Vulnerability Development mailing list archives

RE: Microsoft Baseline Security Analyzer exploit (Exposed vulnerabilities' list)


From: "Deus, Attonbitus" <Thor () HammerofGod com>
Date: Fri, 26 Apr 2002 07:54:43 -0700


At 10:18 AM 4/25/2002, Menashe Eliezer wrote:
The vulnerabilities' list is accessible even by an unprivileged user account.

Only on a FAT drive: by default, only SYSTEM, admin and the user have 
permissions to access the file.

The ability of active content to access this report depends on the
security setting of the browser.
For example, signed ActiveX that runs in a browser with a low security
setting doesn't need the user's approval. The user can also choose not to be asked
whether to launch ActiveX that is signed by a specific signer. In such a case,
the ActiveX doesn't have to be safe for scripting. The ActiveX can do
anything without being scripted at all. There's no need for a low security setting of 
the browser.

Please just stop it. This has *nothing* to do with MBSA.  If people have a 
low browser security setting and go around downloading signed (or unsigned 
for that matter) ActiveX controls then that is their problem, not 
MBSA's.  Even the examples on your web site require much interaction from the 
user and the explicit loading and executing of the controls.  This is bogus.

There IS a need for low security for the rogue ActiveX control to be 
downloaded in the first place.  The reason the "safe for scripting" issue 
was raised by 3APA3A is that he knows some may have the "Script ActiveX 
controls marked safe for scripting" turned on...  In that case, only these 
types of controls could be used to access the information, and they would 
already have to be installed and marked "safe for scripting."


You can access this report even without active content.
All you need is a limited exploit that just allows you to read a file.

Deus Attonbitus wrote:
DA>but the script would also have to be able to discern the currently logged
DA>on user in order to see where to look in the "Documents and Settings"
DA>tree.
1. Discern the currently logged on user - It's a simple Win32 API.
2. Code can simply look for "Security Scans" folder in tree.

You contradict yourself... Without the ActiveX control, your "limited 
exploit" to read the file would not be able to run the API call to find out 
the username.  You might be able to use something old to known filename in 
a known location, but where is the "limited exploit" that allows directory 
recursion?  Besides, you don't even know the name of the XML file- unless 
you also guess the domain, the computer name scanned, and the exact date 
and time (to the second) that the scan was made.

Let's break it down... Here is what would have to happen:

1) Admin downloads and runs MBSA.
2) MBSA tells Admin that he is running on FAT, that the IE Internet zone 
security is low, that the Outlook security zone is low, and that he has 
missing patches for known issues.
3) Admin ignores all messages, does nothing to secure his system, and goes 
about his day whistling "Jimmy crack corn and I don't care."
4) You magically discern who this admin is, and get him to visit your web 
site using Jedi Mind Trick.
5) You get Microsoft to sign an ActiveX control that allows you to take full 
control over the user's box.
6) User downloads control.
7) You use this control to read the MBSA XML file, when you already had 
full control over the box.
8) You find out what patches are missing and then fire off another exploit 
against user to further compromise system even though the game was already 
over.

Is that about right?

AD
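The thread's key defensive point is that the MBSA report is only world-readable on a FAT volume; on NTFS the default ACL limits it to SYSTEM, Administrators and the owning user. The following PowerShell check, added here and not part of the original post or of MBSA itself, verifies both conditions for a report folder. The folder name 'SecurityScans' under the user's profile is an assumption; adjust it to wherever your MBSA version writes its XML files.

```powershell
# Added example (not from the thread): confirm the MBSA report folder sits on an
# NTFS volume and that no Allow ACE grants access beyond SYSTEM, Administrators
# and the profile owner. The 'SecurityScans' folder name is an assumption.
param([string]$ReportDir = (Join-Path $env:USERPROFILE 'SecurityScans'))

function Test-MbsaReportAcl {
    param([string]$Path)

    # FAT has no ACLs at all: every local account can read the report.
    $drive = [System.IO.Path]::GetPathRoot($Path)
    $fs = ([System.IO.DriveInfo]::new($drive)).DriveFormat
    if ($fs -ne 'NTFS') {
        Write-Warning "$drive is $fs - no ACLs, any local user can read the reports"
        return $false
    }

    if (-not (Test-Path -Path $Path)) {
        Write-Output "No report folder at $Path"
        return $true
    }

    # Principals that the thread says hold access by default on NTFS.
    $allowed = @('NT AUTHORITY\SYSTEM',
                 'BUILTIN\Administrators',
                 "$env:USERDOMAIN\$env:USERNAME")

    $acl = Get-Acl -Path $Path
    $unexpected = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $allowed -notcontains $_.IdentityReference.Value
    })

    foreach ($ace in $unexpected) {
        Write-Warning ("Unexpected ACE on {0}: {1} -> {2}" -f
            $Path, $ace.IdentityReference.Value, $ace.FileSystemRights)
    }
    return ($unexpected.Count -eq 0)
}

Test-MbsaReportAcl -Path $ReportDir
```

Inherited ACEs for groups such as Users show up as unexpected entries, which is exactly the condition that would make the report readable by an unprivileged account.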