Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2004-10-20 InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Browser Vulnerabilities (all browsers), MS04-030 and -032 POC exploit released

Published: 2004-10-20
Last Updated: 2004-10-21 00:28:18 UTC
by Pedro Bueno (Version: 1)
0 comment(s)

Vulnerable Browser Day

If you are reading this diary with any web browser other then 'lynx' or 'wget', you are likely vulnerable to one of the issues released today. The first issue
covers all browsers that support tabbed browsing (Firefox, Netscape, Opera,
Konqueror...). The second issue is only of interest to Microsoft Internet Explorer users.

(1) Tabbed Browsing Dialog Spoofing

A malicious website may display a dialog box above a "trusted" site, after the user clicked on a link directing them from the malicious site to the trusted site. The user has to open the new site in a new tab. For a quick test, see:

*** NOTE: THIS PAGE WILL SEND AN EXPLOIT DEMONSTRATION. WHILE

*** WE VERIFIED THE DEMONSTRATION TO BE HARMLESS, USE

*** AT YOUR OWN RISK.

****http://secunia.com/multiple_browsers_dialog_box_spoofing_test/****
Patches:

(non available right now. We will update this space as they become available).
(2) Two vulnerabilities in MSIE

The first vulnerability is a modified "drag&drop" exploit. The original problem
was fixed with this months patches. But this version is still working.

The second vulnerability will allow malicious web pages to bypass the security zone restrictions, using crafted .hhk files (Windows Help Index).

We are not aware for any patches for either vulnerability. However, you can
avoid these vulnerabilities by disabling Active Scripting. See:

http://support.microsoft.com/default.aspx?scid=kb;en-us;q154036

for details.

MS04-030 POC

A proof-of-concept (POC) exploit for MS04-030 has been made available. The exploit, a perl
script, claims to trigger the DOS condition. While we are still working to
verify the exploit, here some signatures to look for:

The exploit will send the following header:

(the 'Host' field will hold the IP address of the attacked host. In this
example, we used '127.0.0.1')

---------------------------


PROPFIND / HTTP/1.1
Content-type: text/xml
Host: 127.0.0.1
Content-length: 188963

<?xml version="1.0"?>
<a:propfind xmlns:a="DAV:" xmlns:z1="xml:" xmlns:z2="xml:" xmlns:z3="xml:" xmlns

(... repeating 'xmlns:z???="xml:", where '???' keeps incrementing ...)

xmlns:z9995="xml:" xmlns:z9996="xml:" xmlns:z9997="xml:"
xmlns:z9998="xml:" >
<a:prop><a:getcontenttype/></a:prop>
</a:propfind>

--------------------------------
For Apache servers, the exploit will leave the following log entries:

Access Log:

10.1.0.13 - - [20/Oct/2004:14:57:15 +0000] "PROPFIND / HTTP/1.1" 400 31
"-" "-"
Error Log:

[Wed Oct 20 14:57:15 2004] [error] [client 10.1.0.13] request failed:
error reading the headers

(your apache install may use a different log format)
If working "as advertised", the exploit will crash unpatched IIS servers.
MS04-032 Windows XP Metafile Overflow POC

Looks like the kids are finally catching up with all the MSFT vulnerabilities
released this month. A POC (proof-of-concept) exploit was released to exploit
the Windows XP Metafile overflow vulnerability.

The malicious file will start a remote shell or connect back to a URL.

This functionality goes beyond what is typically considered a 'proof-of-concept' as it allows full remote control to the system with all the privileges of the user that opened the image.
The good thing is that some AV vendors already detect it:
From VirusTotal website:


BitDefender 7.0 10.20.2004 Exploit.FPSE.A

Sybari 7.5.1314 10.20.2004 Exploit-MS03-051

Symantec 8.0 10.19.2004 Trojan.Moo


The Manager's Briefing at http://isc.sans.org/presentations/MS04Oct.ppt has been updated to reflect the existence of these exploits.


-------------------------------------------------

Pedro Bueno, Johannes Ullrich.
Keywords:
0 comment(s)
Diary Archives