Re: EEYE: Internet Explorer Object Data Remote Execution Vulnerability

["Fabio Pietrosanti (naif)" <fabio () pietrosanti it>]

On Fri, Aug 22, 2003 at 11:27:33AM +0300, Nerijus Krukauskas wrote:
>   In case anyone needs a SNORT rule to catch attempts to exploit this 
> vulnerability:
>
> #-----
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Internet 
> Explorer Object Data Remote Execution Vulnerability"; \
>         content:"F935DC22-1CF0-11D0-ADB9-00C04FD58A0B"; \
>         nocase; flow:from_server, established; \
>         reference:cve,CAN-2003-0532; \
>         classtype:web-application-activity; rev:1;)
> #-----

This rules catch the response with the exploit's payload from the server that
may change depending on the exploits so matching the CLSID of WSH does not
detect the "vulnerability" beeing exploited but this specific exploits.

Altought there are many way of exploiting this vuln without using the Window
Scripting Host, it's possible to use it in many way like:

- VBScript

   CreateObject("WScript.Shell")

- JavaScript  

  new ActiveXObject("WScript.shell"); 

or like in the demostration with the <object> tag .

The only way to detect it is to look at the data sent by the client beeing
exploited ( which can probably bypassed with fancy mhtml base64 encoded e-mail
or with an e-mail with a link to a site available in https )

For an effective signature we need a regexp that will catch everything
that start with <object, reach the field data= and look at the end of the string inside 
"" matching everything that's NOT an unsafe extension ( .exe, .pif, .cab, etc, etc ) .

In perl should be something like:

/date="[^"]+\.(?!exe|bat|pif|cab|scr|etc|etc|antani)([^"])+?"/   ( tnx Md ) 

Regards

--

Fabio Pietrosanti ( naif )
E-mail: fabio () pietrosanti it - naif () s0ftpj org - naif () sikurezza org
PGP Key available on my homepage: http://fabio.pietrosanti.it/
--
Security is a state of being, not a state of budget. rfp 
--