Will wonders never... this be THE Beast, methinks

Discussion in 'other security issues & news' started by Galcoolest, Nov 13, 2004.

Thread Status:
Not open for further replies.
  1. Galcoolest

    Galcoolest Registered Member

    Joined:
    Jun 18, 2004
    Posts:
    229
    Location:
    San Francisco
    Okay, so I skip town for a couple of days recently, and somehow overlook / miss this vital information, and remain clueless about it because "the vendor" has no patch for it (about which I would have been notified by update settings).

    Nope, there's just a directive to avoid drag and drop in IE, et al. (see below), and I never hear of any of it, or run into the info, until(?)- UNTIL JUST NOW, FRIGGIN A!!!!! HEEELLLLOOOOO? Whose fault is that? DUH. My head is in hands, or buried in sand, or being slipped into a noose.....

    And then a bunch of crazy stuff happens right after I install SP2 around that very time. While too tired to detail each way in which the following article almost perfectly describes what seems to have happened to me, suffice it to say one of the craziest problems I initially had was with drag and drop and right clicking -- the functions just fried and started behaving as if they had minds of their own. To the point that the dysfunction with them precipitated one of my many wipes/reinstalls (and never healed notwithstanding......)

    Yep, the whole deal discussed here- losing control of the system, strange files showing up, etc. DANG!!! I'm 98% sure this publication has revealed my heretofore elusive Beast so many of you are totally sick of hearing about - from whence he came and so on and so on.

    So I choose to settle on this solution/explanation of what was terrorizing me. It's too right on to be anything less. Sigh....

    I sure wish one could go beach it for a few and not have to IMMEDIATELY, ABSOLUTELY review EVERYTHING that went down in your absence or risk a total meltdown of your machine.

    To me it's a welcomed conclusion though, because obviously I wasn't diggin, digging, digging ENOUGH for an answer, and the frustration that ensued was my own lack of adequate surveillance of the available information.... Grrrrrrr. Welcomed for its apparently much needed lessons!!! Once bitten.....

    From Secunia, 11-02-04

    Description:
    http-equiv has discovered two vulnerabilities in Internet Explorer, which can be exploited by malicious people to compromise a user's system, link to local resources, conduct cross-site scripting and bypass a security feature in Microsoft Windows XP SP2.

    1) Insufficient validation of drag and drop events from the "Internet" zone to local resources for valid images or media files with embedded HTML code. This can be exploited by e.g. a malicious web site to plant arbitrary HTML documents on a user's system, which may allow execution of arbitrary script code in the "Local Computer" zone.

    This vulnerability is a variant of:
    SA12321

    NOTE: Microsoft Windows XP SP2 does not allow Active Scripting in the "Local Computer" zone.

    2) A security site / zone restriction error, where an embedded HTML Help control on e.g. a malicious web site references a specially crafted index (.hhk) file, can execute local HTML documents or inject arbitrary script code in the context of a previously loaded document using a malicious javascript URI handler.

    Successful exploitation may allow execution of arbitrary HTML and script code in a user's browser session in the context of arbitrary sites, or execution of local programs with parameters from the "Local Computer" zone using an HTML Help shortcut.

    NOTE: This will also bypass the "Local Computer" zone lockdown security feature in SP2.

    The two vulnerabilities in combination with an inappropriate behaviour where the ActiveX Data Object (ADO) model can write arbitrary files can be exploited to compromise a user's system. This has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2.

    Solution:
    1) The vendor recommends that the "Drag and drop or copy and paste files" option is disabled.
    2) Set security level to high for the "Internet" zone.
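An added audit script for the two settings named in the Solution above; it is not part of the thread or of Secunia's advisory. It assumes the standard per-user IE zone registry layout (zone 3 is the "Internet" zone, action value "1802" is "Drag and drop or copy and paste files", and a CurrentLevel of 0x12000 is "High"); the function and variable names are the author's own.

```powershell
# Added example (not from the thread): audit and harden the per-user IE
# Internet zone settings the Secunia advisory's "Solution" refers to.
# Assumed layout: zone 3 = Internet; action "1802" = "Drag and drop or
# copy and paste files" (0 = Enable, 1 = Prompt, 3 = Disable);
# CurrentLevel 0x12000 = High. Values under
# HKCU\Software\Policies\...\Internet Settings\Zones\3 (Group Policy)
# take precedence over these if present.
$ZonePath       = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$DragDropAction = '1802'
$HighLevel      = 0x12000

function Get-IeInternetZoneState {
    # Returns an object describing the current drag-and-drop action and zone level.
    if (-not (Test-Path $ZonePath)) {
        throw "Internet zone key not found: $ZonePath"
    }
    $props = Get-ItemProperty -Path $ZonePath
    $dd    = [int]$props.$DragDropAction
    $level = [int]$props.CurrentLevel
    $ddText = switch ($dd) {
        0       { 'Enable' }
        1       { 'Prompt' }
        3       { 'Disable' }
        default { "Unknown($dd)" }
    }
    [pscustomobject]@{
        DragDropSetting  = $ddText
        DragDropDisabled = ($dd -eq 3)
        CurrentLevel     = ('0x{0:X}' -f $level)
        IsHighLevel      = ($level -eq $HighLevel)
    }
}

function Disable-IeDragDrop {
    # Sets action 1802 to 3 (Disable) for the current user, the advisory's first mitigation.
    # CurrentLevel is only what the IE dialog displays; the individual action
    # values are what is enforced, so this script reports CurrentLevel but
    # does not write it. Apply the "High" template via the IE dialog or Group
    # Policy, which rewrites every action value for the zone.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $msg = "Set $DragDropAction = 3 (disable drag and drop / copy and paste files)"
    if ($PSCmdlet.ShouldProcess($ZonePath, $msg)) {
        Set-ItemProperty -Path $ZonePath -Name $DragDropAction -Value 3 -Type DWord
    }
}

# Usage: show state, apply the mitigation, then verify.
Get-IeInternetZoneState
Disable-IeDragDrop -WhatIf   # drop -WhatIf to actually write the value
Get-IeInternetZoneState
```

Run it under the affected user's account; the key is per-user, so a setting changed while logged in as an administrator does not protect other profiles on the same machine.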
     
  2. still_longhorn

    still_longhorn Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    256
    Microsoft has announced a vulnerability in Internet Explorer when handling specific DHTML events. Specifically, the problem is said to occur when Internet Explorer handles a Drag and Drop event. By following a link containing such an event, it is possible for an attacker to load an arbitrary file onto a victim's local filesystem.
    Successful exploitation of this condition could ultimately result in the execution of arbitrary code at a later time.

    Check these out:

    Microsoft Internet Explorer 6.0 SP1:
    Microsoft Patch Cumulative Security Update for Internet Explorer 6 Service Pack 1 (KB824145)
    http://www.microsoft.com/downloads/...&displaylang=en
    Microsoft Patch Cumulative Security Update for Internet Explorer 6 SP1 64-bit Edition (KB824145)
    http://www.microsoft.com/downloads/...&displaylang=en
    Microsoft Patch Cumulative Security Update for Internet Explorer for Windows Server 2003 (KB824145)
    http://www.microsoft.com/downloads/...&displaylang=en
    Microsoft Patch Cumulative Security Update for Internet Explorer for Windows Server 2003 64-bit Edition (KB824145)
    http://www.microsoft.com/downloads/...&displaylang=en
    Microsoft Internet Explorer 6.0:
    Microsoft Patch Cumulative Security Update for Internet Explorer 6 (KB824145)
    http://www.microsoft.com/downloads/...&displaylang=en


    LOL! Piece of cake!
     
  3. still_longhorn

    still_longhorn Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    256
    Still does not explain how Santa survived the formats...! ROFL
     
  4. Galcoolest

    Galcoolest Registered Member

    Joined:
    Jun 18, 2004
    Posts:
    229
    Location:
    San Francisco
    Santa was obviously part of how I was misconfiguring my system prior to each reinstall- and inadvertently leaving the same damn doors wide open, which on my very limited local LAN with STATIC IPS (the DSL provider only switches you out once a month or so, which I learned early on about them)- in conjunction with my not reinstalling the router for those reinstalls (mistakenly thinking its flaws had caused the INITIAL hacking, a whole different matter than what I'm talking about now, which went down after all of that- because at the time, I wasn't distinguishing between the events- the hacker bull and the subsequent, unrelated compromises). It appears each time I booted back online I sent an open invitation back to the local machine monitoring mine and signaled a "go for it" repeatedly.

    In other words, yes, due to my lack of full understanding about SP2, the config issues, whatever- I did mistake the whole series of events as one continuum of intrusion. But having read that bit today, and thought about the whole sequence of events, I do think I got rid of the hacker just fine, but then kept re-inviting another local LAN badguy/script kiddie right back on my machine a few times as I was sitting there with a static IP, no router, running around in an admin role at the time, neglecting to trace the source IP or event logs properly or to use proper monitoring software, not to mention failing to fully google the activities to learn about what I learned today, freaking out, panicking------ all of these elements were Santa, ok?

    Are you done with me now LH? I'd like to move on please....
     
  5. jxkruzzn

    jxkruzzn Guest

    :D yes, the lady did ask politely, not like me!

    Good for you GalCoolest, I think you may have helped me figure out something we had at the house. Be glad it's over!
     