New security hole in IE6

Discussion in 'other security issues & news' started by JacK, May 17, 2003.

Thread Status:
Not open for further replies.
  1. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Hello,

    I was just informed about this exploit with high potential, called "zones flooding", which works perfectly reliably and
    doesn't need any scripting or Active-X. Check out these bugtraq postings:

    http://cert.uni-stuttgart.de/archive/bugtraq/2003/05/msg00157.html
    http://cert.uni-stuttgart.de/archive/bugtraq/2003/05/msg00178.html

    The second one has a URL to a fully working exploit page for XP. It will eventually (depends on the speed of your PC) grab your video ram with a well-known NT VGA exploit. [If it's based on the old proof-of-concept by Robert Schlabbach (RASPPPoE) it should give control back after a minute or so (right)]
    This clearly shows the potential to inject any code of your choice and run it within the user's permissions.
    The given workarounds are to strip execution permissions for that folder (which isn't easily done because it doesn't have a Security tab); that works in stopping the code execution but also prohibits any further file downloads or viewing the Temporary Internet Files folder, though simple browsing still works. The other workaround is to enforce a Software Restriction Policy for that folder, which seems to be the better choice, but I have only a vague idea how to achieve this.

    Cheers,
     
  2. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Nice catch, Jack.

    Posted it to DSL Security forum.

    Tried it here and it did an outstanding job of throwing up multiple d/l request windows and then shutting down the browser.

    We probably all need simple instructions on how to "change NTFS permission not to
    allow run executable code _or_ create path rule in Software Restriction
    Policy that prohibits programs from run from temporary internet files." ! Pete
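As an added example, not code from this thread or from Microsoft, here is the second of the two workarounds spy1 asks about, a Software Restriction Policy path rule, built in Python. The registry layout (CodeIdentifiers\<level>\Paths\{GUID} with ItemData, SaferFlags and Description) is what gpedit.msc writes for a path rule; applying it assumes Windows XP Professional with SRP already created once in gpedit.msc and administrator rights, and the %USERPROFILE%\Local Settings\Temporary Internet Files path assumes the default XP profile layout. The effective_level function reproduces how SRP chooses among overlapping path rules (the most specific matching path wins, otherwise DefaultLevel applies), so the rule can be reasoned about offline before anything is written to the registry.

```python
"""Added example, not code from the thread: build (and, on Windows, apply)
a Software Restriction Policy path rule that disallows running anything
from the Temporary Internet Files folder, and reproduce how SRP picks the
rule that applies to a given executable."""
import sys
import uuid

# Where SRP keeps its rules; each security level has its own Paths subkey.
SAFER_ROOT = r"SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
DISALLOWED = 0            # rule level 0: Disallowed
UNRESTRICTED = 0x40000    # rule level 262144: Unrestricted (usual DefaultLevel)

# Assumption: default XP profile layout. %USERPROFILE% keeps one rule valid
# for every account instead of hard-coding one user's path.
TIF_PATH = r"%USERPROFILE%\Local Settings\Temporary Internet Files"


def build_srp_path_rule(path, level=DISALLOWED, description=""):
    """Return (registry subkey under HKLM, values) for one SRP path rule.
    gpedit stores exactly these values: ItemData (REG_EXPAND_SZ path
    pattern), SaferFlags (REG_DWORD, 0 for path rules), Description."""
    rule_id = "{%s}" % str(uuid.uuid4()).upper()
    subkey = "%s\\%d\\Paths\\%s" % (SAFER_ROOT, level, rule_id)
    values = {"ItemData": path, "SaferFlags": 0, "Description": description}
    return subkey, values


def _normalise(path, env):
    """Expand %VAR% placeholders from env, lower-case and strip a trailing
    backslash, so prefix comparison behaves like SRP's case-insensitive
    path matching."""
    for name, value in env.items():
        path = path.replace("%%%s%%" % name, value)
    return path.lower().rstrip("\\")


def effective_level(rules, exe_path, env, default_level=UNRESTRICTED):
    """Decide which level applies to exe_path: the most specific (longest)
    matching path rule wins, as in SRP; with no match, DefaultLevel applies.
    rules is a list of (path_pattern, level)."""
    target = _normalise(exe_path, env)
    best = None
    for pattern, level in rules:
        prefix = _normalise(pattern, env)
        if target == prefix or target.startswith(prefix + "\\"):
            if best is None or len(prefix) > len(best[0]):
                best = (prefix, level)
    return default_level if best is None else best[1]


def apply_rule(subkey, values):
    """Write the rule to HKLM. Windows only, needs administrator rights,
    and assumes SRP was created once in gpedit.msc so that DefaultLevel
    and the other CodeIdentifiers values already exist."""
    import winreg  # only importable on Windows
    with winreg.CreateKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
        winreg.SetValueEx(key, "ItemData", 0, winreg.REG_EXPAND_SZ, values["ItemData"])
        winreg.SetValueEx(key, "SaferFlags", 0, winreg.REG_DWORD, values["SaferFlags"])
        winreg.SetValueEx(key, "Description", 0, winreg.REG_SZ, values["Description"])


if __name__ == "__main__":
    subkey, values = build_srp_path_rule(TIF_PATH, description="No execution from IE cache")
    env = {"USERPROFILE": r"C:\Documents and Settings\jack"}   # constructed account
    rules = [(TIF_PATH, DISALLOWED)]
    # constructed cache path; Content.IE5 subfolder names are random on a real box
    cached_exe = r"C:\Documents and Settings\jack\Local Settings\Temporary Internet Files\Content.IE5\ABCD1234\flames[1].exe"
    print(subkey, values)
    print("level for cached exe:", effective_level(rules, cached_exe, env))  # 0 = Disallowed
    if sys.platform == "win32":
        apply_rule(subkey, values)
```

A rule written this way takes effect after the next policy refresh or logon, and it only stops execution from that folder; a file the user copies out of the cache and double-clicks is not covered, which is why the first workaround (denying execute on the folder) and this one address the same narrow path rather than the download itself.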
     
  3. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
  4. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Nite spy 1

    Excellent even if not perfect.

    BTW I posted on the same thread a tip to install the security tab on WinXP Home.

    tnx,
     
  5. Douglas

    Douglas Guest

    This exploit worked perfectly on my Windows98SE.
    Many, many browser windows, and then the .exe (if the .exe was an animated picture of flames). After that, my whole computer froze.
    "Check for signatures on downloaded programs" is checked in my Internet Options, so that fix (from DSLR) doesn't seem to work on Win98.

    Regards,
    Douglas
     
  6. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
    Anyone know if the exploit mentioned by Jack above is the same as the one discussed here:

    http://www.securityfocus.com/archive/1/321662/2003-05-13/2003-05-19/0

    if it is the same exploit, there appear to be some solutions discussed here (includes 2 proxo solutions also):

    http://asp.flaaten.dk/proxo/topic.asp?TOPIC_ID=1012

    The exploit sounds similar (flooding IE 6) but the test references are different. If it is the same exploit, will the solutions mentioned at asp.flaaten work against the tests at:

    http://cert.uni-stuttgart.de/archive/bugtraq/2003/05/msg00157.html

    http://cert.uni-stuttgart.de/archive/bugtraq/2003/05/msg00178.html


    :eek:
     
  7. Douglas

    Douglas Guest

    Hi peakaboo,

    Yes, it's the same.
    Good catch, and thanks.

    Regards,
    Douglas
     
  8. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
    Hi Douglas,

    Thanks for confirming it's the same exploit.

    For those trying the proxo solution, unless you are using proxo 4.5 beta suggest you go with Hpguru's Iframe killer.

    Hp's solution worked for me, defeated the malware test without a problem.

    I tried JD's

    "Block: Forced iFrame Content {4.ie.ex} - Prox 4.5"

    but since I'm not using the 4.5 beta it did not work - I like JD's solution and will keep it in the arsenal when the new proxo 4.5 is released to the public.

    I'll look into the other suggestions if I get a chance just for grins. :D

    update: re proxo solutions - JD's solution to kill the page after 5 iframes IMO seems like a better solution (definitely will check out JD's filter after 4.5 proxo comes out).

    Using HP's filter it has to kill 1999 iframes before defeating the malware test (goes pretty quick, but imagine if the exploit had 10,000 iframes or more).


    not a pretty thought :eek:
     
  9. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
    Just dld the new release Proxo 4.5 (thanks for the update notice CrazyM, also big thanks to SRL for proxo)

    Tried JD's filter against the malware.com exploit and it worked beautifully.

    when I ran the exploit, proxo gives a warning of the exploit, 5 dl windows later (cancel these) and the page is killed and so is the exploit!

    nice job JD

    here is the filter again (remember it only works with the new proxo 4.5):


    [Patterns]
    Name = "Block: Forced iFrame Content {4.ie.ex} - Prox 4.5"
    Active = FALSE
    URL = "$TYPE(htm)"
    Bounds = "<iframe*>(*</iframe>|)"
    Limit = 1000
    Match = "<iframe*src=$AV(*)*$SET(iframe=$GET(iframe)1)&$TST(iframe=111111)"
    Replace = "\k$ALERT(Possible Iframe Exploit Blocked!)$SET(iframe=)"

    note if you run proxo 4.4 or lower use HpGuru's filter referenced in a previous post.
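The filter above keeps a counter that gains one "1" per matched iframe and kills the page once it reads six ones, so five iframes get through and the sixth triggers \k and $ALERT. The following is an added example, not code from the thread, from JD or from Proxomitron: the same counting logic in Python over a fetched page, also serving peakaboo's earlier comparison of the five-iframe cut-off with a filter that has to strip every one of 1999 frames. The flooding page used to exercise it is constructed here (2000 iframes pointing at a placeholder download), and ALERT_HTML is a constructed stand-in for the popup.

```python
"""Added example, not code from the thread or from Proxomitron: the same
iframe-counting idea as JD's filter, applied to a page in Python. Iframes
with a src are counted; when the count reaches the limit the page is cut
off there and an alert is appended, which is the effect of \\k plus
$ALERT in the filter."""
from html.parser import HTMLParser

# Replaces the rest of the page once the limit is hit (constructed text).
ALERT_HTML = "<p><b>Possible Iframe Exploit Blocked!</b></p></body></html>"


class IframeCounter(HTMLParser):
    """Count <iframe ... src=...> tags and remember where to cut the page."""

    def __init__(self, limit=None):
        super().__init__()
        self.limit = limit        # None means count only, never cut
        self.count = 0
        self.cut_at = None        # character index of the offending tag
        self.line_starts = [0]

    def feed(self, data):
        # Record where each line starts so getpos(), which is line/column
        # based, can be turned into an absolute index into the page.
        pos = 0
        for line in data.split("\n"):
            pos += len(line) + 1
            self.line_starts.append(pos)
        super().feed(data)

    def handle_starttag(self, tag, attrs):
        if self.cut_at is not None:
            return
        # HTMLParser lower-cases names, so <IFRAME SRC=...> counts too;
        # an iframe without src is ignored, as in the filter's src=$AV(*).
        if tag == "iframe" and any(name == "src" and value for name, value in attrs):
            self.count += 1
            if self.limit is not None and self.count >= self.limit:
                line, col = self.getpos()
                self.cut_at = self.line_starts[line - 1] + col


def count_iframes(html):
    """Number of iframes with a src attribute in the page."""
    parser = IframeCounter()
    parser.feed(html)
    parser.close()
    return parser.count


def filter_page(html, limit=6):
    """Return (page, blocked). With limit=6 the first five iframes pass and
    the sixth kills the page, matching the filter's six-ones counter."""
    parser = IframeCounter(limit)
    parser.feed(html)
    parser.close()
    if parser.cut_at is None:
        return html, False
    return html[:parser.cut_at] + ALERT_HTML, True


def flood_page(n, target="dl.exe"):
    """Constructed stand-in for a flooding page: n iframes, each pointing
    at a download. Used only to exercise the filter."""
    frames = "".join('<iframe src="%s?%d"></iframe>\n' % (target, i) for i in range(n))
    return "<html><body>\n%s</body></html>\n" % frames


if __name__ == "__main__":
    benign = '<html><body><iframe src="a.html"></iframe><iframe></iframe></body></html>'
    print(filter_page(benign)[1])        # False: only one iframe with src
    page, blocked = filter_page(flood_page(2000))
    print(blocked, count_iframes(page))  # True 5
```

The cut-off approach is cheap because the parser stops counting after the limit instead of rewriting every remaining frame, so a page with 10,000 iframes costs no more than one with six. The limit is a trade-off rather than a fix: the first five frames still reach the browser, so a page that needs only one or two iframes to trigger a download is not stopped by this counter, and the real remedy is the execution restriction on the cache folder discussed earlier in the thread.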
     