Browser exploit tests & alternative defenses

Discussion in 'polls' started by peakaboo, Aug 2, 2003.


See detailed question below; fill in your results here:

  1. I failed 1 or more of the initial exploits: 2 vote(s), 22.2%
  2. I defeated all 4 exploits listed with the initial poll posted on 8/1/2003: 3 vote(s), 33.3%
  3. I defeated initial exploits and addendum 1 vulnerabilities: 0 vote(s), 0.0%
  4. I defeated initial exploits and addendum 1 & 2 vulnerabilities: 0 vote(s), 0.0%
  5. I defeated initial exploits and addendum 1 thru 3 vulnerabilities: 0 vote(s), 0.0%
  6. I defeated initial exploits and addendum 1 thru 4 vulnerabilities: 0 vote(s), 0.0%
  7. I defeated initial exploits and addendum 1 thru 5 vulnerabilities: 0 vote(s), 0.0%
  8. I defeated initial exploits and addendum 1 thru 6 vulnerabilities: 4 vote(s), 44.4%
Thread Status:
Not open for further replies.
  1. Kye-U

    Kye-U Security Expert

    Joined:
    Jun 11, 2004
    Posts:
    481
  2. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
    Re: Browser exploit tests & alternative defenses

    Thanks Kye.

    Not sure what to make of this "news" due to the lack of cross confirmation, but I am familiar with the source poster Paul so I'm taking this as fact.

    http://www.computercops.biz/article-5228-nested-0-0.html

    Sad.

    I knew of Scott only via his freeware Proxomitron and a couple of direct posts. He was a good guy. His product was exceptional. He touched many.

    RIP SRL (your greatness lives on through Proxomitron and the many lives you have touched and made better)
     
  3. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Re: Browser exploit tests & alternative defenses

    Is this thread discussed in great detail anywhere on Wilders?

    As in Cause, Effect and most importantly SOLUTION of every exploit (1 to 4, and 1 to 30).

    Cheers :D
     
  4. Kye-U

    Kye-U Security Expert

    Joined:
    Jun 11, 2004
    Posts:
    481
    Re: Browser exploit tests & alternative defenses

    Peakaboo, updated once again.

    Last Updated: July 17, 2004 - 3:40 PM EST

    http://www.kye-u.com/proxo/forums/index.php?showtopic=131&st=0#

    -Added descriptions to all of my filters

    -Modified (Hide ClipBoard Contents [Kye-U])
    --Made it also match another function

    -Renamed (IE: Restricted Cookie Exploit [Kye-U])
    --Changed to (Restricted Cookie Bypass Exploit [Kye-U]) as it applies to multiple browsers
     
  5. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
    Re: Browser exploit tests & alternative defenses

    Kye, thanks for the update. I downloaded it about 35 min ago. Nice touch adding descriptions.

    Is this filter set compatible with multiple versions of Proxo?

    I'm getting a significant slow down after merge (hope I did it right - merged only web & header filters with my own custom blend and saved as separate filter). I am working my way through the filters keeping those which are not duplicates of filters I already have function wise & those relevant to my specific Browser or OS type to find the culprit for the drag.
     
  6. Kye-U

    Kye-U Security Expert

    Joined:
    Jun 11, 2004
    Posts:
    481
    Re: Browser exploit tests & alternative defenses

    I'm trying to find the filter(s) that are causing the slow down.

    Maybe it's the sheer amount of filters...

    Maybe I should merge certain filters together? :D
     
  7. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
    Re: Browser exploit tests & alternative defenses

    Blackspear,

    To answer your question in a global sense, part of the essence and raison d'être of Wilders Security is also the solution for many of the exploits.

    Try a search on threads or posts for either:

    alternative browsers or layered defense

    and you will pull up volumes.


    some helpful links:

    https://www.wilderssecurity.com/showthread.php?t=41013

    https://www.wilderssecurity.com/showthread.php?t=5367&page=1&pp=25

    https://www.wilderssecurity.com/showthread.php?t=41603

    https://www.wilderssecurity.com/showthread.php?t=41074

    LWM and many others say your best defense is between your ears.

    To answer your question specifically, whether there are threads here which address this thread, I would say the answer is no, because this thread addresses the real issue; see:

    posts in this thread 3, 15, 17, 32 & 33, 38, 46 and Kye's work re: security filter pack for Proxomitron.
     
  8. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Re: Browser exploit tests & alternative defenses

    Thanks for your reply Peakaboo.

    The basic answer seems to be to use an alternative browser such as Opera.

    What about Firefox or Mozilla?

    As well as use Proxomitron - I have downloaded and installed this.

    and Kye U's filters - I am having trouble installing these filters, as in no idea how to :(

    Cheers :D
     
    Last edited: Jul 17, 2004
  9. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
    Re: Browser exploit tests & alternative defenses

    Blackspear,

    You probably have a good handle on this, but for those who may run across this discussion:

    1) alternate browser & email client is part of the answer

    2) surfing & email habits is part of the answer (between the ears common sense)

    3) email previewer like mail washer or frontgate

    4) Mozilla is good (watch the Firefox beta, a very promising speedster); it should be coming out of beta soon. Until it does, let others be the guinea pigs.

    5) Proxomitron has a learning curve and until you get the hang of it, you may want to stick with default configs which come with Proxo or try sidki, alto sax, or jd5000 configs. When you get the hang of it custom fit your own config for speed.

    implement Kye's work as he refines his great WIP

    6) re: layered defense, call up that post I referenced; pay particular attention to

    + firewall
    + Browser
    + AV
    + Process Guard (free & use unlimited MD5 for app control)
    + Application sandbox - like AB or SSM or even the MD5 of Process Guard
    + Spyware killer - SS&D
    + Proxo - ad, js, js script, Iframe, referrer, cookie out, etc., killer and all around great http html filter.
     
  10. Kye-U

    Kye-U Security Expert

    Joined:
    Jun 11, 2004
    Posts:
    481
  11. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Re: Browser exploit tests & alternative defenses

    Many, many thanks Peakaboo, GREAT reply, that is what I was looking for.

    I already do most (now all) of #6.

    I started to do some of the exploits to find I was very deep in a quagmire and with each step finding myself bogged even further. I was wondering if there were multiple programs required to fix these or there was something simpler, and indeed there is.

    When I first tried, I had 50+ web pages opening, even with grouping I wasn't able to stop this, a hard power off was the only option, Control+Alt+Delete did not work. I then installed Proxomitron and tried again, this time only a second webpage opened with rapid-fire clicks going on, 2 r/clicks later and I was able to close the group.

    My second try found a full screen of blue, holding the escape key down I was able to see the task bar and r/click and close the group... At this point I realised I was out of my depth, and hence the question...

    Again, many thanks for your reply. I'm going to try Firefox, and both ask and play around with Proxomitron.

    Cheers :D
     
  12. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
  13. Kye-U

    Kye-U Security Expert

    Joined:
    Jun 11, 2004
    Posts:
    481
    Re: Browser exploit tests & alternative defenses

    No problem Blackspear. I found Proxomitron confusing when I first installed it, and I had to get JD5000's filter set and analyze it, and found that it was pretty easy. The most important thing that I found was to get the Bytes Limit big enough to match real-life situations, or the amount of coding you're trying to match.

    The other thing was the URL. Most of the time you should put "(www.|)yahoo.com/".

    The (www.|) part means that it'll look if there's www., OR (the "|") nothing (the nothing before the closing bracket).

    You'll get the hang of it in about 2 weeks if you read up a lot and learn the functions of the symbols... \0-\9, \w, \k, $ALERT(), etc. The Headers section is a bit more complicated, and that's where I'm still a newbie. :blink:

    BTW:

    Pack Last Updated: July 18, 2004 - 12:33 AM EST

    http://www.kye-u.com/proxo/forums/index.ph...topic=131&st=0#

    -Removed (IE: Meta Tag Exploit [Kye-U])
    --Overlapped (IE: window.createPopup [Kye-U])

    -Modified (Opera: URI Handling Exploit [Kye-U])
    --Added (%2F) to match

    -Modified (Opera: Malformed Server Name Exploit [Kye-U])
    --Changed (%) to [%] on Advice
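    Kye-U's explanation of "(www.|)yahoo.com/" above describes Proxomitron's alternation syntax. The block below is an added example written for this page; it is not code from the thread or from Proxomitron itself. It translates a small, assumed subset of the URL-match syntax (*, ?, (a|b|) alternation including an empty alternative, [...] classes and backslash escapes) into a Python regular expression and runs it against constructed sample URLs. It further assumes that Proxomitron tests the URL match against the URL with the "http://" prefix removed, anchored at the start but only required to match a prefix, and compares case-insensitively.

```python
import re


def proxo_url_match_to_regex(pattern: str) -> str:
    """Translate a subset of Proxomitron URL-match syntax into a Python regex.

    Supported subset (assumed; the real matcher has more operators):
      *        any run of characters, including none
      ?        exactly one character
      (a|b|)   alternatives; an empty alternative matches nothing, which is
               why "(www.|)yahoo.com/" covers both www.yahoo.com/ and yahoo.com/
      [...]    a character class, passed through unchanged
      \\x      the literal character x
    Everything else matches literally.
    """
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):      # escaped literal
            out.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        if c == "[":                                  # character class
            j = pattern.find("]", i + 1)
            if j == -1:
                raise ValueError("unterminated [ ] class in %r" % pattern)
            out.append(pattern[i:j + 1])
            i = j + 1
            continue
        if c == "*":
            out.append(".*")
        elif c == "?":
            out.append(".")
        elif c in "(|)":                              # alternation passes straight through
            out.append(c)
        else:
            out.append(re.escape(c))
        i += 1
    # Assumption: the URL match is anchored at the start of the URL and only
    # needs to match a prefix of it, so there is no trailing anchor.
    return "^(?:" + "".join(out) + ")"


def url_matches(pattern: str, url: str) -> bool:
    """Apply a Proxomitron-style URL match to a full URL.

    Assumptions: the scheme ("http://") is stripped before matching and the
    comparison is case-insensitive.
    """
    target = re.sub(r"^https?://", "", url, flags=re.I)
    return re.match(proxo_url_match_to_regex(pattern), target, flags=re.I) is not None


# Constructed sample URLs (not from the thread) with the expected outcome.
SAMPLES = [
    ("(www.|)yahoo.com/", "http://www.yahoo.com/",          True),
    ("(www.|)yahoo.com/", "http://yahoo.com/mail",          True),   # empty alternative
    ("(www.|)yahoo.com/", "http://news.yahoo.com/",         False),  # "news." is neither "www." nor nothing
    ("*yahoo.com/",       "http://news.yahoo.com/",         True),   # leading * covers any host prefix
    ("(www.|)yahoo.com/", "http://yahoo.com.evil.example/", False),  # trailing "/" pins the host...
    ("(www.|)yahoo.com",  "http://yahoo.com.evil.example/", True),   # ...without it a look-alike host matches
    ("(www.|)yahoo.com/", "HTTP://WWW.YAHOO.COM/",          True),   # case-insensitive
]


def run_samples():
    """Return (pattern, url, got, expected) for every sample."""
    return [(p, u, url_matches(p, u), want) for p, u, want in SAMPLES]


if __name__ == "__main__":
    for p, u, got, want in run_samples():
        print("%-4s %-20s %s" % ("ok" if got == want else "FAIL", p, u))
```

    The look-alike-host rows are the practical point: because the match only has to cover a prefix, the trailing "/" in "(www.|)yahoo.com/" is what stops "yahoo.com.evil.example/" from matching, so a URL match written for one site should always end at the first path separator.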
     
  14. Kye-U

    Kye-U Security Expert

    Joined:
    Jun 11, 2004
    Posts:
    481
  15. Kye-U

    Kye-U Security Expert

    Joined:
    Jun 11, 2004
    Posts:
    481
  16. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
    Re: Browser exploit tests & alternative defenses

    Hi Kye,

    I downloaded 4.07. Good job!

    If I can offer you some feed back:

    1) I like the info you provide on the filters such as the url to view more info.

    My suggestion here is if you have the following info include it:

    add "latest version vulnerable"

    example for filter: Opera: Permanent Denial Of Service Exploit [Kye-U] the info you have is:

    A known exploit in older versions of Opera. An excessively long "news:" URL could crash Opera.

    http://www.securityfocus.com/bid/7430/info/

    What would help me is if I saw right up front something like

    latest version vulnerable 7.11 An excessively long "news:" URL could crash Opera.

    http://www.securityfocus.com/bid/7430/info/

    Luckily with the security focus site, the latest version vulnerable info is available I think under the info tab

    2) I'm not sure if I got a false positive on the following filter when I entered this thread, but the filter sure matched:

    Match 689: Opera: URI Handling Exploit [Kye-U]

    3) Seems like the following filter may have been causing my slow down. When I unchecked it my slow down virtually disappeared. I'll continue to test to verify:

    Opera: Malformed Server Name Exploit [Kye-U]

    _______________________________


    Good job on the following:

    I went to Opera: Address Bar Spoofing Exploit [Kye-U] filter

    and surfed to the link referenced and tried the exploit which is supposed to work on Opera 7.52 and possibly older versions, and your filter worked perfectly.

    Match 783: Opera: Address Bar Spoofing Exploit [Kye-U]

    good job Kye!

    I need to go back and see if I get owned without your filter ;)

    If you would prefer this feedback either on your site or via email just PM me.
     
  17. Kye-U

    Kye-U Security Expert

    Joined:
    Jun 11, 2004
    Posts:
    481
    Re: Browser exploit tests & alternative defenses

    Thanks for your input! Version 4.08 is out. But unluckily, I didn't look at your post when I released it. :blink:

    1) I will for sure look into including the versions that are vulnerable in each description in version 4.09.

    2) Your first post includes the Opera exploit:

    opera:/help/..%5c..%5c..%5cwinnt/notepad.exe

    That's why ;)

    3) I will look into that filter and try to fix it somehow.

    Thank you! ;)
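    Kye-U's point above is that the "Opera: URI Handling Exploit" filter fired on this thread because the traversal string opera:/help/..%5c..%5c..%5cwinnt/notepad.exe is quoted in the first post, and the 4.08 change added %2F to the match. The block below is an added example written for this page, not Kye-U's filter or code from the thread. It normalises percent-encoding (so %5c, %5C, %2F and double-encoded %255c all collapse to a real separator), flags opera: URIs containing a ".." path segment, and then runs that check two ways over two constructed HTML snippets: one where the URI is an actual hyperlink and one where it only appears as text in a forum post. The page-wide scan hits both (the false positive described above); the attribute-scoped scan hits only the link.

```python
import re
from urllib.parse import unquote

# Constructed sample documents (not from the thread). The same traversal URI
# appears once as a real hyperlink and once as plain text quoted in a post.
LINK_PAGE = ('<html><body><a href="opera:/help/..%5c..%5c..%5cwinnt/notepad.exe">'
             'help</a></body></html>')
FORUM_PAGE = ('<html><body><div class="post">Exploit 27: '
              'opera:/help/..%5c..%5c..%5cwinnt/notepad.exe '
              '(quoted from the test list)</div></body></html>')

# A ".." segment delimited by "/" or "\" (or the ends of the string).
TRAVERSAL = re.compile(r'(^|[\\/])\.\.([\\/]|$)')
# Any opera: URI-looking token anywhere in the page text.
OPERA_URI = re.compile(r'opera:[^\s"\'<>]+', re.I)
# Only opera: URIs sitting in an href= or src= attribute.
ATTR_URI = re.compile(r'(?:href|src)\s*=\s*["\']?(opera:[^"\'\s>]+)', re.I)


def normalize(uri: str) -> str:
    """Percent-decode until the string stops changing (bounded), then fold case.

    This is what makes %5c, %5C, %2F and %255c all look like a separator to
    the traversal check instead of needing one filter alternative per spelling.
    """
    prev, cur = None, uri
    for _ in range(5):            # bound the loop; real input decodes in 1-2 rounds
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur.lower()


def is_opera_traversal(uri: str) -> bool:
    """True for an opera: URI whose decoded path contains a '..' segment."""
    n = normalize(uri)
    return n.startswith("opera:") and TRAVERSAL.search(n) is not None


def body_wide_hits(html: str):
    """Flag the URI wherever it occurs in the page text (noisy)."""
    return [u for u in OPERA_URI.findall(html) if is_opera_traversal(u)]


def attribute_hits(html: str):
    """Flag the URI only where the browser would actually follow it."""
    return [u for u in ATTR_URI.findall(html) if is_opera_traversal(u)]


if __name__ == "__main__":
    for name, page in (("link page", LINK_PAGE), ("forum page", FORUM_PAGE)):
        print(name, "body-wide:", len(body_wide_hits(page)),
              "attribute-scoped:", len(attribute_hits(page)))
```

    Scoping the match to href/src attributes removes the forum-quote false positive but also misses a URI assigned from script (for example via location=), so a filter author is choosing between noise and coverage; the thread does not say which trade-off Kye-U's filter makes.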
     
  18. Kye-U

    Kye-U Security Expert

    Joined:
    Jun 11, 2004
    Posts:
    481
    Re: Browser exploit tests & alternative defenses

    Version 4.09 is now out.

    http://www.kye-u.com/proxo/forums/index.php?showtopic=131&st=0#

    -Added Version(s) Vulnerable in Descriptions

    -Modified most of the filters' URL Match $TYPE() information to possibly decrease CPU load

    -Modified (Opera: Malformed Server Name Exploit [Kye-U])
    --Made the match a little more detailed

    -Renamed (Mozilla: 0-Width GIF Exploit [Kye-U]) to (0-Width GIF Exploit [Kye-U])
    --Applied to multiple browsers

    -Renamed (Mozilla: Javascript Exploit [Kye-U]) to (Javascript Location Exploit [Kye-U])
    --Applied to multiple browsers
     
  19. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
    Re: Browser exploit tests & alternative defenses

    Very Nice job Kye,

    I like the addition of the readme text file providing instructions which even a newbie should be able to follow on merge, the reason for your filter set, what's new, getting help etc.

    I'm glad you were able to add my suggestion of adding the latest version vulnerable info. It helps those sifting through the filters to determine which filters they need and which they can do without.

    Preliminary testing indicates much improved speed. I'll take a look later since right now I have a number of apps running.

    Very impressive and professional.

    Congrats. ;)

    Ignore the whiners who add nothing to the process. As you know SRL (may he RIP) and many others ran/run into these types quite often.

    Nothing wrong with constructive suggestions offered in the spirit of building and improving. Keep up the great work!
     
  20. Kye-U

    Kye-U Security Expert

    Joined:
    Jun 11, 2004
    Posts:
    481
    Re: Browser exploit tests & alternative defenses

    Version 4.10

    Last Updated: July 19, 2004 - 11:18 PM EST

    http://www.kye-u.com/proxo/forums/index.php?showtopic=131&st=0#

    -Disabled uncommon/old exploits, in order to lower CPU usage

    -Modified (IE: Local Zone Access Exploit [Kye-U])
    --Fixed (), [] issue
    --Fixed False Positive

    -Removed (Javascript Location Exploit [Kye-U])
    --Overlapped with (View-Source Exploit [Kye-U])
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Re: Browser exploit tests & alternative defenses

    But where are the latest exploits on this test page? I use IE 5.01 and I would like to know if all the exploits on Secunia are covered on this page. (http://secunia.com/product/9/)

    I passed all but 2 tests with Maxthon (an IE shell) with Active Scripting enabled and ActiveX disabled. Only exploit 9 (computer ran out of resources) and exploit 27 (notepad popup) gave me trouble. And exploit 2 (privacy test) showed quite a lot of information about my system, but this can be prevented with referrer blocking I think.

    So I would like to see a demo of download.ject and the other latest high risk threats. And btw, with the Browser Security Test I only get 1 low risk vulnerability, so it seems like I'm pretty safe, but I'm not sure of course. Any feedback will be appreciated. Oh, and I'm also not running a realtime virus scanner or sandbox, just a firewall (ZA Pro).
     
  22. Kye-U

    Kye-U Security Expert

    Joined:
    Jun 11, 2004
    Posts:
    481
    Re: Browser exploit tests & alternative defenses

    Peakaboo, version 4.12 is now out. It significantly reduces the CPU load.

    Version 4.12

    http://www.kye-u.com/proxo/forums/index.php?showtopic=131&st=0#

    Last Updated: July 20, 2004 - 6:35 PM EST

    -Dramatically fixed CPU issue

    -Added (URL-Killer: Disable Script URL Exploits [Scott L.] (Out))

    -Added (IE: Javascript location.assign Exploit [Kye-U])
    http://www.securityfocus.com/bid/10689/info/

    -Removed (Cross-Domain Policy Exploit [Kye-U])

    -Removed (window.MoveBy [Kye-U])

    -Removed (IE: Cross Site Exploit [Kye-U])

    -Removed (IE: Javascript Invalid "For" Exploit [Kye-U])

    -Removed (IE: Non-FQDN URI Exploit [Kye-U])

    -Removed (IE: window.createPopup [Kye-U])
     
  23. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
    Re: Browser exploit tests & alternative defenses

    Kye,

    Thanks for the update. Glad you got that CPU issue resolved.

    If you are looking to delete more filters, maybe consider only including filters above your "designated base" filter set. You might select your favorite secure filter set say from sidki or whomever.

    Simply add filters to your set which add incremental value or a better way (faster more efficient etc).

    Example if you have multiple exploits which have as their method of delivery iframe and your "designated base" filter set has an iframe killer filter then maybe there is no need to have another filter which deals with iframe. Same for Js type delivery exploits etc

    I'm sure you are doing something like this anyway. Just a thought.

    Keep up the good work. :cool:
     
  24. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
    Re: Browser exploit tests & alternative defenses

    Rasheed,

    The 30 exploits + browser exploit test designated for the poll are static at this point. New exploits will be added as they come along as Alpha exploits A-Z.

    If you have a link to an exploit you want to see PM or post a link and I'll add as an Alpha exploit, the next time I do an update to post #1.

    The reason I have a base set of tests is for consistency, and to provide a base level of issue exploits which if you get by the base exploits you can have a modicum of confidence that you are on the right track security wise. Admittedly the base will become old but hopefully it will still be relevant going forward as a base measure.

    If you need some help getting over 2, 9, & 27 holla ;)

    Also I presume you had no problem with the Alpha exploits since you did not mention.
     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Re: Browser exploit tests & alternative defenses

    Hi Peakaboo,

    I also didn't have any problem with the alpha exploits. I have to say that I also didn't use proxy software like Proxo but I did have my (quite powerful) popupblocker enabled.

    But I would like to see demos of all the exploits on Secunia's page. I also read yesterday on a page that IE 5.01 isn't vulnerable to download.ject; does anyone know if this is true? And about 2, 9 and 27, PM me about it please. I don't consider them to be high risk, but any info is always welcome. ;)
     