Browser exploit tests & alternative defenses

Browser exploit tests & alternative defenses

Poll Question:

All Browser makes & models are welcome. Put up all your defenses!

Hyperlink Poll speed = use your middle mouse button to click on each exploit example hyperlink if it is configured to open link in background, you will fly thru these tests. Right mouse click on hyperlink can achieve same result. Just remember to look at each result.

Exploit Examples as of 4/3/04 = 30 Total + a Browser Security Test (order = most recent or most challenging exploit first)

Alpha Exploits added after 4/3/04 = A-Z

______________________________

start Alpha Exploits:

Alpha exploit example A - IE Popup.show Mouse Event Hijacking exploit

Alpha exploit example B - Mouseover exploit

Alpha exploit example C.1 - IE JavaScript Desktop Spoofing exploit

Alpha exploit example C.2 - IE JavaScript Desktop downloading Spoofing exploit

Alpha exploit example D - Browser Popup tests

Alpha exploit example E - IE Drag and Drop Vulnerability <== proof of concept

Alpha exploit example F - IE Malformed IFRAME Remote Buffer Overflow Vulnerability

********* End Alpha Exploits *********

Start 30+ Poll Exploits:

Actual exploit example #1 JS.Exception.Exploit lockdowncorp

Actual exploit example #2 privacy.net test

Actual exploit example #3 NetBios MAC address lockdowncorp

Actual exploit example #4 PC Flank stealth test

Actual exploit example #5 DoS ping test lockdowncorp

Actual exploit example #6 File Download Extension Spoofing Test

Actual exploit example #7 All Remote Environment Test lockdowncorp

Actual exploit example #8 NetBios Privacy Test - Login & Computer Name lockdowncorp

Actual Exploit example #9 Malware forced Iframe <- malware is back! See Warning before taking this one!

Actual exploit example #10 AV Eicar test <--- Simple Eicar test (harmless code)

Actual exploit example #11 Internet Explorer Script Execution Vulnerabilities <-- click Go when u get there

Actual exploit example #12 Internet Explorer Script URL Cross-Domain Access Violation Vulnerability

Actual exploit example #13 Internet Explorer Unauthorized Clipboard Contents Disclosure Vulnerability <-- select some text and use copy command to get the selected text to your clip board before you take this test

Actual exploit example #14 URI Display Obfuscation Weakness

Actual exploit example #15 Cross-Domain Policy Vulnerability

Actual exploit example #16 Window.MoveBy/Method Caching Mouse Click Event Hijacking Vulnerability

don't forget to back up notepad.exe for exploit #17

Actual exploit example #17 IE CHM File Execution Weakness

Actual exploit example #18 IE URL Spoofing

Actual exploit example #19 Opera URI Handler Directory Traversal Vulnerability:

Opera users, highlight the green text line below (left mouse hold and drag from the "O" in Opera to the last "e" in .exe), then right click the highlighted line and select "go to url"

opera:/help/..%5c..%5c..%5cwinnt/notepad.exe

Actual exploit example #20 Firebird markLinkVisited Arbitrary Script Code Execution Vulnerability

Actual exploit example #21 IE Object Data exploit

Actual exploit example #24 IE java applet exploit

Actual exploit example #25 IE activex exploit

Actual exploit example #26 IE scrap object exploit

Actual exploit example #27 IE view-source exploit

Actual Exploit example #28 IE img element & dynsrc exploit

Actual Exploit example #29 IE Cascading Style Sheets (CSS)

Actual Exploit example #30 IE Vulnerable cached objects exploit

Browser Security Check <-- see note below b4 you click on this link

important note: Prior to running the Browser Security check, deactivate popup prevent software. I spoof as IE 'cause this will result in all vulnerability tests being performed (31 tests @ 4/3/04). If you run Privoxy, Proxomitron or Guidescope etc., adjust your filters so cookies, Java & JS are enabled.

Select "Only test for bugs specific to my type of browser" then press start test. Enjoy the ride!

That's it. See voting instructions in message area 2 (next post) below.

****************************************

S²:

peakaboo

_________________

broken exploit links:

Broken exploit example #22 IE RPC DCOM exploit

Broken exploit example #23 IE globalDgArg exploit

 

Re:IE vulnerabilities alternative defenses

This is message area 2:


message area 2 was revised to provide Poll Voting Instructions Only.


******************************

Poll Voting Instructions:

voting instructions for 3 categories of testers:

1) Those testing the exploits for the first time please complete all 30 exploits in message area 1 and take the Browser Security check for your browser then vote using Poll response 1 or 8.

2) Those who have been here before, and defeated all previous exploits #9 thru #30 + Browser Security Check, and have not voted before can use either poll response 1 if you fail to defeat all exploits or, poll response 8. The Poll won't allow you to vote again if you have already voted so post your results as I did.

3) Those who already failed 1 or more of exploits #9 thru #30 or the Browser Security check, please retake all 30 exploits + the Browser Security check, if you have not voted please select poll response 1. If you have already voted, sorry you are out of gas on the voting. You may instead post your results.


******************************

see message area 1 (previous post) for all exploit examples;

see post #17 below for links to more info on some of the vulnerabilities

 

Re:IE vulnerabilities alternative defenses

Browser updates by MS are critical in resolving these security issues for IE.

In some cases browser updates may not be adequate. These are the cases in which alternate defenses may be applicable.

Example: exploits 2 & 3 appear to still get through. Alternative defense for me is my AV.

exploit #1 can be defeated by proxo filter iframe killer.

 

Re:IE vulnerabilities alternative defenses

exploit #1 got me guess it's time to update my browser to see if this helps.

exploits #2 thru 4 defeated

 

Re:IE vulnerabilities alternative defenses

LWM,

I appreciate your putting the Admin. Warning message on the exploit page.

I remember the 1st time I ran exploit #1, my pulse rate quickened a bit.

exploit #1 may potentially be knocking many out of the box which could explain the lack of poll responses, so I'll move it down the exploit ladder and make it #4 instead of #1 and then highlight it as a difficult exploit.

 

Re:IE vulnerabilities alternative defenses

Strange none of the exploits are working without using any form of defence such as proxomitron on IE 6

 

Re:IE vulnerabilities alternative defenses

I just updated my IE5.5 browser with the latest cumulative patch Q818529 and the malware exploit still gets thru.

Also the other exploits were prevented not by the browser, but by other means.

Looks like MS has some work to do in fixing these security holes below 6. I guess they just say move to IE6, which probably has yet to be discovered security flaws.

 

Re:IE vulnerabilities alternative defenses

OK... did 1/2/3 no probs.. nothing happened... BUT... TEST 4.. ouch...

It tries to download a file, nothing wrong with that you may say.. however, it tries multiple times... I had over 160 "Download File" windows up before I could kill my browser in Task Manager...

ADVICE DO NOT TAKE TEST 4 LOL...

Cheers.

 

Re:IE vulnerabilities alternative defenses

Yep. I agree It suck up all my resources and I had to power off manualy.

 

Re:IE vulnerabilities alternative defenses

Hope you both read the admin warning from LowWaterMark and the note from me (peakaboo) about Exploit #4

Anyway the important thing is this is a relatively safe way to see if you are vulnerable to this type of attack. Now that you know you can do something about it if you choose to do so.

I stated at the outset:

Weird guest confirms IE6 patched is not vulnerable to this exploit even without proxo, but this may depend on your OS (win 9x may be vulnerable with or without IE6).

Ctrl+Alt+Del should kill if you get there fast enough

Guess the poll should now read:

I failed 1 or more of the initial exploits = 2

(possibly more I'm guessing those who fail exploit #4 and have a browser shut down do not come back to answer the poll)

 

Re:IE vulnerabilities alternative defenses

Last person to vote must be clairvoyant, since he/she already defeated vulnerabilities in addendum 1 thru 3 which have not been posted yet.

Moderators, if possible please move the 1 vote from:

I defeated initial exploits and addendum 1 thru 3 vulnerabilities

to:

I defeated all 4 exploits listed with the initial poll posted on 8/1/2003

Also if there is a way to lock part of the voting options until I am ready to use, let me know. If I could I would lock options 4 thru 8 till I am ready to use.

I added addendum 1 today with 6 new exploits to try.

 

Re:IE vulnerabilities alternative defenses

I could not vote again without registering under a different user name, so I decided to post my result:

poll option #3 (I defeated initial exploits and addendum 1 vulnerabilities ) = 1 vote from me

 

Re:IE vulnerabilities alternative defenses

I ran Opera against all 10 exploits, and it defeated 9 out of the 10 exploits.

It had a little problem with exploit #4. I did not get multiple popup windows. But when I was prompted to cancel the download, Opera froze. Had to restart my pc.

Maybe a setting tweak. Not sure at this point.

Very Nice Browser though.

I think I'll keep.

 

Re:IE vulnerabilities alternative defenses

BTW, Opera defeats all ten exploits, the force iframe exploit #4 is defeated by tweaking your preferences (under page style - uncheck or disable inline frames)

Not really thread hijacking, since the point of the above exploits is alternative defenses against IE exploits. In this case it is in the form of using a different Browser (Opera) which appears to have its defenses in order to defeat these exploits.

10 out of 10 IE exploits defeated by Opera - not bad.

My Post above (Peakaboo1) regarding Opera's performance on IE vulnerabilities does fit here.

These are IE exploits defeated by alternative defense (using a browser not susceptible to these IE exploits).

 

Re:IE vulnerabilities alternative defenses

4/3/04 update =

added 8 exploit examples

See page 1, message areas 1 & 2 (1st & 2nd posts) of this poll for all 30 exploit examples, and Browser security Check before answering the poll.


Also see important Admin Note from LowWaterMark


Enjoy!

 

Re:IE vulnerabilities alternative defenses

additional info on some of the exploits:

alpha exploits reference info:

http://www.securityfocus.com/bid/10690/discussion/

http://www.securityfocus.com/bid/3469/discussion/

Poll exploit reference info:

info about exploits 1, 3, 5, 7 & 8: http://stealthtests.lockdowncorp.com

info about exploit 2: http://privacy.net

info about exploit 4: http://www.pcflank.com/scanner1s.htm

info about exploit 6: https://www.wilderssecurity.com/showthread.php?t=11975;start=msg150423#msg150423

info about exploit #9: http://www.malware.com <== malware debated commercialization of this resource,
but as of 2/1/04 they decided to do the right thing and allow free access to this info and the malware exploit
example.

note from peakaboo about Exploit #9:

Exploit #9 if you are vulnerable (IE 5.5 and below & Win9x) & it runs on your pc may cause your pc to not respond as LWM has indicated - really cool exploit flaming screen appears, use Ctrl+Alt+Del to kill the .exe which should appear multiple times

(if you are not familiar with what I am talking about and your OS is win9x & browser is IE 5.5 or below you may want to skip this exploit and assume you are vulnerable and mark the poll as having failed at least 1 exploit)

info about Exploit #10: http://www.eicar.org/anti_virus_test_file.htm

purpose of exploit #10: to see if your AV catches harmless Eicar code in cache before it officially makes it on to your hard drive (Important note: eicar.org cannot be held responsible when these files or your AV scanner in combination with these files cause any damage to your computer.)

info about Exploit #11: http://www.securityfocus.com/bid/8577/discussion/

info about Exploit #12: http://www.securityfocus.com/bid/9013/discussion/

info about Exploit #13: http://www.securityfocus.com/bid/9643/discussion/

info about Exploit #14: http://www.securityfocus.com/bid/9182/discussion/

info about Exploit #15: http://www.securityfocus.com/bid/9109/discussion/

info about Exploit #16: http://www.securityfocus.com/bid/9108/discussion/

info about Exploit #17: http://www.securityfocus.com/bid/9320/discussion

info about Exploit #18: http://www.secunia.com/advisories/10395

info about Exploit #19: http://www.securityfocus.com/bid/9021/discussion

info about Exploit #20: http://www.securityfocus.com/bid/9329/discussion

info about Exploit #24: http://www.finjan.com/mcrc/demos/java.cfm

info about Exploit #25: http://www.finjan.com/mcrc/demos/activex.cfm

info about Exploit #26: http://www.finjan.com/mcrc/demos/object.cfm

info about Exploit #30: http://security.greymagic.com/adv/gm012-ie/

 

Re:IE vulnerabilities alternative defenses

j4tr:

I have made a switch to an alternative browser.

Testing Opera 7.2 against the 12 IE vulnerabilities & the Browser Security test, my vote is result #4 = I defeated initial exploits and addendum 1 & 2 vulnerabilities.

stubbed my toe on walla, but when I get a chance I'll take a look at that again.

Firebird and other alternative browsers feel free to vote and or post your responses.

Firebird users sure are quite on this thread

I'll be taking a look at Firebird once it gets out of beta, but I really like Opera.

j4tr = just for the record

 

Re:IE vulnerabilities alternative defenses

OK i'm the Firebird guinnea pig:

Defeated all! (including extra credits) using Guidescope proxy.

 

Re:IE vulnerabilities alternative defenses

Hi libbo1,

Thanks for sharing your Firebird results.

1) If you really want to be a guinea pig try exploit #s 4, 5, 7, 9, 10, 12 and the 2 Super Ads again without Guidescope and post your results. You are under no obligation to do so of course, and this is not a challenge. Do it if you have time and only in the interest of sharing and your own intellectual curiosity.

2) Also, if Guidescope has a log of the filters which are triggered on the super ads, I would be interested in knowing what was triggered. Your response may help facilitate debugging the proxo kicka$$ Ad pages.

 

Re:IE vulnerabilities alternative defenses

lol u wanna me to run naked down the street! Guidescope is very good at blocking ads and popups like about 100% Will shed my protective armor in the interest of the test and report back. As for a filter log, it's proprietary info Guidescope doesnt share with its users!

 

Re:IE vulnerabilities alternative defenses

Not exactly

It may be a good exercise for you to see how Firebird does on its own in case someone figures out how to bring Guidescope down.

I appreciate your willingness to share.

 

Re:IE vulnerabilities alternative defenses

If you ever want to have some "fun", run all 30 (as of the date of this post) of the Browser Security Tests at the above referenced URL.

I was running Opera 7.2 almost naked (proxo disabled) and got dinged for 1 medium risk Vulnerability out of 30, have no idea why... yet...

Browser Security Test Results

Dear Customer,

The Browser Security Test is finished. Please find the results below:
High Risk Vulnerabilities   0   
Medium Risk Vulnerabilities   1   
Low Risk Vulnerabilities   0

also not sure what the point of this test was:

Test moz91043 - begin

but it sure was long

LOL

********************************
interesting stats on this test

from the link:

Want to know how everyone else is doing on Browser Test? Check our statistics.

**********************

have fun...

 

Re:IE vulnerabilities alternative defenses

hard to draw any inferences from the above Browser Security stats, it would be nice to see a breakout of vulnerabilties by browser type...

Firebird naked run

 

Re:IE vulnerabilities alternative defenses

Mozilla Firebird 0.7+ has currently not been tested by http://bcheck.scanit.be/bcheck/ . But I ran all 30 tests anyways. I do not use any web/content filtering apps.

Browser Security Test Results

Dear Customer,

The Browser Security Test is finished. Please find the results below:
High Risk Vulnerabilities   0
Medium Risk Vulnerabilities   0
Low Risk Vulnerabilities   0

New bugs keep coming! Sign up for announcements of new tests.

Questions about the test? Read the FAQ.

Still having questions? Send us your feedback.

Want to know how everyone else is doing on Browser Test? Check our statistics.