Wilders Security Forums  

  #1  
Old August 18th, 2005, 06:02 PM
Kye-U
Security Expert
 
Join Date: Jun 2004
Posts: 481
Default Kye-U's Browser Security Pack v4.37 for Proxomitron

Version 4.37 is Released!

Last Updated: August 18th, 2005 - 5:54 PM EST

What's New?

Quote:
[-Version 4.37-]

-Modified (IE: Remove Problematic CLASSIDs)
http://isc.sans.org/diary.php?date=2005-08-18

http://www.dhost.info/kyeu/proxo/for...hp?p=1115#1115

Download here!

MD5: 90F2203F7122717B7396EFA5E263CC1D
  #2  
Old August 18th, 2005, 06:03 PM
dog
 
Posts: n/a
Default Re: Kye-U's Browser Security Pack v4.37 for Proxomitron

^_^ Thanks Kye-U
  #3  
Old August 19th, 2005, 06:27 PM
Kye-U
Security Expert
 
Join Date: Jun 2004
Posts: 481
Default Re: Kye-U's Browser Security Pack v4.37 for Proxomitron

Version 4.38 is Released!

Last Updated: August 19th, 2005 - 6:25 PM EST

What's New?

Quote:
[-Version 4.38-]

-Removed (Javascript "charAt" Remover)
--Redundant (Already included in [IE: Nullify Vulnerable Javascript Functions])

http://www.dhost.info/kyeu/proxo/for...hp?p=1115#1115

Download here!

MD5: F6F5A70A8327B64A3FA69F7CB038DB51
  #4  
Old August 20th, 2005, 01:48 AM
Le Kibitzer
Infrequent Poster
 
Join Date: May 2005
Posts: 13
Thumbs up Re: Kye-U's Browser Security Pack v4.37 for Proxomitron

Kye-U,

Cheers.... for a job well done! =)
__________________
Woman without a man is like a fish without a bicycle
  #5  
Old August 20th, 2005, 01:43 PM
Kye-U
Security Expert
 
Join Date: Jun 2004
Posts: 481
Default Re: Kye-U's Browser Security Pack v4.37 for Proxomitron

Thanks Le Kibitzer ^_^

It's certainly been less stressful for me to maintain this pack since most of the filters cover many exploits (as I have written them to be as generic as possible, with few false positives). I haven't really had to create any new filters since v4.32.

I thank you again for your support, and I'll try my best to maintain this pack!
  #6  
Old August 21st, 2005, 12:24 PM
Rui
Regular Poster
 
Join Date: Mar 2004
Location: Portugal
Posts: 141
Default Re: Kye-U's Browser Security Pack v4.37 for Proxomitron

Kye-U

Thank you very much!!

Rui
  #7  
Old August 27th, 2005, 10:18 PM
Kye-U
Security Expert
 
Join Date: Jun 2004
Posts: 481
Default Re: Kye-U's Browser Security Pack v4.37 for Proxomitron

v4.39 is now out ^_^

In this one, I fixed a few filter-placement problems, and tried my best to fix the currently popular IFRAME Buffer Overflow exploit (that is being used to spread the Bofra worm).

Version 4.39 is Released!

Last Updated: August 27th, 2005 - 10:01 PM EST

What's New?

Quote:
[-Version 4.39-]

-Added (Javascript "charAt" Remover [Kye-U])

-Added (IE: Remove Suspicious IFRAME (Possible Buffer Overflow Exploit) [Kye-U])
http://secunia.com/advisories/12959/

-Modified (IE: Nullify Vulnerable Javascript Functions)
--Removed (Javascript "charAt" Remover) Match and made it its own standalone filter (as it applied to all browsers)

http://www.dhost.info/kyeu/proxo/for...hp?p=1115#1115

Download here!

MD5: 7BE6F84A679066882B6619CFA010C978
  #8  
Old August 28th, 2005, 01:43 AM
Mrkvonic
Linux Systems Expert
 
Join Date: May 2005
Posts: 7,433
Default Re: Kye-U's Browser Security Pack v4.37 for Proxomitron

Hi,
As usual, excellent work!
Cheers,
Mrk
  #9  
Old September 4th, 2005, 01:38 AM
Kye-U
Security Expert
 
Join Date: Jun 2004
Posts: 481
Default Re: Kye-U's Browser Security Pack v4.37 for Proxomitron

Version 4.40 is Released!

Last Updated: September 4th, 2005 - 1:32 AM EST

What's New?

Quote:
[-Version 4.40-]

-Added (URL-Killer: Kill Suspicious Extensions [Kye-U] (Out))
--In response to the increase in Rotating Advertising Trojan Attacks
--Detects and Kills Connections to .pif, .bat, .com, .hta, .vbs, .cmd and .scr.

http://dhost.info/kyeu/proxo/forums/...hp?p=5601#5601

MD5: 9CFDB2FD39E7BF0BFBCDC6697D231141
  #10  
Old September 4th, 2005, 03:10 PM
Kye-U
Security Expert
 
Join Date: Jun 2004
Posts: 481
Default Re: Kye-U's Browser Security Pack v4.37 for Proxomitron

Version 4.41 is Released!

Last Updated: September 5th, 2005 - 3:08 PM EST

What's New?

Quote:
[-Version 4.41-]

-Modified (URL-Killer: Kill Suspicious Extensions [Kye-U] (Out))
--Made more specific, removed false positives with search engines and webmail.

http://dhost.info/kyeu/proxo/forums/...hp?p=5604#5604

MD5: E5141A185C6280F037F83F3636C9859E

Last edited by Kye-U : September 4th, 2005 at 03:42 PM.
  #11  
Old September 6th, 2005, 10:45 PM
Kye-U
Security Expert
 
Join Date: Jun 2004
Posts: 481
Default Re: Kye-U's Browser Security Pack v4.37 for Proxomitron

Version 4.42 is Released!

Last Updated: September 6th, 2005 - 10:43 PM EST

What's New?

Quote:
[-Version 4.42-]

-Modified (URL-Killer: Kill Suspicious Extensions [Kye-U] (Out))
--Rewrote match; should be much more efficient and rid of most false-positives.

http://dhost.info/kyeu/proxo/forums/...hp?p=5615#5615

MD5: 1730ED5C3F86520354175808E8F202A3
  #12  
Old September 7th, 2005, 05:14 PM
Kye-U
Security Expert
 
Join Date: Jun 2004
Posts: 481
Default Re: Kye-U's Browser Security Pack v4.37 for Proxomitron

Version 4.43 is Released!

Last Updated: September 7th, 2005 - 5:13 PM EST

What's New?

Quote:
[-Version 4.43-]

-Modified (URL-Killer: Kill Suspicious Extensions [Kye-U] (Out))
--Added more suspicious extensions, and a Confirm box to either accept the connection, or to kill it.

http://dhost.info/kyeu/proxo/forums/...hp?p=5628#5628

MD5: D52FB47213437C98AF744BD5ACDE32BD
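
One way the false positives mentioned in the v4.41 and v4.42 entries can arise, as an added example that is not part of the thread and is not Kye-U's Proxomitron filter: a substring test for the extensions listed under v4.40 fires on ordinary hostnames and on search or webmail query strings, while a test on the last path segment does not. The function names and sample URLs are constructed for illustration.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Extensions listed in the v4.40 changelog entry.
SUSPICIOUS = {".pif", ".bat", ".com", ".hta", ".vbs", ".cmd", ".scr"}

def naive_match(url: str) -> bool:
    """Substring test over the whole URL (host, path and query alike)."""
    lowered = url.lower()
    return any(ext in lowered for ext in SUSPICIOUS)

def path_extension_match(url: str) -> bool:
    """Test only the extension of the final path segment."""
    # Decode percent-escapes first so an encoded dot (%2E) cannot hide it.
    path = unquote(urlsplit(url).path)
    # Windows ignores trailing dots and spaces in file names, so strip them.
    filename = posixpath.basename(path).rstrip(". ").lower()
    return posixpath.splitext(filename)[1] in SUSPICIOUS

# Constructed sample URLs: (url, should the connection be flagged?)
SAMPLES = [
    ("http://www.example.com/index.html", False),                        # ".com" is the host
    ("http://search.example.net/find?q=what+is+a+.scr+file", False),     # search query
    ("http://webmail.example.net/compose?to=bob%40example.com", False),  # webmail query
    ("http://ads.example.net/banner/update.scr", True),
    ("http://ads.example.net/img/photo.jpg.PIF", True),                  # double extension
    ("http://ads.example.net/get/setup%2Ehta", True),                    # encoded dot
]

def compare(samples=SAMPLES):
    """Return (url, expected, naive result, path-based result) for each sample."""
    return [(u, want, naive_match(u), path_extension_match(u)) for u, want in samples]

if __name__ == "__main__":
    for url, want, naive, by_path in compare():
        print(f"expected={want!s:5} naive={naive!s:5} path={by_path!s:5} {url}")
```

A URL's path extension is only a hint, since a server can return an executable from any URL, so a check like this complements inspection of the response rather than replacing it.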
  #13  
Old September 9th, 2005, 01:53 AM
citrus1927
Infrequent Poster
 
Join Date: Jul 2005
Posts: 3
Default Re: Kye-U's Browser Security Pack v4.37 for Proxomitron

Please help. When I go to the download link on the proxo forum and click it I get a "403 forbidden" and then a redirect to deluxe hosting site. How do I get the latest pack from Kye-U?
Thanks
  #14  
Old September 9th, 2005, 04:09 PM
Kye-U
Security Expert
 
Join Date: Jun 2004
Posts: 481
Default Re: Kye-U's Browser Security Pack v4.37 for Proxomitron

Citrus, it should work. Please disable Proxomitron (if you are spoofing your referrer or something).

Try this URL and download it from there:

http://dhost.info/kyeu/paFileDB/pafi...ion=file&id=57
  #15  
Old September 9th, 2005, 04:11 PM
dog
 
Posts: n/a
Default Re: Kye-U's Browser Security Pack v4.37 for Proxomitron

Here you go - If the above posted by Kye-U doesn't help (attached) ... I don't know why you're getting redirected like that ... can you post the link you get redirected to ... be sure to disable it by replacing http:// with -> hxxp://
Attached Files
File Type: zip Kye-U.Browser.Security.Pack.v4.43.zip (12.1 KB, 6 views)
  #16  
Old September 9th, 2005, 04:52 PM
Kye-U
Security Expert
 
Join Date: Jun 2004
Posts: 481
Default Re: Kye-U's Browser Security Pack v4.37 for Proxomitron

Version 4.44 is Released!

Last Updated: September 9th, 2005 - 4:50 PM EST

What's New?

Quote:
[-Version 4.44-]

-Added (Mozilla: "Host:" Buffer Overflow Exploit [Kye-U])
http://security-protocols.com/adviso...7-advisory.txt
http://secunia.com/advisories/16764/

-Modified (URL-Killer: Kill Suspicious Extensions [Kye-U] (Out))
--Removed Alert Box (when connection killed), and reworded the message.

http://dhost.info/kyeu/proxo/forums/...hp?p=5651#5651

MD5: F84B03EE3789EB53B518FB0E59B61B9F

Last edited by Kye-U : September 9th, 2005 at 05:02 PM.
  #17  
Old September 9th, 2005, 04:55 PM
ronjor
Global Moderator
 
Join Date: Jul 2003
Location: Texas
Posts: 46,210
Default Re: Kye-U's Browser Security Pack v4.37 for Proxomitron

Thanks Kye-U.
  #18  
Old September 9th, 2005, 05:03 PM
Kye-U
Security Expert
 
Join Date: Jun 2004
Posts: 481
Default Re: Kye-U's Browser Security Pack v4.37 for Proxomitron

No problem Ronjor ^_^
  #19  
Old September 9th, 2005, 08:22 PM
Bubba
Global Moderator
 
Join Date: Apr 2002
Posts: 11,279
Default Re: Kye-U's Browser Security Pack v4.37 for Proxomitron

Users of this new version can test it on this URL to make sure it works:>> http://www.security-protocols.com/firefox-death.html
  #20  
Old September 10th, 2005, 02:37 AM
citrus1927
Infrequent Poster
 
Join Date: Jul 2005
Posts: 3
Default Re: Kye-U's Browser Security Pack v4.37 for Proxomitron

Thanks, dog. Figured out the problem (fw blocking referrers). I got the pack now.
  #21  
Old September 11th, 2005, 01:59 PM
JW Clements
Frequent Poster
 
Join Date: Dec 2003
Location: Toronto
Posts: 360
Default Re: Kye-U's Browser Security Pack v4.37 for Proxomitron

Quote:
Originally Posted by Kye-U
Version 4.44 is Released!

Last Updated: September 9th, 2005 - 4:50 PM EST


I just discovered that 4.44 blocks attempts to update Lavasoft AdAware. Took a few seconds to remember that I'd just updated from 4.31 to 4.44, so I shut down Proxomitron and the AdAware was able to connect.
With 4.44 it opened the update window but then seemed to be in some kind of loop(?) or at least stalled. I can't 'retest' this theory until there's a new AW update available. Has anyone else seen this?
Jim
  #22  
Old September 11th, 2005, 02:15 PM
Kye-U
Security Expert
 
Join Date: Jun 2004
Posts: 481
Default Re: Kye-U's Browser Security Pack v4.37 for Proxomitron

It must be the filter "URL-Killer: Kill Suspicious Extensions [Kye-U] (Out)".

Can you post up a log of when you attempt to update Ad-Aware so I can see what the URL is or what filters are matching?

Thanks
  #23  
Old September 11th, 2005, 02:26 PM
Kye-U
Security Expert
 
Join Date: Jun 2004
Posts: 481
Default Re: Kye-U's Browser Security Pack v4.37 for Proxomitron

Here's my Log file of when I update Lavasoft Ad-Aware SE:

Quote:
+++GET 10928+++
GET /public/wu.dat HTTP/1.1
Host: download.lavasoft.de.edgesuite.net
User-Agent: Googlebot/2.1 (+http://www.googlebot.com/bot.html)
Connection: keep-alive
Accept-Encoding: gzip, x-gzip, deflate
RESP 10928 : Content-Type: Filter True: text/plain

+++RESP 10928+++
HTTP/1.1 200 OK
Server: Apache
Last-Modified: Thu, 08 Sep 2005 14:22:00 GMT
ETag: "a3f182-273-43204908"
Accept-Ranges: bytes
Content-Length: 627
Content-Type: text/plain; PrxMsg=Filter True
Date: Sun, 11 Sep 2005 18:24:19 GMT
X-Cache: MISS from ipcop.workgroup
Connection: keep-alive
Cache-Control: public, max-age=86400
Match 10928: Top All Mark: Start 4.07.11 (multi) [sd] (d.r)
Match 10928: Top All Mark: End 3.12.08 [sd] (d.r)
Match 10928: Top JS Mark: Start 4.10.13 (multi) [sd] (d.r)
Match 10928: Top JS: Mark End 3.12.08 [sd] (d.r)
Match 10928: Top HTML Mark: Start 3.12.08 (multi) [sd] (d.r)
Match 10928: Top HTML Mark: End 3.12.08 [sd] (d.r)
+++CLOSE 10928+++

+++GET 10929+++
GET /public/defs.ref HTTP/1.1
Host: updates.ls-servers.com
User-Agent: Googlebot/2.1 (+http://www.googlebot.com/bot.html)
Connection: keep-alive
Accept-Encoding: gzip, x-gzip, deflate
RESP 10929 : Content-Type: Filter True: text/plain

+++RESP 10929+++
HTTP/1.1 200 OK
Date: Sun, 11 Sep 2005 18:24:21 GMT
Server: Apache/1.3.33 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 PHP/4.4.0 FrontPage/5.0.2.2635 mod_ssl/2.8.22 OpenSSL/0.9.7a
Last-Modified: Thu, 08 Sep 2005 14:23:49 GMT
ETag: "f807f-7e776-43204975"
Accept-Ranges: bytes
Content-Length: 518006
Content-Type: text/plain; PrxMsg=Filter True
X-Cache: MISS from ipcop.workgroup
Connection: keep-alive
Cache-Control: public, max-age=86400
Match 10929: Top All Mark: Start 4.07.11 (multi) [sd] (d.r)
Match 10929: Top All Mark: End 3.12.08 [sd] (d.r)
Match 10929: Top JS Mark: Start 4.10.13 (multi) [sd] (d.r)
Match 10929: Top JS: Mark End 3.12.08 [sd] (d.r)
Match 10929: Top HTML Mark: Start 3.12.08 (multi) [sd] (d.r)
Match 10929: Top HTML Mark: End 3.12.08 [sd] (d.r)
+++CLOSE 10929+++

And it updated fine.
  #24  
Old September 11th, 2005, 03:50 PM
JW Clements
Frequent Poster
 
Join Date: Dec 2003
Location: Toronto
Posts: 360
Default Re: Kye-U's Browser Security Pack v4.37 for Proxomitron

Quote:
Originally Posted by Kye-U
Here's my Log file of when I update Lavasoft Ad-Aware SE:



And it updated fine.

Here they are, see my note in the middle about repetitions removed.

Edit: these are the AAW logs, they don't look like yours though....

Jim
------------------
9-11-2005 10:47:53 AM...

Verbinden mit 127.0.0.1.
Verbunden.
Chunk gestartet
9-11-2005 10:47:57 AM...

9-11-2005 10:47:57 AM...

9-11-2005 10:47:57 AM...

Verbindung zu 127.0.0.1 wird getrennt.
Nicht verbunden.

New definitions file available!
Build:SE1R65 08.09.2005 08.09.2005

News:Ad-Aware SE 1.06 released!
Read all details about how to obtain it here... (http://www.lavasoft.de/news/product/info/)

Verbinden mit 127.0.0.1.
Verbunden.
Chunk gestartet
9-11-2005 10:48:04 AM...

9-11-2005 10:48:04 AM...

9-11-2005 10:48:04 AM...

there were a lot of these so I clipped most of them to be able to post <<<<< Jim's note

9-11-2005 10:48:15 AM...

Verbindung zu 127.0.0.1 wird getrennt.
Nicht verbunden.
Installing Update...

9-11-2005 10:48:19 AM Failed

Last edited by JW Clements : September 11th, 2005 at 03:57 PM.
  #25  
Old September 11th, 2005, 03:58 PM
Kye-U
Security Expert
 
Join Date: Jun 2004
Posts: 481
Default Re: Kye-U's Browser Security Pack v4.37 for Proxomitron

Sorry JW, what I meant was a Proxomitron Log File. To do this, open Proxomitron and click on "Log Connections". Then attempt to do an update in Ad-Aware and then copy/paste the entries in the Proxomitron Log Window here.
 


All times are GMT -4.