Browser exploit tests & alternative defenses

Discussion in 'polls' started by peakaboo, Aug 2, 2003.

See detailed question below; Fill in your results here:

  1. I failed 1 or more of the initial exploits

    2 vote(s)
    22.2%
  2. I defeated all 4 exploits listed with the initial poll posted on 8/1/2003

    3 vote(s)
    33.3%
  3. I defeated initial exploits and addendum 1 vulnerabilities

    0 vote(s)
    0.0%
  4. I defeated initial exploits and addendum 1 & 2 vulnerabilities

    0 vote(s)
    0.0%
  5. I defeated initial exploits and addendum 1 thru 3 vulnerabilities

    0 vote(s)
    0.0%
  6. I defeated initial exploits and addendum 1 thru 4 vulnerabilities

    0 vote(s)
    0.0%
  7. I defeated initial exploits and addendum 1 thru 5 vulnerabilities

    0 vote(s)
    0.0%
  8. I defeated initial exploits and addendum 1 thru 6 vulnerabilities

    4 vote(s)
    44.4%
Thread Status:
Not open for further replies.
  1. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
    Browser exploit tests & alternative defenses

    Poll Question:

    All Browser makes & models are welcome. Put up all your defenses!

    Hyperlink Poll speed = use your middle mouse button to click on each exploit example hyperlink if it is configured to open link in background, you will fly thru these tests. Right mouse click on hyperlink can achieve same result. Just remember to look at each result.

    Exploit Examples as of 4/3/04 = 30 Total + a Browser Security Test (order = most recent or most challenging exploit first)

    Alpha Exploits added after 4/3/04 = A-Z


    ______________________________

    start Alpha Exploits:

    Alpha exploit example A - IE Popup.show Mouse Event Hijacking exploit

    Alpha exploit example B - Mouseover exploit

    Alpha exploit example C.1 - IE JavaScript Desktop Spoofing exploit

    Alpha exploit example C.2 - IE JavaScript Desktop downloading Spoofing exploit

    Alpha exploit example D - Browser Popup tests

    Alpha exploit example E - IE Drag and Drop Vulnerability <== proof of concept

    Alpha exploit example F - IE Malformed IFRAME Remote Buffer Overflow Vulnerability

    ********* End Alpha Exploits *********

    Start 30+ Poll Exploits:

    Actual exploit example #1 JS.Exception.Exploit lockdowncorp

    Actual exploit example #2 privacy.net test

    Actual exploit example #3 NetBios MAC address lockdowncorp

    Actual exploit example #4 PC Flank stealth test

    Actual exploit example #5 DoS ping test lockdowncorp

    Actual exploit example #6 File Download Extension Spoofing Test

    Actual exploit example #7 All Remote Environment Test lockdowncorp

    Actual exploit example #8 NetBios Privacy Test - Login & Computer Name lockdowncorp

    Actual Exploit example #9 Malware forced Iframe <- malware is back! See Warning before taking this one!

    Actual exploit example #10 AV Eicar test <--- Simple Eicar test (harmless code)

    Actual exploit example #11 Internet Explorer Script Execution Vulnerabilities <-- click Go when u get there

    Actual exploit example #12 Internet Explorer Script URL Cross-Domain Access Violation Vulnerability

    Actual exploit example #13 Internet Explorer Unauthorized Clipboard Contents Disclosure Vulnerability <-- select some text and use copy command to get the selected text to your clip board before you take this test

    Actual exploit example #14 URI Display Obfuscation Weakness

    Actual exploit example #15 Cross-Domain Policy Vulnerability

    Actual exploit example #16 Window.MoveBy/Method Caching Mouse Click Event Hijacking Vulnerability

    don't forget to back up notepad.exe for exploit #17

    Actual exploit example #17 IE CHM File Execution Weakness

    Actual exploit example #18 IE URL Spoofing

    Actual exploit example #19 Opera URI Handler Directory Traversal Vulnerability:

    Opera users, highlight the green text line below (left mouse hold and drag from the "O" in Opera to the last "e" in .exe), then right click the highlighted line and select "go to url"

    opera:/help/..%5c..%5c..%5cwinnt/notepad.exe

    Actual exploit example #20 Firebird markLinkVisited Arbitrary Script Code Execution Vulnerability

    Actual exploit example #21 IE Object Data exploit

    Actual exploit example #24 IE java applet exploit

    Actual exploit example #25 IE activex exploit

    Actual exploit example #26 IE scrap object exploit

    Actual exploit example #27 IE view-source exploit

    Actual Exploit example #28 IE img element & dynsrc exploit

    Actual Exploit example #29 IE Cascading Style Sheets (CSS)

    Actual Exploit example #30 IE Vulnerable cached objects exploit

    Browser Security Check <-- see note below b4 you click on this link

    important note: Prior to running the Browser Security check, deactivate popup prevent software. I spoof as IE 'cause this will result in all vulnerability tests being performed (31 tests @ 4/3/04). If you run Privoxy, Proxomitron or Guidescope etc., adjust your filters so cookies, Java & JS are enabled.

    Select "Only test for bugs specific to my type of browser" then press start test. Enjoy the ride!


    That's it. See voting instructions in message area 2 (next post) below.

    ****************************************

    S²: :cool:

    peakaboo

    _________________

    broken exploit links:

    Broken exploit example #22 IE RPC DCOM exploit

    Broken exploit example #23 IE globalDgArg exploit
     
    Last edited by a moderator: Dec 12, 2004
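
The URI given for exploit example #19 writes its backslashes as `%5c`. One way a URI handler can end up accepting such a path is by looking for `../` before percent-decoding; the block below is an added illustration of that ordering next to a decode-then-validate version. It is not part of the original post and not Opera's code, and `HELP_ROOT`, the install path and all function names are assumptions.

```javascript
// Added illustration; not Opera's code. All names and paths are hypothetical.
const HELP_PREFIX = "opera:/help/"; // scheme and namespace as written in the post
const HELP_ROOT = ["C:", "Program Files", "Browser", "help"]; // assumed install dir

// Return the part of the URI after the help prefix, or null for any other URI.
function helpPath(uri) {
  return uri.startsWith(HELP_PREFIX) ? uri.slice(HELP_PREFIX.length) : null;
}

// Split on both separators: Windows treats "/" and "\" alike in file paths.
function splitSegments(p) {
  return p.split(/[\\/]+/).filter((s) => s !== "" && s !== ".");
}

// Resolve ".." the way the file system would, never climbing above the drive.
function collapse(segments) {
  const out = [];
  for (const s of segments) {
    if (s === "..") {
      if (out.length > 1) out.pop();
    } else {
      out.push(s);
    }
  }
  return out;
}

// Weak ordering: the traversal check runs on the still-encoded text, so
// "..%5c" passes it and only becomes "..\" after decoding.
function naiveResolve(uri) {
  const raw = helpPath(uri);
  if (raw === null || /\.\.[\\/]/.test(raw)) return null;
  const decoded = decodeURIComponent(raw);
  return collapse(HELP_ROOT.concat(splitSegments(decoded))).join("\\");
}

// Hardened ordering: decode once, refuse anything still encoded afterwards,
// then validate the decoded segments before building a path.
function safeResolve(uri) {
  const raw = helpPath(uri);
  if (raw === null) return null;
  let decoded;
  try {
    decoded = decodeURIComponent(raw);
  } catch (e) {
    return null; // malformed escape sequence
  }
  if (/%[0-9a-f]{2}/i.test(decoded)) return null; // double encoding
  if (/[\u0000-\u001f:]/.test(decoded)) return null; // control chars, drive or stream syntax
  const rel = splitSegments(decoded);
  if (rel.length === 0 || rel.includes("..")) return null; // no parent references at all
  return HELP_ROOT.concat(rel).join("\\");
}

// The URI from the post, used as sample input.
const SAMPLE = "opera:/help/..%5c..%5c..%5cwinnt/notepad.exe";
console.log("naive:", naiveResolve(SAMPLE), "| hardened:", safeResolve(SAMPLE));
```
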
  2. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
    Re:IE vulnerabilities alternative defenses

    This is message area 2:


    message area 2 was revised to provide Poll Voting Instructions Only.


    ******************************


    Poll Voting Instructions:

    voting instructions for 3 categories of testers:

    1) Those testing the exploits for the first time please complete all 30 exploits in message area 1 and take the Browser Security check for your browser then vote using Poll response 1 or 8.

    2) Those who have been here before, and defeated all previous exploits #9 thru #30 + Browser Security Check, and have not voted before can use either poll response 1 if you fail to defeat all exploits or, poll response 8. The Poll won't allow you to vote again if you have already voted so post your results as I did.

    3) Those who already failed 1 or more of exploits #9 thru #30 or the Browser Security check, please retake all 30 exploits + the Browser Security check, if you have not voted please select poll response 1. If you have already voted, sorry you are out of gas on the voting. You may instead post your results.


    ******************************

    see message area 1 (previous post) for all exploit examples;

    see post #17 below for links to more info on some of the vulnerabilities
     
  3. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
    Re:IE vulnerabilities alternative defenses

    Browser updates by MS are critical in resolving these security issues for IE.

    In some cases browser updates may not be adequate. These are the cases in which alternate defenses may be applicable.

    Example: exploits 2 & 3 appear to still get through. Alternative defense for me is my AV.

    exploit #1 can be defeated by proxo filter iframe killer.
     
  4. jedi

    jedi Guest

    Re:IE vulnerabilities alternative defenses

    exploit #1 got me; guess it's time to update my browser to see if this helps.

    exploits #2 thru 4 defeated
     
  5. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
    Re:IE vulnerabilities alternative defenses

    LWM,

    I appreciate your putting the Admin. Warning message on the exploit page.

    I remember the 1st time I ran exploit #1, my pulse rate quickened a bit. :eek:

    exploit #1 may potentially be knocking many out of the box which could explain the lack of poll responses, so I'll move it down the exploit ladder and make it #4 instead of #1 and then highlight it as a difficult exploit.
     
  6. Weird

    Weird Guest

    Re:IE vulnerabilities alternative defenses

    Strange none of the exploits are working without using any form of defence such as proxomitron on IE 6
     
  7. jedi

    jedi Guest

    Re:IE vulnerabilities alternative defenses

    I just updated my IE5.5 browser with the latest cumulative patch Q818529 and the malware exploit still gets thru.

    Also the other exploits were prevented not by the browser, but by other means.

    Looks like MS has some work to do in fixing these security holes below 6. I guess they just say move to IE6, which probably has yet to be discovered security flaws. :rolleyes:
     
  8. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Re:IE vulnerabilities alternative defenses

    OK... did 1/2/3 no probs.. nothing happened... BUT... TEST 4.. ouch...

    It tries to download a file, nothing wrong with that you may say.. however, it tries multiple times... I had over 160 "Download File" windows up before I could kill my browser in Task Manager...

    ADVICE DO NOT TAKE TEST 4 LOL...

    Cheers.
     
  9. TAG97

    TAG97 Registered Member

    Joined:
    Feb 10, 2002
    Posts:
    616
    Location:
    Connecticut USA
    Re:IE vulnerabilities alternative defenses

    Yep. I agree :) It sucked up all my resources and I had to power off manually. :oops:
     
  10. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
    Re:IE vulnerabilities alternative defenses

    Hope you both read the admin warning from LowWaterMark and the note from me (peakaboo) about Exploit #4

    Anyway the important thing is this is a relatively safe way to see if you are vulnerable to this type of attack. Now that you know you can do something about it if you choose to do so.

    I stated at the outset:

    Weird guest confirms IE6 patched is not vulnerable to this exploit even without proxo, but this may depend on your OS (win 9x may be vulnerable with or without IE6).

    Ctrl+Alt+Del should kill if you get there fast enough

    Guess the poll should now read:

    I failed 1 or more of the initial exploits = 2

    (possibly more I'm guessing those who fail exploit #4 and have a browser shut down do not come back to answer the poll)
     
  11. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
    Re:IE vulnerabilities alternative defenses

    Last person to vote must be clairvoyant, since he/she already defeated vulnerabilities in addendum 1 thru 3 which have not been posted yet. :)

    Moderators, if possible please move the 1 vote from:

    I defeated initial exploits and addendum 1 thru 3 vulnerabilities

    to:

    I defeated all 4 exploits listed with the initial poll posted on 8/1/2003


    Also if there is a way to lock part of the voting options until I am ready to use, let me know. If I could I would lock options 4 thru 8 till I am ready to use.

    I added addendum 1 today with 6 new exploits to try.
     
  12. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Re:IE vulnerabilities alternative defenses

    peakaboo,

    Sorry, but we can't manipulate votes made ;)

    regards.

    paul
     
  13. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
    Re:IE vulnerabilities alternative defenses

    I could not vote again without registering under a different user name, so I decided to post my result:

    poll option #3 (I defeated initial exploits and addendum 1 vulnerabilities ) = 1 vote from me
     
  14. peakaboo1

    peakaboo1 Guest

    Re:IE vulnerabilities alternative defenses

    I ran Opera against all 10 exploits, and it defeated 9 out of the 10 exploits. :cool:

    It had a little problem with exploit #4. I did not get multiple popup windows. But when I was prompted to cancel the download, Opera froze. Had to restart my pc.

    Maybe a setting tweak. Not sure at this point.

    Very Nice Browser though.

    I think I'll keep. :D
     
  15. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
    Re:IE vulnerabilities alternative defenses

    BTW, Opera defeats all ten exploits, the force iframe exploit #4 is defeated by tweaking your preferences (under page style - uncheck or disable inline frames)

    Not really thread hijacking, since the point of the above exploits is alternative defenses against IE exploits. In this case it is in the form of using a different Browser (Opera) which appears to have its defenses in order to defeat these exploits.

    10 out of 10 IE exploits defeated by Opera - not bad.

    My Post above (Peakaboo1) regarding Opera's performance on IE vulnerabilities does fit here.

    These are IE exploits defeated by alternative defense (using a browser not susceptible to these IE exploits).
     
  16. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
    Re:IE vulnerabilities alternative defenses

    4/3/04 update =

    added 8 exploit examples

    See page 1, message areas 1 & 2 (1st & 2nd posts) of this poll for all 30 exploit examples, and Browser security Check before answering the poll.



    Also see important Admin Note from LowWaterMark


    Enjoy! :cool:
     
  17. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
    Re:IE vulnerabilities alternative defenses

    additional info on some of the exploits:

    alpha exploits reference info:

    http://www.securityfocus.com/bid/10690/discussion/

    http://www.securityfocus.com/bid/3469/discussion/

    Poll exploit reference info:

    info about exploits 1, 3, 5, 7 & 8: http://stealthtests.lockdowncorp.com

    info about exploit 2: http://privacy.net

    info about exploit 4: http://www.pcflank.com/scanner1s.htm

    info about exploit 6: https://www.wilderssecurity.com/showthread.php?t=11975;start=msg150423#msg150423

    info about exploit #9: http://www.malware.com <== malware debated commercialization of this resource, but as of 2/1/04 they decided to do the right thing and allow free access to this info and the malware exploit example.

    note from peakaboo about Exploit #9:

    Exploit #9 if you are vulnerable (IE 5.5 and below & Win9x) & it runs on your pc may cause your pc to not respond as LWM has indicated - really cool exploit flaming screen appears, use Ctrl+Alt+Del to kill the .exe which should appear multiple times

    (if you are not familiar with what I am talking about and your OS is win9x & browser is IE 5.5 or below you may want to skip this exploit and assume you are vulnerable and mark the poll as having failed at least 1 exploit)


    info about Exploit #10: http://www.eicar.org/anti_virus_test_file.htm

    purpose of exploit #10: to see if your AV catches harmless Eicar code in cache before it officially makes it on to your hard drive (Important note: eicar.org cannot be held responsible when these files or your AV scanner in combination with these files cause any damage to your computer.)

    info about Exploit #11: http://www.securityfocus.com/bid/8577/discussion/

    info about Exploit #12: http://www.securityfocus.com/bid/9013/discussion/

    info about Exploit #13: http://www.securityfocus.com/bid/9643/discussion/

    info about Exploit #14: http://www.securityfocus.com/bid/9182/discussion/

    info about Exploit #15: http://www.securityfocus.com/bid/9109/discussion/

    info about Exploit #16: http://www.securityfocus.com/bid/9108/discussion/

    info about Exploit #17: http://www.securityfocus.com/bid/9320/discussion

    info about Exploit #18: http://www.secunia.com/advisories/10395

    info about Exploit #19: http://www.securityfocus.com/bid/9021/discussion

    info about Exploit #20: http://www.securityfocus.com/bid/9329/discussion

    info about Exploit #24: http://www.finjan.com/mcrc/demos/java.cfm

    info about Exploit #25: http://www.finjan.com/mcrc/demos/activex.cfm

    info about Exploit #26: http://www.finjan.com/mcrc/demos/object.cfm

    info about Exploit #30: http://security.greymagic.com/adv/gm012-ie/
     
    Last edited: Jul 15, 2004
  18. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
    Re:IE vulnerabilities alternative defenses

    j4tr:

    I have made a switch to an alternative browser.

    Testing Opera 7.2 against the 12 IE vulnerabilities & the Browser Security test, my vote is result #4 = I defeated initial exploits and addendum 1 & 2 vulnerabilities.

    stubbed my toe on walla, but when I get a chance I'll take a look at that again.

    Firebird and other alternative browsers feel free to vote and or post your responses.

    Firebird users sure are quiet on this thread :)

    I'll be taking a look at Firebird once it gets out of beta, but I really like Opera.

    j4tr = just for the record
     
  19. libbo1

    libbo1 Registered Member

    Joined:
    May 28, 2003
    Posts:
    123
    Location:
    florida
    Re:IE vulnerabilities alternative defenses

    OK I'm the Firebird guinea pig:

    Defeated all! (including extra credits) using Guidescope proxy. :D
     
  20. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
    Re:IE vulnerabilities alternative defenses

    Hi libbo1,

    Thanks for sharing your Firebird results.

    1) If you really want to be a guinea pig try exploit #s 4, 5, 7, 9, 10, 12 and the 2 Super Ads again without Guidescope and post your results. You are under no obligation to do so of course, and this is not a challenge. Do it if you have time and only in the interest of sharing and your own intellectual curiosity.

    2) Also, if Guidescope has a log of the filters which are triggered on the super ads, I would be interested in knowing what was triggered. Your response may help facilitate debugging the proxo kicka$$ Ad pages. :)
     
  21. libbo1

    libbo1 Registered Member

    Joined:
    May 28, 2003
    Posts:
    123
    Location:
    florida
    Re:IE vulnerabilities alternative defenses

    lol u wanna me to run naked down the street! Guidescope is very good at blocking ads and popups, like about 100%. Will shed my protective armor in the interest of the test and report back. As for a filter log, it's proprietary info Guidescope doesn't share with its users!
     
  22. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
    Re:IE vulnerabilities alternative defenses

    Not exactly :)

    It may be a good exercise for you to see how Firebird does on its own in case someone figures out how to bring Guidescope down.

    I appreciate your willingness to share.
     
  23. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
    Re:IE vulnerabilities alternative defenses

    If you ever want to have some "fun", run all 30 (as of the date of this post) of the Browser Security Tests at the above referenced URL.

    I was running Opera 7.2 almost naked (proxo disabled) :) and got dinged for 1 medium risk Vulnerability out of 30, have no idea why... yet...

    Browser Security Test Results

    Dear Customer,

    The Browser Security Test is finished. Please find the results below:
    High Risk Vulnerabilities   0   
    Medium Risk Vulnerabilities   1   
    Low Risk Vulnerabilities   0

    also not sure what the point of this test was:

    Test moz91043 - begin

    but it sure was long

    LOL

    ********************************
    interesting stats on this test

    from the link:

    Want to know how everyone else is doing on Browser Test? Check our statistics.

    **********************

    have fun... :cool:
     
  24. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
    Re:IE vulnerabilities alternative defenses

    hard to draw any inferences from the above Browser Security stats, it would be nice to see a breakout of vulnerabilities by browser type...

    Firebird naked run o_O
     
  25. rerun2

    rerun2 Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    338
    Re:IE vulnerabilities alternative defenses

    Mozilla Firebird 0.7+ has currently not been tested by http://bcheck.scanit.be/bcheck/ . But I ran all 30 tests anyways. I do not use any web/content filtering apps.

    Browser Security Test Results

    Dear Customer,

    The Browser Security Test is finished. Please find the results below:
    High Risk Vulnerabilities   0
    Medium Risk Vulnerabilities   0
    Low Risk Vulnerabilities   0

    New bugs keep coming! Sign up for announcements of new tests.

    Questions about the test? Read the FAQ.

    Still having questions? Send us your feedback.

    Want to know how everyone else is doing on Browser Test? Check our statistics.
     