Bugtraq mailing list archives

Re: New DDoS?


From: Ryan Russell <ryan () SECURITYFOCUS COM>
Date: Tue, 9 Jan 2001 23:26:35 -0800

On Wed, 10 Jan 2001, Darren Reed wrote:

> What about placement (or addition) of an ActiveX control (which downloads
> into IE on the quiet) that's not quite so benign?


The important criterion IMHO is stealth, if the exploit has any hope of
staying hidden long enough to nail enough clients.  I believe lots of
people have IE configured to warn about even signed ActiveX controls.  It
comes default that way for the majority of controls.  Some folks will shut
off the warnings, because they are given the option every time they have
to answer the question.

There are a number of trusted ActiveX controls that Microsoft has put out,
which load silently.  Georgi has been able to leverage at least one
for exploit purposes:

http://www.securityfocus.com/bid/1754

This particular problem has been patched of course, but it illustrates the
concept.

So, ActiveX holes could be exploited, along with any browser hole.

To be extra clean, most web servers provide an easy way to serve up
different pages, depending on the user agent info the browser supplies
(i.e. the info that the browser sends that identifies the type and
version).  Using that, the defaced web site could be configured to serve
up the appropriate exploit for Netscape or IE, or no exploit at all if the
client appears to be a non-vulnerable version.  To hide even further, it
could only exploit 1 in 100 clients, making it even harder to identify.
(No, that site couldn't have hacked you... I just combed through the code
by hand, and it's clean...)  Obviously, it's a little less effective at
that point.  I have no idea what the ideal exploit/hide ratio would be.

Even .jpgs aren't safe, as there is an exploit for Netscape that is
delivered via .jpg files:

http://www.securityfocus.com/bid/1503

In short, if you've got a malicious web server, or a web server that has
been compromised in a non-obvious way, the problem is much more serious
than a DoS or DDoS.

                                                Ryan
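A defender-side check for the user-agent-dependent and intermittent serving the post describes, added here as an example that is not part of the original message: fetch the same URL repeatedly under several user agents and compare response hashes, which catches content a one-off manual review of "the code" would miss. The user-agent strings and the stub server (which models "1 in 100 clients" deterministically as every 100th request) are constructed assumptions.

```python
# Differential-fetch check for user-agent-dependent or intermittent content.
import hashlib
from collections import defaultdict
from typing import Callable, Dict, List, Set

# Constructed user-agent strings; any list will do. The first is the baseline.
USER_AGENTS: List[str] = [
    "Mozilla/4.75 [en] (X11; U; Linux 2.2.16 i686)",
    "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)",
    "curl/7.9",
]

def collect_variants(fetch: Callable[[str], bytes], user_agents: List[str],
                     samples: int) -> Dict[str, Set[str]]:
    """Fetch the same URL `samples` times per UA; record distinct body hashes."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for ua in user_agents:
        for _ in range(samples):
            seen[ua].add(hashlib.sha256(fetch(ua)).hexdigest())
    return dict(seen)

def assess(variants: Dict[str, Set[str]], baseline_ua: str) -> Dict[str, List[str]]:
    """Flag UAs that (a) got more than one distinct body across repeated
    fetches, or (b) got a body the baseline UA never saw."""
    base = variants[baseline_ua]
    return {
        "unstable": sorted(ua for ua, h in variants.items() if len(h) > 1),
        "differs_from_baseline": sorted(ua for ua, h in variants.items()
                                        if ua != baseline_ua and not h <= base),
    }

def make_stub_server() -> Callable[[str], bytes]:
    """Constructed stub: one static page, except that every 100th request from
    an MSIE client gets an extra block appended (models '1 in 100 clients')."""
    counter: Dict[str, int] = defaultdict(int)
    page = b"<html><body>Welcome</body></html>"
    def fetch(ua: str) -> bytes:
        counter[ua] += 1
        if "MSIE" in ua and counter[ua] % 100 == 0:
            return page + b"<!-- constructed placeholder for injected content -->"
        return page
    return fetch

def run_check(samples: int = 200) -> Dict[str, List[str]]:
    """Run the check against the stub; real use passes a network fetch instead."""
    return assess(collect_variants(make_stub_server(), USER_AGENTS, samples),
                  USER_AGENTS[0])

if __name__ == "__main__":
    print(run_check())
```

With fewer samples than the injection interval the check reports nothing, which is exactly the blind spot the post points at: sample volume has to exceed the serving ratio.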

