Bugtraq mailing list archives
RE: EEYE: Internet Explorer Object Data Remote Execution Vulnerability
From: "Drew Copley" <dcopley () eeye com>
Date: Wed, 27 Aug 2003 10:03:29 -0700
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 If you wish, you can deny any traffic using: Content-Type: application/hta The fact is even IIS does not have that content type built in, and it does not need it. Further, the need for anyone to legitimately download a HTML Application would be extremely rare. (This is not saying HTML Applications are useless.) Object tags can have unsafe extensions in the data, for instance, base-64 encoded data is rather popular. (For whatever reason Frontpage automatically puts base-64 encoded data in some activex.)
-----Original Message----- From: Fabio Pietrosanti (naif) [mailto:fabio () pietrosanti it] Sent: Monday, August 25, 2003 2:45 AM To: BUGTRAQ Subject: Re: EEYE: Internet Explorer Object Data Remote Execution Vulnerability On Fri, Aug 22, 2003 at 11:27:33AM +0300, Nerijus Krukauskas wrote:In case anyone needs a SNORT rule to catch attempts toexploit thisvulnerability: #----- alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Internet Explorer Object Data Remote Execution Vulnerability"; \ content:"F935DC22-1CF0-11D0-ADB9-00C04FD58A0B"; \ nocase; flow:from_server, established; \ reference:cve,CAN-2003-0532; \ classtype:web-application-activity; rev:1;) #-----This rules catch the response with the exploit's payload from the server that may change depending on the exploits so matching the CLSID of WSH does not detect the "vulnerability" beeing exploited but this specific exploits. Altought there are many way of exploiting this vuln without using the Window Scripting Host, it's possible to use it in many way like: - VBScript CreateObject("WScript.Shell") - JavaScript new ActiveXObject("WScript.shell"); or like in the demostration with the <object> tag . The only way to detect it is to look at the data sent by the client beeing exploited ( which can probably bypassed with fancy mhtml base64 encoded e-mail or with an e-mail with a link to a site available in https ) For an effective signature we need a regexp that will catch everything that start with <object, reach the field data= and look at the end of the string inside "" matching everything that's NOT an unsafe extension ( .exe, .pif, .cab, etc, etc ) . In perl should be something like: /date="[^"]+\.(?!exe|bat|pif|cab|scr|etc|etc|antani)([^"])+?"/ ( tnx Md ) Regards -- Fabio Pietrosanti ( naif ) E-mail: fabio () pietrosanti it - naif () s0ftpj org - naif () sikurezza org PGP Key available on my homepage:
http://fabio.pietrosanti.it/ - -- Security is a state of being, not a state of budget. rfp - -- -----BEGIN PGP SIGNATURE----- Version: PGP 8.0 iQA/AwUBP0zkYAkWkugjEnC3EQLRzQCfUA4X7X4q/kxhTTNpblyo17RHOwMAoMNy t87vTJIMNFpKj6/ESNba3hd0 =RMqw -----END PGP SIGNATURE-----
Current thread:
- EEYE: Internet Explorer Object Data Remote Execution Vulnerability Marc Maiffret (Aug 21)
- Re: EEYE: Internet Explorer Object Data Remote Execution Vulnerability Nerijus Krukauskas (Aug 22)
- Re: EEYE: Internet Explorer Object Data Remote Execution Vulnerability Fabio Pietrosanti (naif) (Aug 26)
- RE: EEYE: Internet Explorer Object Data Remote Execution Vulnerability Drew Copley (Aug 28)
- Re: EEYE: Internet Explorer Object Data Remote Execution Vulnerability Fabio Pietrosanti (naif) (Aug 26)
- <Possible follow-ups>
- EEYE: Internet Explorer Object Data Remote Execution Vulnerability Marc Maiffret (Aug 21)
- Re: EEYE: Internet Explorer Object Data Remote Execution Vulnerability http-equiv () excite com (Aug 21)
- RE: EEYE: Internet Explorer Object Data Remote Execution Vulnerability Menashe Eliezer (Aug 22)
- RE: EEYE: Internet Explorer Object Data Remote Execution Vulnerability Drew Copley (Aug 28)
- Re: EEYE: Internet Explorer Object Data Remote Execution Vulnerability Nerijus Krukauskas (Aug 22)