Microsoft Internet Explorer XP SP2 Fully Automated Remote Compromise

Although hundreds of millions of dollars have been spent on securing SP2, perfection is impossible. Through the joint effort of Michael Evanchik and Paul from Greyhats Security, a very critical vulnerability has been developed that can compromise a user’s system without the need for user interaction besides visiting the malicious page. The vulnerability is not actually a vulnerability in itself; rather, it uses multiple known holes in SP2, including the Help ActiveX Control Related Topics Zone Security Bypass Vulnerability and the Help ActiveX Control Related Topics Cross Site Scripting Vulnerability.


Vulnerable Systems:
 * Microsoft Internet Explorer 6.0
 * Microsoft Windows XP Pro SP2
 * Microsoft Windows XP Home SP2


Proof of Concept:
See a proof of concept of the above code at: http://freehost07.websamba.com/greyhats/sp2rc.htm


 * If an error is shown, press OK. This is normal.
 * Notice in your startup menu a new file called Microsoft Office.hta. When run, this file will download and launch a harmless executable (which includes a pretty neat fire animation).


User Recommendations:
 * Disable HTA files
 * Disable Active Scripting in Internet Explorer


http://www.securiteam.com/windowsntfocus/6B00O2KC0C.html

Browsers’ FTP Client can be Used to Send Mail

Both Internet Explorer and Konqueror can be tricked into sending mail through their FTP clients without any more user interaction than loading a page.


Vulnerable Systems:
 * Internet Explorer version 6 SP1
 * Konqueror version 3.2


Immune Systems:
 * Mozilla Firefox version 1.0


Both Internet Explorer and Konqueror will accept %0a and %0d (the percent-encoded line feed and carriage return) in URLs. In FTP URLs, they will accept them in the username part of the URL. Due to the similarity between the FTP and SMTP protocols, this can be used to send mail.
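The check a client or URL filter can apply before handing such a URL to an FTP library is shown below. This is an added example, not code from the advisory or from either browser; the function names and the sample URLs are constructed for illustration, and it goes slightly beyond the advisory by also checking the password and path and by catching double-encoded values such as %250a.

```python
from urllib.parse import urlsplit, unquote

# C0 control characters plus DEL; CR (13) and LF (10) are the ones that
# terminate a command line in FTP, SMTP and similar text protocols.
CONTROL = {chr(c) for c in range(0x20)} | {"\x7f"}


def _decode_fully(value, rounds=3):
    """Percent-decode repeatedly (bounded) so %250a is seen as a line feed."""
    for _ in range(rounds):
        decoded = unquote(value, encoding="latin-1")
        if decoded == value:
            break
        value = decoded
    return value


def control_chars_in_url(url):
    """Return {component: sorted control-character code points} for a URL."""
    parts = urlsplit(url)
    userinfo, _, _ = parts.netloc.rpartition("@")  # "" when no userinfo
    user, _, password = userinfo.partition(":")
    findings = {}
    for name, raw in (("username", user), ("password", password),
                      ("path", parts.path)):
        bad = sorted({ord(ch) for ch in _decode_fully(raw) if ch in CONTROL})
        if bad:
            findings[name] = bad
    return findings


def is_safe_ftp_url(url):
    """True only for ftp:// URLs with no encoded control characters."""
    return urlsplit(url).scheme.lower() == "ftp" and not control_chars_in_url(url)


if __name__ == "__main__":
    # Constructed sample URLs (not taken from the advisory).
    for sample in ("ftp://anonymous@ftp.example.test/pub/file.txt",
                   "ftp://a%0d%0ab@ftp.example.test/",
                   "ftp://a%250Ab@ftp.example.test/"):
        print(sample, control_chars_in_url(sample) or "clean")
```

Rejecting the URL outright is safer than stripping the characters, since a stripped value can still be reinterpreted by a later decoding step.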


Danger:
Spammers could host websites that contain images causing website visitors to spam more people. There are probably other protocols that the FTP client could be used to maliciously access.


http://www.securiteam.com/securitynews/6E00R2KC0C.html

Mozilla Buffer Overflow in Processing NNTP URLs Lets Remote Users Execute Arbitrary Code

Version(s): 1.7.3
 
Description:  A heap overflow vulnerability was reported in Mozilla in the processing of NNTP URLs. A remote user can execute arbitrary code on the target system.


Maurycy Prodeus of iSEC Security Research reported that a remote user can create a specially crafted ‘news://’ URL that, when loaded by the target user, will trigger a buffer overflow and execute arbitrary code on the target user’s system. The code will run with the privileges of the target user.


The flaw resides in the *MSG_UnEscapeSearchUrl() function in ‘nsNNTPProtocol.cpp’.


The original advisory is available at: http://isec.pl/vulnerabilities/isec-0020-mozilla.txt
 
Impact:  A remote user can create a URL that, when loaded by the target user, will execute arbitrary code on the target user’s system with the privileges of the target user.
 
Solution:  The vendor has issued a fixed version (1.7.5), available at: http://www.mozilla.org/products/mozilla1.x/


http://securitytracker.com/alerts/2004/Dec/1012726.html

Remote code execution with parameters without user interaction, even with XP SP2

ShredderSub7 SecExpert wrote:


“——————Which systems are vulnerable?——–
Any system running any Microsoft Windows XP edition with Internet Explorer 6 or higher, even with SP2 applied.
Any system running any Microsoft Windows Server 2003 edition with Internet Explorer 6 or higher.


——————How does this exploit work?———–
The problem with Internet Explorer is that it doesn’t set any restrictions on web pages that request opening a Windows Help file, compiled with HTML Help.


Without a restriction, we can (in Internet Explorer) easily command to open any local web page stored on a victim’s computer, including web pages that are found in Windows Help files (with extension .CHM).


Proof of concept was provided.


More info in http://securityfocus.com/archive/1/385573/2004-12-26/2005-01-01/0

Scripting Vulnerabilities in Indian Email Providers

The email services of several big Indian portals are susceptible to scripting attacks, i.e., malicious code can be embedded by attackers into email messages that, when received by unsuspecting users, can cause harmful effects. The services are Rediffmail.com, Indiatimes.com, Sify.com. The combined user base of these services runs into millions and all of these users are vulnerable. I’ve known about most of these vulnerabilities for years now and I am now releasing them because many are being massively exploited in the wild. All attempts to contact the vendors were unfruitful.


Details 


It is possible to embed malicious scripts in an ordinary email to users of these services because of certain flaws in their anti-scripting filters. Since these filters are not as robust as the filters used by service providers like Yahoo and Hotmail, many more flaws, similar to those detailed here, are undoubtedly present in these services. Some of the attacks possible through exploitation of these flaws:


1. User names and passwords can be stolen. Spoofed login pages are one of the many methods to do so
2. Web pages belonging to the portals can be spoofed, including the shopping cart system
3. Any action that the legitimate user can take can also be taken by the malicious code. Cookies can be stolen
4. Malicious programs can be executed when combined with browser vulnerabilities
5. Force-feeding websites to users. Spammers, phishers and scammers can redirect users to their own pages
6. A malicious worm can be created which can traverse through the entire user base and cause destruction
7. Users can be locked out of their inboxes


Technical details:


Rediffmail (http://rediffmail.com)


Rediffmail has the most robust security system among all three. However, it is still susceptible to several attacks.


Indiatimes Mail (http://email.indiatimes.com):
Indiatimes email does not have a scripting filter in place. This means all HTML tags including scripts can be embedded into the email without any security obstacles.


Vendor status:
Several unsuccessful attempts have been made to contact the vendors. Email alerts did not receive responses.


Complete details in http://www.securiteam.com/securitynews/6X00K20C1U.html

Lycos Free Email Cross-Site Scripting Vulnerability

Lycos’s Free Email service “allows users to have their own web based email account very much like Hotmail”. A cross site scripting vulnerability in Lycos’s Free Email service allows an attacker to steal a user’s cookie, allowing him full access to the user’s Lycos email account. Further, due to a flaw in the way Lycos handles cookies, even if the user being attacked changes his password, the attacker can still gain access to his account as the cookie will remain valid.


Proof of Concept was provided.


http://www.securiteam.com/securitynews/6A00N20C1C.html



 

Netcraft Anti-Phishing Toolbar Available for Download

Another security program that is interesting to try, and I think one feature that is attractive with this toolbar is… users can report a phished URL to help other people, because once it is confirmed as a phished URL, it will be blocked so other users will not become victims.




“The Netcraft Toolbar uses Netcraft’s enormous databases of web site information to show you all the attributes of each site you visit on the Web, including the sites’ hosting location, country, longevity and popularity.


Toolbar features include:
Clear display of sites’ hosting location at all times helps you validate fraudulent urls (e.g. the main online banking site of a large US bank is unlikely to be hosted in the former Soviet Union).


Once you report a phishing URL, it is blocked for other community members subsequently accessing it. The leverage of widely disseminated attacks (people constructing phishing attacks send literally millions of electronic mails in the expectation that some will reach customers of the bank) is utilized to expedite blocking of the fraud site.


Natively traps cross site scripting and other suspicious urls containing characters which have no common purpose other than to deceive.
Netcraft supervisor validation is used to contain the impact of any false reporting of urls.


Display of browser navigational controls (toolbar & address bar) in all windows, to defend against pop up windows which attempt to hide the navigational controls to disguise location.


Happily coexists with Google and other Toolbars.”


Read more in http://news.netcraft.com/archives/2004/12/28/netcraft_antiphishing_toolbar_available_for_download.html


or http://toolbar.netcraft.com/


A tutorial is also available – http://toolbar.netcraft.com/help/tutorials/using.html

CleanCache Fails to Wipe Files

Impact:  Disclosure of system information, Disclosure of user information
Exploit Included:  Yes  
Version(s): 2.19
 
A vulnerability was reported in CleanCache. A local user can obtain files that have ostensibly been wiped from the computer.


WBG Links reported that a local user can invoke common data recovery tools to obtain files that should have been removed by CleanCache.


The vendor has been notified.
 
Impact:  A local user can recover files that have ostensibly been deleted.
Solution:  No solution was available at the time of this entry.


http://securitytracker.com/alerts/2004/Dec/1012701.html