RE: EEYE: Internet Explorer Object Data Remote Execution Vulnerability

["Drew Copley" <dcopley () eeye com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Addendum: It has come to our attention that the file extension does not matter. 

So, the only way people should be blocking is this is by blocking by this tag:

Content-Type: application/hta

Cheers.


> -----Original Message-----
> From: Drew Copley [mailto:dcopley () eeye com] 
> Sent: Wednesday, August 27, 2003 10:03 AM
> To: 'Fabio Pietrosanti (naif)'; 'BUGTRAQ'
> Subject: RE: EEYE: Internet Explorer Object Data Remote 
> Execution Vulnerability
>
>
>  
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> If you wish, you can deny any traffic using:
>
> Content-Type: application/hta
>
> The fact is even IIS does not have that content type built 
> in, and it does not need it. Further, the need for anyone to 
> legitimately download a HTML Application would be extremely 
> rare. (This is not saying HTML Applications are useless.)
>
> Object tags can have unsafe extensions in the data, for 
> instance, base-64 encoded data is rather popular. (For 
> whatever reason Frontpage automatically puts base-64 encoded 
> data in some activex.)
>
>
>
> > -----Original Message-----
> > From: Fabio Pietrosanti (naif) [mailto:fabio () pietrosanti it]
> > Sent: Monday, August 25, 2003 2:45 AM
> > To: BUGTRAQ
> > Subject: Re: EEYE: Internet Explorer Object Data Remote 
> > Execution Vulnerability
> >
> >
> > On Fri, Aug 22, 2003 at 11:27:33AM +0300, Nerijus Krukauskas wrote:
> > >   In case anyone needs a SNORT rule to catch attempts to
> > exploit this
> > > vulnerability:
> > >
> > > #-----
> > > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
> (msg:"Internet 
> > > Explorer Object Data Remote Execution Vulnerability"; \
> > >         content:"F935DC22-1CF0-11D0-ADB9-00C04FD58A0B"; \
> > >         nocase; flow:from_server, established; \
> > >         reference:cve,CAN-2003-0532; \
> > >         classtype:web-application-activity; rev:1;)
> > > #-----
> >
> > This rules catch the response with the exploit's payload from
> > the server that may change depending on the exploits so 
> > matching the CLSID of WSH does not detect the "vulnerability" 
> > beeing exploited but this specific exploits.
> >
> > Altought there are many way of exploiting this vuln without
> > using the Window Scripting Host, it's possible to use it in 
> > many way like:
> >
> > - VBScript
> >
> >    CreateObject("WScript.Shell")
> >
> > - JavaScript
> >
> >   new ActiveXObject("WScript.shell");
> >
> > or like in the demostration with the <object> tag .
> >
> > The only way to detect it is to look at the data sent by the
> > client beeing exploited ( which can probably bypassed with 
> > fancy mhtml base64 encoded e-mail or with an e-mail with a 
> > link to a site available in https )
> >
> > For an effective signature we need a regexp that will catch
> > everything that start with <object, reach the field data= and 
> > look at the end of the string inside 
> > "" matching everything that's NOT an unsafe extension ( .exe, 
> > .pif, .cab, etc, etc ) .
> >
> > In perl should be something like:
> >
> > /date="[^"]+\.(?!exe|bat|pif|cab|scr|etc|etc|antani)([^"])+?"/
> >    ( tnx Md )
> >
> > Regards
> >
> > --
> >
> > Fabio Pietrosanti ( naif )
> > E-mail: fabio () pietrosanti it - naif () s0ftpj org -
> > naif () sikurezza org PGP Key available on my homepage: 
> http://fabio.pietrosanti.it/
> - --
> Security is a state of being, not a state of budget. rfp 
> - --
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 8.0
>
> iQA/AwUBP0zkYAkWkugjEnC3EQLRzQCfUA4X7X4q/kxhTTNpblyo17RHOwMAoMNy
> t87vTJIMNFpKj6/ESNba3hd0
> =RMqw
> -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBP0zqjgkWkugjEnC3EQKOogCeNqFJC5wPvS9n3MNZRZIJY1OSLhwAnjMr
dPDmnRNq/T/WdXkcj+Bh3QY8
=YB1/
-----END PGP SIGNATURE-----