Re: EEYE: Internet Explorer Object Data Remote Execution Vulnerability

From: Fabio Pietrosanti (naif) (fabio_at_pietrosanti.it)
Date: 08/25/03

    Date: Mon, 25 Aug 2003 11:44:58 +0200
    To: BUGTRAQ <BUGTRAQ@securityfocus.com>
    
    

    On Fri, Aug 22, 2003 at 11:27:33AM +0300, Nerijus Krukauskas wrote:
    > In case anyone needs a SNORT rule to catch attempts to exploit this
    > vulnerability:
    >
    > #-----
    > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Internet
    > Explorer Object Data Remote Execution Vulnerability"; \
    > content:"F935DC22-1CF0-11D0-ADB9-00C04FD58A0B"; \
    > nocase; flow:from_server, established; \
    > reference:cve,CAN-2003-0532; \
    > classtype:web-application-activity; rev:1;)
    > #-----

    This rule catches the response from the server carrying the exploit's payload,
    which may change depending on the exploit, so matching the CLSID of WSH does not
    detect the "vulnerability" being exploited but only this specific exploit.

    Although there are many ways of exploiting this vuln without using the Windows
    Scripting Host, it's possible to use it in many ways, like:

    - VBScript

       CreateObject("WScript.Shell")

    - JavaScript

      new ActiveXObject("WScript.shell");

    or, like in the demonstration, with the <object> tag.

    The only way to detect it is to look at the data sent by the client being
    exploited (which can probably be bypassed with a fancy MHTML base64-encoded e-mail
    or with an e-mail with a link to a site available over https).

    For an effective signature we need a regexp that will catch everything that
    starts with <object, reaches the field data= and looks at the end of the string inside
    "", matching everything that's NOT an unsafe extension (.exe, .pif, .cab, etc, etc).

    In Perl it should be something like:

    /data="[^"]+\.(?!exe|bat|pif|cab|scr|etc|etc|antani)([^"])+?"/ ( tnx Md )

    Regards

    --
    Fabio Pietrosanti ( naif )
    E-mail: fabio@pietrosanti.it - naif@s0ftpj.org - naif@sikurezza.org
    PGP Key available on my homepage: http://fabio.pietrosanti.it/
    --
    Security is a state of being, not a state of budget. rfp 
    --
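The two detection approaches discussed in this thread, side by side, as an added example that is not part of the original posts: the quoted Snort rule's content match on the WSH Shell CLSID is approximated as a case-insensitive substring check on the response body (ports, direction and flow state are not modelled), and the proposed <object ... data="..."> signature is implemented as a regex that extracts the data URL and flags it when the path's final extension is not in an unsafe list. The sample HTML bodies, the example.invalid hostnames and the exact unsafe-extension list are constructed for this example; the code is Python rather than the Perl sketch in the post.

```python
import re
from urllib.parse import urlsplit

# Extensions the post treats as "unsafe"; an <object data=...> URL ending in
# anything else is the interesting case. The exact list is an assumption.
UNSAFE_EXTS = frozenset({"exe", "bat", "pif", "cab", "scr", "com", "hta"})

# CLSID of the Windows Script Host Shell object, as in the quoted Snort rule.
WSH_SHELL_CLSID = "F935DC22-1CF0-11D0-ADB9-00C04FD58A0B"

# <object ... data="..."> (or data='...'); attribute order inside the tag is free,
# and [^>]*? keeps the match from crossing into the next tag.
OBJECT_DATA_RE = re.compile(
    r"<object\b[^>]*?\bdata\s*=\s*(?P<q>[\"'])(?P<url>.*?)(?P=q)",
    re.IGNORECASE | re.DOTALL,
)


def path_extension(url):
    """Lower-cased extension of the URL path, ignoring ?query and #fragment.

    A path with no extension yields "" (and is therefore treated as "not unsafe").
    """
    path = urlsplit(url.strip()).path
    last_segment = path.rsplit("/", 1)[-1]
    if "." not in last_segment:
        return ""
    return last_segment.rsplit(".", 1)[-1].lower()


def object_data_urls(html):
    """All data= URLs found on <object> tags in the body."""
    return [m.group("url") for m in OBJECT_DATA_RE.finditer(html)]


def suspicious_object_urls(html):
    """The post's signature: <object data=...> URLs whose extension is NOT unsafe."""
    return [u for u in object_data_urls(html) if path_extension(u) not in UNSAFE_EXTS]


def matches_clsid_rule(body):
    """Approximation of the Snort rule's content match (nocase)."""
    return WSH_SHELL_CLSID.lower() in body.lower()


def classify(body):
    """Run both detections over one server response body."""
    return {
        "clsid_rule": matches_clsid_rule(body),
        "object_data_rule": suspicious_object_urls(body),
    }


# Constructed sample response bodies (not real captured traffic).
SAMPLES = {
    # The demonstration style: an <object> whose data URL has an innocuous extension.
    "object_tag_demo": (
        '<html><body><object data="http://example.invalid/exploit.php" '
        'type="text/html"></object></body></html>'
    ),
    # Script-based use of WSH without the CLSID string appearing anywhere.
    "vbscript_variant": (
        '<script language="VBScript">Set sh = CreateObject("WScript.Shell")\n'
        'sh.Run "cmd.exe"</script>'
    ),
    "jscript_variant": '<script>var sh = new ActiveXObject("WScript.Shell");</script>',
    # Instantiation by CLSID: the only one of these the Snort rule would see.
    "clsid_variant": (
        '<object classid="clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B" id="sh"></object>'
    ),
    # An .exe link (with a query string) is an "unsafe" extension, so the post's rule ignores it.
    "exe_link_ignored": '<object data="http://example.invalid/setup.exe?dl=1"></object>',
    # An ordinary Flash embed has an innocuous extension and therefore also fires.
    "flash_embed": '<object data="movie.swf" type="application/x-shockwave-flash"></object>',
}


def run_all():
    """Classify every sample; returns {name: classification}."""
    return {name: classify(body) for name, body in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in run_all().items():
        print(f"{name:18s} clsid={result['clsid_rule']!s:5s} object_data={result['object_data_rule']}")
```

Running it shows the trade-off the post describes: the CLSID match fires only on the body that spells out the CLSID, while the <object data=...> signature fires on the demonstration-style page regardless of what the fetched file contains, but equally on any page that embeds a .swf or .html via <object>, and on neither of the pure script variants. Tuning the unsafe-extension list changes what is ignored, not what is matched.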