RE: Microsoft Baseline Security Analyzer exploit (Exposed vulnerabilities' list)
From: Deus, Attonbitus (Thor@HammerofGod.com)
Date: Fri, 26 Apr 2002 07:54:43 -0700
To: "Menashe Eliezer" <firstname.lastname@example.org>, "3APA3A" <3APA3A@SECURITY.NNOV.RU>
From: "Deus, Attonbitus" <Thor@HammerofGod.com>
-----BEGIN PGP SIGNED MESSAGE-----
At 10:18 AM 4/25/2002, Menashe Eliezer wrote:
>The vulnerabilities' list is accessible even by an unprivileged user account.
Only on a FAT drive; by default, only system, admin and the user have
permissions to access the file.
>The ability of active content to access this report depends on
>security setting of the browser.
>For example, signed ActiveX that runs in browser with low security
>setting, doesn't need user's approval. User can also choose not be asked
>whether to launch ActiveX that is signed by a specific signer. In such case,
>The ActiveX doesn't have to be safe for scripting. The ActiveX can do
>without being scripted at all. There's no need for low security setting of
Please just stop it. This has *nothing* to do with MBSA. If people have a
low browser security setting and go around downloading signed (or unsigned
for that matter) ActiveX controls then that is their problem, not
MBSA's. Even the examples on your web site require much interaction of the
user and the explicit loading and executing of the controls. This is bogus.
There IS a need for low security for the rogue ActiveX control to be
downloaded in the first place. The reason the "safe for scripting" issue
was raised by 3APA3A is that he knows some may have the "Script ActiveX
controls marked safe for scripting" turned on... In that case, only these
types of controls could be used to access the information, and they would
already have to be installed and marked "safe for scripting."
>You can access this report even without active content.
>All you need is a limited exploit that just allows you to read a file.
>Deus Attonbitus wrote:
>DA>but the script would also have to be able to discern the currently logged
>DA>on user in order to see where to look in the "Documents and Settings"
>1. Discern the currently logged on user - It's a simple Win32 API.
>2. Code can simply look for "Security Scans" folder in tree.
You contradict yourself... Without the ActiveX control, your "limited
exploit" to read the file would not be able to run the API call to find out
the username. You might be able to use something old to known filename in
a known location, but where is the "limited exploit" that allows directory
recursion? Besides, you don't even know the name of the XML file, unless
you also guess the domain, the computer name scanned, and the exact date
and time (to the second) that the scan was made.
Let's break it down... Here is what would have to happen:
1) Admin downloads and runs MBSA.
2) MBSA tells Admin that he is running on FAT, that the IE Internet zone
security is low, that the Outlook security zone is low, and that he has
missing patches for known issues.
3) Admin ignores all messages, does nothing to secure his system, and goes
about his day whistling "Jimmy crack corn and I don't care."
4) You magically discern who this admin is, and get him to visit your web
site using Jedi Mind Trick.
5) You get Microsoft to sign an ActiveX control that allows you to take full
control over user's box.
6) User downloads control.
7) You use this control to read the MBSA XML file, when you already had
full control over the box.
8) You find out what patches are missing and then fire off another exploit
against the user to further compromise the system even though the game was already
Is that about right?
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1
-----END PGP SIGNATURE-----
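The reply above rests on three conditions: the report only becomes readable by other accounts on a FAT volume (NTFS ACLs restrict it to System, Administrators and the owning user), and the ActiveX route needs a browser zone configured to download and script controls. The following PowerShell script is an added example, not part of the original thread or of MBSA, that audits those conditions on a current Windows host. It assumes the report folder lives at "%USERPROFILE%\Security Scans" (only the folder name "Security Scans" is taken from the thread; the full path is an assumption) and uses the standard Internet-zone registry values for ActiveX settings; the report folder check is skipped if the folder does not exist.

```powershell
# Added example (not from the thread or from MBSA): audit the three conditions
# discussed above and return one result object per check.
function Test-MbsaReportExposure {
    [CmdletBinding()]
    param(
        # Assumed location of the MBSA report folder; only the folder name comes from the thread.
        [string]$ReportDir = (Join-Path $env:USERPROFILE 'Security Scans')
    )

    $results = @()

    # 1. Filesystem of the system drive: the ACL protection only exists on NTFS.
    $drive = $env:SystemDrive   # e.g. "C:"
    $fs = (Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$drive'").FileSystem
    $results += [pscustomobject]@{
        Check  = "Filesystem of $drive"
        Result = $fs
        Ok     = ($fs -eq 'NTFS')
    }

    # 2. ACL of the report folder: flag any Allow ACE for an identity other than
    #    SYSTEM, Administrators and the current user.
    if (Test-Path -LiteralPath $ReportDir) {
        $allowed = @(
            'NT AUTHORITY\SYSTEM',
            'BUILTIN\Administrators',
            "$env:USERDOMAIN\$env:USERNAME"
        )
        $acl = Get-Acl -LiteralPath $ReportDir
        $unexpected = @($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $allowed -notcontains $_.IdentityReference.Value
        })
        $results += [pscustomobject]@{
            Check  = "Report folder ACL ($ReportDir)"
            Result = if ($unexpected.Count) { ($unexpected.IdentityReference.Value | Sort-Object -Unique) -join ', ' } else { 'only expected identities' }
            Ok     = ($unexpected.Count -eq 0)
        }
    }

    # 3. Internet zone (zone 3) ActiveX settings. Registry values: 0 = Enabled, 1 = Prompt, 3 = Disabled.
    $zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
    $settings = [ordered]@{
        '1001' = 'Download signed ActiveX controls'
        '1004' = 'Download unsigned ActiveX controls'
        '1201' = 'Initialize and script ActiveX controls not marked as safe'
        '1405' = 'Script ActiveX controls marked safe for scripting'
    }
    $meaning = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }
    $zone = Get-ItemProperty -Path $zoneKey -ErrorAction SilentlyContinue
    foreach ($id in $settings.Keys) {
        $raw = if ($null -ne $zone) { $zone.$id } else { $null }
        $results += [pscustomobject]@{
            Check  = "Internet zone: $($settings[$id])"
            Result = if ($null -eq $raw) { 'not set (zone default)' } elseif ($meaning.ContainsKey([int]$raw)) { $meaning[[int]$raw] } else { "raw value $raw" }
            # "Enabled" (0) with no prompt is the low-security condition the thread describes.
            Ok     = ($null -eq $raw -or [int]$raw -ne 0)
        }
    }

    return $results
}

# Usage: run the audit and print a table; any row with Ok = False matches a
# precondition from the thread and is worth fixing (convert to NTFS, tighten the
# folder ACL, raise the Internet zone back to its default level).
Test-MbsaReportExposure | Format-Table -AutoSize
```

The ACL check deliberately compares identity names rather than rights: the point in the thread is who can read the folder at all, so any Allow entry for an unexpected principal (Everyone, Users, Authenticated Users) is reported regardless of the specific rights granted. Run it in the context of the user whose reports you care about, since both the profile path and the HKCU zone settings are per-user.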