New security hole in IE6
JacK
May 17th, 2003, 12:34 PM
Hello,
I was just informed about this exploit with high potential, called "zones flooding", which works perfectly reliably and doesn't need any scripting or ActiveX. Check out these bugtraq postings:
http://cert.uni-stuttgart.de/archive/bugtraq/2003/05/msg00157.html
http://cert.uni-stuttgart.de/archive/bugtraq/2003/05/msg00178.html
The second one has a URL to a fully working exploit page for XP. It will eventually (depends on the speed of your PC) grab your video ram with a well-known NT VGA exploit. [If it's based on the old proof-of-concept by Robert Schlabbach (RASPPPoE) it should give control back after a minute or so (right)]
This clearly shows the potential to inject any code of your choice and run it within the user's permissions.
The given workarounds are to strip execution permissions for that folder (which isn't easily done because it doesn't have a Security tab); that works in stopping the code execution, but it also prohibits any further file downloads or viewing the Temporary Internet Files folder, while simple browsing still works. The other workaround is to enforce a Software Restriction Policy for that folder, which seems to be the better choice, but I have only a vague idea of how to achieve this.
Cheers,
spy1
May 21st, 2003, 09:37 AM
Nice catch, Jack.
Posted it to DSL Security forum.
Tried it here and it did an outstanding job of throwing up multiple d/l request windows and then shutting down the browser.
We probably all need simple instructions on how to "change NTFS permission not to allow run executable code _or_ create path rule in Software Restriction Policy that prohibits programs from run from temporary internet files." ! Pete
spy1
May 21st, 2003, 01:50 PM
http://www.dslreports.com/forum/remark,6899138~root=security,1~mode=flat for instructions on how to at least blunt the impact of the vulnerability (See? It pays to be dumb sometimes! ;D ). Pete
JacK
May 21st, 2003, 06:11 PM
-{ Quote (spy1): "http://www.dslreports.com/forum/remark,6899138~root=security,1~mode=flat for instructions on how to at least blunt the impact of the vulnerability (See? It pays to be dumb sometimes! ;D ). Pete" }-
Nite spy 1
Excellent even if not perfect.
BTW I posted on the same thread a tip to install the security tab on WinXP Home.
tnx,
Douglas
May 21st, 2003, 06:40 PM
This exploit worked perfectly on my Windows98SE.
Many, many browser windows, and then the .exe (if the .exe was an animated picture of flames). After that, my whole computer froze.
"Check for signatures on downloaded programs" is checked in my Internet Options, so that fix (from DSLR), doesn't seem to work on Win98.
Regards,
Douglas
peakaboo
May 22nd, 2003, 04:14 PM
-{ Quote (JacK): "I was just informed about this exploit with high potential, called "zones flooding" which works perfectly reliable and doesn't need any scripting or Active-X. [...]" }-
Anyone know if the exploit mentioned by Jack above is the same as the one discussed here:
http://www.securityfocus.com/archive/1/321662/2003-05-13/2003-05-19/0
If it is the same exploit, there appear to be some solutions discussed here (includes 2 Proxo solutions also):
http://asp.flaaten.dk/proxo/topic.asp?TOPIC_ID=1012
The exploit sounds similar (flooding IE 6) but the test references are different. If it is the same exploit, will the solutions mentioned at asp.flaaten work against the tests at:
http://cert.uni-stuttgart.de/archive/bugtraq/2003/05/msg00157.html
http://cert.uni-stuttgart.de/archive/bugtraq/2003/05/msg00178.html
:o
Douglas
May 22nd, 2003, 04:29 PM
Hi peakaboo,
-{ Quote (peakaboo): "Anyone know if the exploit mentioned by Jack above is the same as the one discussed here: http://www.securityfocus.com/archive/1/321662/2003-05-13/2003-05-19/0" }-
Yes, it's the same.
Good catch, and thanks.
Regards,
Douglas
peakaboo
May 22nd, 2003, 08:53 PM
-{ Quote (Douglas): "Yes, it's the same." }-
Hi Douglas,
Thanks for confirming it's the same exploit.
For those trying the Proxo solution, unless you are using the Proxo 4.5 beta I suggest you go with HpGuru's Iframe killer.
Hp's solution worked for me, defeated the malware test without a problem.
I tried JD's
"Block: Forced iFrame Content {4.ie.ex} - Prox 4.5"
but since I'm not using the 4.5 beta it did not work. I like JD's solution and will keep it in the arsenal when the new Proxo 4.5 is released to the public.
I'll look into the other suggestions if I get a chance just for grins. ;D
Update re Proxo solutions: JD's solution to kill the page after 5 iframes IMO seems like a better solution (definitely will check out JD's filter after 4.5 Proxo comes out).
Using HP's filter it has to kill 1999 iframes before defeating the malware test (goes pretty quick, but imagine if the exploit had 10,000 iframes or more).
not a pretty thought :o
peakaboo
May 26th, 2003, 10:21 PM
-{ Quote (peakaboo, earlier): "JD's solution to kill the page after 5 iframes IMO seems like a better solution [...] Using HP's filter it has to kill 1999 iframes before defeating the malware test." }-
Just downloaded the new release Proxo 4.5 (thanks for the update notice CrazyM, also big thanks to SRL for Proxo).
Tried JD's filter against the malware.com exploit and it worked beautifully.
When I ran the exploit, Proxo gives a warning of the exploit; 5 download windows later (cancel these) the page is killed and so is the exploit!
nice job JD
Here is the filter again (remember, it only works with the new Proxo 4.5):
[Patterns]
Name = "Block: Forced iFrame Content {4.ie.ex} - Prox 4.5"
Active = FALSE
URL = "$TYPE(htm)"
Bounds = "<iframe*>(*</iframe>|)"
Limit = 1000
Match = "<iframe*src=$AV(*)*$SET(iframe=$GET(iframe)1)&$TST(iframe=111111)"
Replace = "\k$ALERT(Possible Iframe Exploit Blocked!)$SET(iframe=)"
Note: if you run Proxo 4.4 or lower, use HpGuru's filter referenced in a previous post.
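The logic of JD's filter, reimplemented as an added example so the counting behaviour can be checked offline. This is not Proxomitron code and not JD's or the thread's own filter; it is a stand-alone Python model of what the pattern above does. The regex for an iframe-with-src, the limit of 6 (the sixth match is what makes $TST(iframe=111111) fire, so five download prompts get through first), the flood_page() generator and the example.invalid URL in it are all assumptions made for illustration; the flood page is constructed here and is not the malware.com test page.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Opening <iframe ...> tag that carries a src attribute: the same thing JD's
# pattern  <iframe*src=$AV(*)*>  matches. An <iframe> with no src is not counted.
# (Regex is an assumption of this example, not Proxomitron's matcher.)
IFRAME_WITH_SRC = re.compile(
    r"<iframe\b[^>]*?\ssrc\s*=\s*(?:\"[^\"]*\"|'[^']*'|[^\s>]+)[^>]*>",
    re.IGNORECASE,
)


@dataclass
class Verdict:
    iframes_seen: int        # src-bearing iframes counted before the filter stopped
    killed: bool             # True when the page should be dropped (Proxomitron's \k)
    alert: Optional[str]     # text a proxy would show the user ($ALERT(...)), else None


def check_page(html: str, content_type: str = "text/html", limit: int = 6) -> Verdict:
    """Count <iframe src=...> tags and kill the page once `limit` have been seen.

    limit=6 mirrors $SET(iframe=$GET(iframe)1) plus $TST(iframe=111111): the
    counter string grows by one '1' per iframe and the test fires on the sixth,
    so five download prompts get through before the page dies, which matches
    the "5 download windows later" observation in the post.
    """
    if not content_type.lower().startswith("text/html"):   # URL = "$TYPE(htm)"
        return Verdict(0, False, None)
    count = 0
    for _ in IFRAME_WITH_SRC.finditer(html):
        count += 1
        if count >= limit:
            return Verdict(count, True, "Possible Iframe Exploit Blocked!")
    return Verdict(count, False, None)


def flood_page(n: int, target: str = "http://example.invalid/flames.exe") -> str:
    """Constructed stand-in for the flooding test page: n tiny iframes that all
    point at an executable, so the browser raises one download prompt per frame.
    The URL is a placeholder, not the real test page."""
    frame = f'<iframe src="{target}" width="1" height="1"></iframe>'
    return f"<html><body>{frame * n}</body></html>"


if __name__ == "__main__":
    for n in (2, 5, 1999):
        print(n, check_page(flood_page(n)))
```

Two things the model makes obvious: the filter is a per-page counter, so a legitimate page with six or more iframes would be killed just the same, and it does nothing for a document served as something other than text/html. It only blunts the delivery; the NTFS or Software Restriction Policy workaround from JacK's first post is what stops the downloaded file from executing however many frames get through.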
Copyright ©2002 - 2012, Wilders Security Forums