Vulnerable Browser Day
If you are reading this diary with any web browser other than 'lynx' or 'wget', you are likely vulnerable to one of the issues released today. The first issue
covers all browsers that support tabbed browsing (Firefox, Netscape, Opera,
Konqueror...). The second issue is only of interest to Microsoft Internet Explorer users.
(1) Tabbed Browsing Dialog Spoofing
A malicious website may display a dialog box above a "trusted" site, after the user clicked on a link directing them from the malicious site to the trusted site. The user has to open the new site in a new tab. For a quick test, see:
*** NOTE: THIS PAGE WILL SEND AN EXPLOIT DEMONSTRATION. WHILE
*** WE VERIFIED THE DEMONSTRATION TO BE HARMLESS, USE
*** AT YOUR OWN RISK.
(none available right now; we will update this space as they become available).
(2) Two vulnerabilities in MSIE
The first vulnerability is a modified "drag&drop" exploit. The original problem
was fixed with this month's patches, but this modified version still works.
The second vulnerability will allow malicious web pages to bypass the security zone restrictions, using crafted .hhk files (Windows Help Index).
We are not aware of any patches for either vulnerability. However, you can
avoid these vulnerabilities by disabling Active Scripting. See:
A proof-of-concept (POC) exploit for MS04-030 has been made available. The exploit, a perl
script, claims to trigger the DoS condition. While we are still working to
verify the exploit, here are some signatures to look for:
The exploit will send the following header:
(the 'Host' field will hold the IP address of the attacked host. In this
example, we used '127.0.0.1')
(... repeating 'xmlns:z???="xml:", where '???' keeps incrementing ...)
For Apache servers, the exploit will leave the following log entries:
10.1.0.13 - - [20/Oct/2004:14:57:15 +0000] "PROPFIND / HTTP/1.1" 400 31
[Wed Oct 20 14:57:15 2004] [error] [client 10.1.0.13] request failed:
error reading the headers
(your apache install may use a different log format)
If working "as advertised", the exploit will crash unpatched IIS servers.
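As an added example (not part of the diary), a small Python script that scans Apache access and error log lines for the pattern described above: a PROPFIND answered with 400 from a client that also produced the "error reading the headers" entry, plus a counter for the repeated xmlns:z???="xml:" declarations. The log lines and request snippet are constructed to match the diary's examples.

```python
import re

# Constructed sample log lines modelled on the entries shown in the diary (not real captured data).
ACCESS_LOG = """\
10.1.0.13 - - [20/Oct/2004:14:57:15 +0000] "PROPFIND / HTTP/1.1" 400 31
10.1.0.7 - - [20/Oct/2004:14:58:02 +0000] "GET /index.html HTTP/1.1" 200 1043
10.1.0.22 - - [20/Oct/2004:14:59:40 +0000] "PROPFIND /docs HTTP/1.1" 207 512
"""
ERROR_LOG = """\
[Wed Oct 20 14:57:15 2004] [error] [client 10.1.0.13] request failed: error reading the headers
"""

# Common log format: client, identd, user, [timestamp], "request line", status, bytes
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
ERROR_RE = re.compile(
    r'^\[[^\]]+\] \[error\] \[client (?P<ip>[^\]]+)\] request failed: error reading the headers')
# The diary says the request repeats xmlns:z???="xml:" with an incrementing number.
XMLNS_Z_RE = re.compile(r'xmlns:z\d+="xml:"')

def header_failure_clients(error_log):
    """Clients whose request Apache rejected because it could not read the headers."""
    clients = set()
    for line in error_log.splitlines():
        m = ERROR_RE.match(line)
        if m:
            clients.add(m.group("ip"))
    return clients

def find_suspect_propfind(access_log, error_log):
    """(ip, timestamp) for each PROPFIND answered with 400 whose client also shows a
    header-read failure. Correlated by client address only, since the two logs use
    different timestamp formats."""
    failed = header_failure_clients(error_log)
    hits = []
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        if (m.group("method") == "PROPFIND" and m.group("status") == "400"
                and m.group("ip") in failed):
            hits.append((m.group("ip"), m.group("ts")))
    return hits

def count_xmlns_z(request_text):
    """Number of xmlns:z<N>="xml:" declarations in a captured request body;
    a large count matches the repeating pattern the diary describes."""
    return len(XMLNS_Z_RE.findall(request_text))
```

Point the two constants at your own access and error logs to run it over real data; the access-log regex assumes the common log format, so adjust it if your install uses a different one.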
MS04-032 Windows XP Metafile Overflow POC
Looks like the kids are finally catching up with all the MSFT vulnerabilities
released this month. A POC (proof-of-concept) exploit was released to exploit
the Windows XP Metafile overflow vulnerability.
The malicious file will start a remote shell or connect back to a URL.
This functionality goes beyond what is typically considered a 'proof-of-concept' as it allows full remote control to the system with all the privileges of the user that opened the image.
The good thing is that some AV vendors already detect it:
From VirusTotal website:
BitDefender 7.0 10.20.2004 Exploit.FPSE.A
Sybari 7.5.1314 10.20.2004 Exploit-MS03-051
Symantec 8.0 10.19.2004 Trojan.Moo
The Manager's Briefing at http://isc.sans.org/presentations/MS04Oct.ppt has been updated to reflect the existence of these exploits.
Pedro Bueno, Johannes Ullrich.
Oct 21st 2004