Re: DOS Exploit Executing programs

From: Bruce Chambers (bruce_a_chambers_at_h0tmail.com)
Date: 11/04/04


Date: Wed, 3 Nov 2004 19:41:56 -0700

Tony wrote:
> Hi, Every time I run Spybot-SD Resident it shows a DOS
> exploit. The fix I got follows:
>
> GreyMagic Security Advisory GM#001-IE
> By GreyMagic Software, Israel.
> 27 Feb 2002.
> Topic: DSO Exploit - Executing programs without Scripting
> or ActiveX.
>
> SPYBOT USERS FAQ:
> Q: Can you help me understand how to resolve the DSO
> Exploit issue?
>
> A: Unfortunately no, GreyMagic does not provide any
> support for this or any other issue we have revealed in
> our security research. Questions and help queries should
> be forwarded to Spybot or Microsoft. Emails concerning
> this issue are automatically filtered and cannot be read
> or acknowledged in any way.
>
> Q: Did you put this spyware / exploit / vulnerability on
> my computer?
>
> A: Absolutely not. GreyMagic detected this issue in
> Microsoft Internet Explorer and reported it to the public.
> GreyMagic does not produce nor will it ever produce
> spyware.
>
> The following text is a technical analysis of the
> vulnerability. This is the reason Spybot directed you
> here.
>
> Discovery date: 25 Feb 2002.
>
> Affected applications:
> Any application that hosts the WebBrowser control (5.5+)
> is affected since this exploit does not require Active
> Scripting or ActiveX. Some of these applications are:
>
> Microsoft Internet Explorer
> Microsoft Outlook
> Microsoft Outlook Express
>
> Introduction:
> In an advisory from Jan 10 2002 "The Pull" demonstrated
> how it is still possible to use an older bug (initially
> discovered by Dildog) in the <object> HTML element to run
> arbitrary commands.
>
> Although "The Pull"'s findings were interesting, his
> analysis of the re-found bug was erroneous: the problem
> does not lie within the Popup object; the problem is with
> dynamically inserted HTML fragments at any point in the
> document.
>
> All "createPopup" does is create a (featureless) window
> containing an empty HTML document; this does not pose a
> threat, but later on, that document has HTML injected into
> it (using innerHTML), which is the actual problem.
>
> For example, the following code will work just the same:
>
> <span id="oSpan"></span>
> <script language="jscript" defer>
> oSpan.innerHTML='<object classid="clsid:11111111-1111-
> 1111-1111-111111111111"
> codebase="c:/winnt/system32/calc.exe"></object>';
> </script>
> (Note: innerHTML is not the only property used to
> dynamically insert HTML to any element, it is also
> possible to use outerHTML, insertAdjacentHTML and more to
> gain the same results.)
>
> Discussion:
> So now that we identified the origin of the problem we can
> search for ways to dynamically insert HTML without using
> any Active Scripting at all. It will then become possible
> to use this bug in more "protected" environments, such as
> Microsoft Outlook or Internet Explorer with Active
> Scripting and ActiveX disabled.
>
> One of the exciting features that came along in IE4 was
> Data Binding; it enables developers to completely separate
> any application data from the presentation layer. The data
> sources (DSO) for Data Binding can be almost anything, CSV
> files (with TDC), HTML, XML and many more. Data Binding
> binds HTML elements (data consumers) such as div or span
> to the DSO without need for a single line of script code.
>
> We found out that when the "dataFormatAs" attribute is set
> to "HTML" on the consumer, Data Binding internally uses
> innerHTML in order to insert the data into the element
> (otherwise innerText is used).
>
> So all we need to do now is supply a DSO that contains the
> offending <object> element, the rest will be done for us
> by the Data Binding engine, no scripting needed.
>
> Exploit:
> In the following example we're using an XML data-island as
> our DSO and a span element as the data consumer. Using XML
> is especially comfortable because it can be embedded
> within the document, without need for external requests
> that may be stopped by the host application.
>
> <span datasrc="#oExec" datafld="exploit"
> dataformatas="html"></span>
> <xml id="oExec">
> <security>
> <exploit>
> <![CDATA[
> <object id="oFile" classid="clsid:11111111-
> 1111-1111-1111-111111111111"
> codebase="c:/winnt/system32/calc.exe"></object>
> ]]>
> </exploit>
> </security>
> </xml>
>
> Solution:
> There is no configuration-tweaking workaround for this
> bug; it will work as long as the browser parses HTML. The
> only possible solution must come in the form of a patch
> from Microsoft.
>
> Update - 3 Mar 2002
>
> Since the injected <object> runs in the "My Computer" Zone,
> changing the Internet Zone's settings couldn't affect it,
> but changing the affected zone's settings will prevent
> this exploit from running.
>
> Here is the registry information:
>
> [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
> Change the value of "1004" (DWORD) to 3.
>
> Many thanks to Axel Pettinger and Garland Hopkins for this
> workaround.
>
> Tested on:
> IE5.5 Win98.
> IE5.5 NT4.
> IE6 Win2000.
> IE6 WinXP.
>
>
> Demonstration:
> We put together two proof-of-concept demonstrations:
>
> Important Note: If you run anti-virus software, it may
> complain when you try to run these. This does NOT mean
> that you have a virus now, or that you're affected or
> unaffected by this vulnerability.
>
> Simple: attempts to run "c:/winnt/system32/calc.exe".
> Advanced: lets the user pick what they want to run.
>
> Disclaimer:
> The information in this security advisory and any of its
> demonstrations is provided "as is" without warranty of any
> kind.
>
> Vulnerability details are provided strictly for
> educational and defensive purposes.
>
> However, my Registry value at
> HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
>
> reads Name(ab) Type(REG_SZ) Data(appears blank).
> Is my machine vulnerable and if so what should I do?
> Many thanks

    Don't worry about it; it's a false alarm.

    The DSO exploit was patched long ago by IE Cumulative Update
MS02-015, in March of 2002. If you've installed this specific patch,
or any subsequent IE Cumulative Updates, IE Service Pack 1, or WinXP
SP2, you're safe. It would appear that the latest version of Spybot
S&D is only checking for Internet zone settings in the registry that
could be used as work-around protection, and not for the presence of
any corrective patches. Hopefully, the makers of Spybot will soon fix
this bug.

 MS02-015 March 28, 2002 Cumulative Patch for Internet Explorer
http://support.microsoft.com/default.aspx?scid=kb;EN-US;319182

    If you like, you can test your system for this particular
vulnerability at this web site:
http://www.grey.com/security/advisories/gm001-ie/

    The makers of SpyBot S&D have acknowledged the problem and will
fix it on their next update:
http://www.safer-networking.org/index.php?page=paragraphs&detail=currentfaqs

    In the meantime, in SpyBot S&D, click Mode > Advanced > Settings >
Ignore Products > Security > DSO Exploit, to turn off the false alarm.

    Some people have reported that the Spybot Detection rules dated 30
Aug 04, or newer, when used with SpyBot S&D 1.3, will fix this
problem. However, I've had inconsistent results with that particular
detection update; sometimes it reads clean, then later it will once
again find the DSO problem, and then it will read clean again, all on
the same machine, with no other changes made.

-- 
Bruce Chambers
Help us help you:
http://dts-l.org/goodpost.htm
http://www.catb.org/~esr/faqs/smart-questions.html
You can have peace. Or you can have freedom. Don't ever count on
having both at once. - RAH
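The check below is an added example, not code from this thread, from Spybot or from GreyMagic. It performs the kind of registry inspection Bruce describes Spybot S&D as doing: it reads the "My Computer" zone (Zones\0) value "1004" that the quoted advisory's workaround sets to 3, reports its type and data, and, following Bruce's reasoning, treats a missing value as harmless on a system with MS02-015 or a later cumulative update. The key path and value name come from the quoted advisory; reading 3 as "Disable" is the standard meaning of IE zone-setting values.

```powershell
# Added example, not from the thread or from Spybot/GreyMagic: reproduce the kind of
# registry check Bruce says Spybot S&D performs, and interpret the result the way his
# reply does (a missing workaround value is NOT a vulnerability on a patched system).
$ZonePath  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0'
$ValueName = '1004'   # DWORD the advisory's workaround sets to 3 (3 = "Disable")

function Test-DsoWorkaround {
    param(
        [string]$Path = $ZonePath,
        [string]$Name = $ValueName
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Present = $false; Kind = $null; Data = $null
                                  Verdict = "Zone key not found: $Path" }
    }

    # Get-Item on an HKCU: path returns a RegistryKey. The unnamed "(Default)" REG_SZ
    # that regedit shows in every key is unrelated to the named value we are after.
    $key = Get-Item -LiteralPath $Path
    if ($key.GetValueNames() -notcontains $Name) {
        return [pscustomobject]@{ Present = $false; Kind = $null; Data = $null
                                  Verdict = "Value $Name is not set. The registry workaround is absent; " +
                                            "this is harmless if MS02-015 or a later IE cumulative update is installed." }
    }

    $kind = $key.GetValueKind($Name)   # e.g. DWord, String
    $data = $key.GetValue($Name)

    $verdict = if ($kind -ne 'DWord') {
        "Value $Name exists but is $kind, not DWORD; a tool comparing it to 3 may misread it."
    } elseif ($data -eq 3) {
        "Workaround applied: $Name = 3 (Disable) in the My Computer zone."
    } else {
        "Value $Name = $data; the advisory's workaround expects 3 (Disable)."
    }

    [pscustomobject]@{ Present = $true; Kind = "$kind"; Data = $data; Verdict = $verdict }
}

Test-DsoWorkaround | Format-List
```

Run it in a Windows PowerShell session as the user whose IE profile is in question, since the key lives under HKEY_CURRENT_USER.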

