Threat Level: green Handler on Duty: Pedro Bueno

SANS ISC InfoSec Handlers Diary Blog



PDF XSS vulnerability announced at CCC

Published: 2007-01-03
Last Updated: 2007-01-03 19:25:09 UTC
by Toby Kohlenberg (Version: 2)
A new cross-site scripting attack was announced at the 23rd CCC by Stefano Di Paola & Giorgio Fedon:
http://events.ccc.de/congress/2006/Fahrplan/events/1602.en.html
The gist of the attack is that you can get JavaScript executed simply by appending it to the URL of a PDF.

This is an example (from GNUCitizen): (line breaks added for aesthetic value)

www.google.com/librariancenter/downloads/Tips_Tricks_8511.pdf#something \
=javascript:function createXMLHttpRequest(){   try{ return new \
ActiveXObject('Msxml2.XMLHTTP');  }catch(e){}   try{ return new \
ActiveXObject('Microsoft.XMLHTTP'); }catch(e){}   try{ return new \
XMLHttpRequest(); }catch(e){}   return null;}var xhr = createXMLHttpRequest(); \
xhr.onreadystatechange = function(){    if (xhr.readyState == 4)       \
alert(xhr.responseText);};xhr.open('GET', 'http://www.google.com', true)\
;xhr.send(null);

This doesn't require the ability to write the PDF, just the ability to construct a URL that points at a PDF already hosted on some site.
There are a number of good explanations on this. I liked this one:
http://www.disenchant.ch/blog/hacking-with-browser-plugins/34

The original paper talks about more than this specific flaw and is certainly worth reading as well.

Mitigation: Turning off JavaScript seems effective at mitigating this. Militant use of the NoScript extension for
Firefox would be my recommendation. Of course you have to turn off JavaScript for _everything_ (specifically for the target domains, not for the website setting up the attack; in the Disenchant examples you would have to disable scripting for Google, MySpace, Microsoft, eBay and BofA), but...
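Because the payload rides in the URL fragment, it never reaches the server hosting the PDF, so any check has to happen on the client. The following is an added example (not code from the diary, GNUCitizen or the original paper) that classifies a link by parsing the Acrobat open parameters in its fragment; the http:// default for scheme-less URLs is an assumption.

```javascript
// Added example, not code from the diary or from GNUCitizen: a client-side
// classifier for links that carry Acrobat "open parameters" in the URL
// fragment (#name=value&name=value) and use one of them to smuggle script.
// The fragment is never sent to the hosting server, so this can only run on
// the client side (a browser extension, a link checker); the server's access
// log will not contain the payload.

// The diary's example omits the scheme; assume http:// in that case (assumption).
function parseUrl(urlString) {
  return new URL(/^[a-z][a-z0-9+.-]*:/i.test(urlString) ? urlString : "http://" + urlString);
}

// Normalise a fragment value the way a lenient URL consumer would: percent-
// decode (twice, to catch double encoding), drop tab/CR/LF anywhere, trim
// leading controls and spaces, lower-case.
function normalizeValue(value) {
  let v = value;
  for (let i = 0; i < 2; i++) {
    try { v = decodeURIComponent(v); } catch (e) { break; } // keep malformed %xx as-is
  }
  return v.replace(/[\t\n\r]/g, "").replace(/^[\u0000-\u0020]+/, "").toLowerCase();
}

// Return every open parameter whose value, after normalisation, starts with
// the javascript: scheme. Each finding is { name, value }.
function findScriptParams(urlString) {
  const hash = parseUrl(urlString).hash;
  const fragment = hash.startsWith("#") ? hash.slice(1) : hash;
  const findings = [];
  for (const pair of fragment.split("&")) {
    if (pair === "") continue;
    const eq = pair.indexOf("=");
    const name = eq === -1 ? pair : pair.slice(0, eq);
    const value = normalizeValue(eq === -1 ? "" : pair.slice(eq + 1));
    if (value.startsWith("javascript:")) findings.push({ name, value });
  }
  return findings;
}

// True when the link points at a PDF (by path extension; a PDF served under
// another extension would need a Content-Type check) and its fragment would
// hand script to the plugin in the hosting site's origin.
function isPdfFragmentXss(urlString) {
  const isPdf = /\.pdf$/i.test(parseUrl(urlString).pathname);
  return isPdf && findScriptParams(urlString).length > 0;
}
```

The sample URLs below are constructed; the first reuses the diary's Google PDF path with a shortened, harmless fragment value.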

Update: Thanks to those of you who pointed out that this appears to fail/is fixed in Adobe Acrobat/Reader 8:
http://www.adobe.com/products/acrobat/readstep2.html

Symantec attack uptick reported

Published: 2007-01-03
Last Updated: 2007-01-03 08:51:56 UTC
by Toby Kohlenberg (Version: 1)
Thanks to Mike who sent us the following note about what he's seen on his network. Anyone else seeing similar movement?

The Symantec AV attacks have picked up over the last day or so, as systems that were probably turned off over the holidays are turned on and infected by the worm.  Almost all of the attacks we saw just before Christmas were from other .edus; now we are seeing more attacks from systems in countries other than the US.  About 70% of the 186 systems that tried attacking us today were outside the US.  Brazil and Taiwan take top honors for most attacking hosts.

Apple QuickTime RTSP URL Handler Vulnerability

Published: 2007-01-03
Last Updated: 2007-01-03 08:33:07 UTC
by Scott Fendley (Version: 4)
The Month of the Apple Bugs seems to have started. The first bug is in the handling of RTSP URLs within QuickTime, leading to arbitrary code execution on both Windows and Mac OS. You can find the advisory here:
http://projects.info-pull.com/moab/MOAB-01-01-2007.html.  The MOAB blog states that you should disable the rtsp:// URL handler; however, I have not determined how this is done.

Update 1:

Robert helped me find something I was missing.  Guess I am just blind today or was just paying a little too much attention to the bowl games. 

To disable RTSP URLs in QuickTime for Windows, open the QuickTime control panel.  Then, select the File Types tab.  Expand the Streaming category and make sure the RTSP stream descriptor is unchecked.  Here is a screen capture of this from my Windows-based computer.  I recommend that you make sure that this is unchecked.



Update 2: To disable RTSP URLs in QuickTime for OSX,  go to System Preferences -> QuickTime -> Advanced -> MIME Settings -> Streaming - Streaming Movies -> Uncheck RTSP stream descriptor.  Thanks Swa, David and Carl for helping me find where it is located on this architecture.  Here is the OSX screen capture.



Update 3: Our thanks to Rosyna from Unsanity.org who pointed out that the above fix for OSX may not be sufficient due to the roundabout fashion in which QTL files are handled by OSX (it doesn't use the RTSP handler, hence disabling it isn't a complete fix). She points to this application package as a fix: http://landonf.bikemonkey.org/code/macosx/MOAB_Day_1.20070102060815.15950.zadder.local.html . NOTE: this fix requires a third-party application to be loaded, which may introduce its own set of issues and vulnerabilities!
-tk

VLC Media Player udp URL handler Format String Vulnerability

Published: 2007-01-03
Last Updated: 2007-01-03 00:39:56 UTC
by Toby Kohlenberg (Version: 1)
Welcome Fans to Day Two of the Month of Apple Bugs!
http://projects.info-pull.com/moab/MOAB-02-01-2007.html
Today's contestants are: the MOAB team and VLC Media Player.
We have a special treat for you today as the vulnerability announced on this lovely winter morning (okay, it hasn't stopped raining yet today and it was almost dark at 2:30pm and technically it's evening, but...) impacts the VLC Media Player on both OSX and Windows.

MOAB team, the reigning champion after their highly noted win against Apple QuickTime yesterday by stack overflow, had this to say about their opponent:
"A format string vulnerability exists in the handling of the udp:// URL handler. By supplying a specially crafted string, a remote attacker could cause an arbitrary code execution condition, under the privileges of the user running VLC."

After a short bout MOAB was declared winner again by delivery of PoC for both x86 and PPC.
This contender has certainly come out strong but we'll see how they hold up as the month continues. That's all till next time sports fans.