Full Disclosure mailing list archives
RE: SUPER SPOOF DELUXE Re: Microsoft and Security
From: "http-equiv () excite com" <1 () malware com>
Date: Thu, 1 Jul 2004 20:25:01 -0000
Yes of course. Two tiny problems though:

1. Your little scriptlet doesn't work for me. I get:

   'W.frames.2.location' is null or not an object

2. If, as you claim, this is "standard practice", then there is something wrong with these browsers, as it apparently does not work on them:

   The following browsers are not affected:
   * Mozilla Firefox 0.9 for Windows
   * Mozilla Firefox 0.9.1 for Windows
   * Mozilla 1.7 for Windows
   * Mozilla 1.7 for Linux

   http://secunia.com/advisories/11978/

Perhaps someone who really knows will enlighten us all.

Thor Larholm <thor () pivx com> said:

> > From: http-equiv () excite com [mailto:1 () malware com]
>
> Your subject makes it sound like this is a spoofing vulnerability when in fact this is expected functionality that has been around since Netscape 2 and IE3 which does not grant additional privileges of any kind and requires the user to activate WindowsUpdate from your site.
>
> > Here's a quick and dirty demo injecting malware.com into
> > windowsupdate.microsoft.com :)
> > http://www.malware.com/targutted.html
>
> Your script opens a new window and then uses a timer to change the location of whatever window object has focus. This does not switch security zone or even protocol, all it does is to load your site into a subframe of another site. You can accomplish the exact same without trying to 'trick' anything by using the following 2 lines:
>
>     W=window.open("http://v4.windowsupdate.microsoft.com");
>     W.frames[2].location.href = "http://pivx.com/";
>
> This is no different than loading WindowsUpdate in a frame on your own site. It has always been standard practice that you can change, but not read, the location of any window object to a site from the same protocol and security zone. A frame is a window object and all window objects are safely exposed because they by themselves do not reveal any information about the site inside the frame. You can get a handle of any window object to any depth because the frames collection is also safely exposed. This does not give you any kind of access to the document object inside, which would be necessary for any kind of code injection or cookie theft.
>
> Regards
>
> Thor Larholm
> Senior Security Researcher
> PivX Solutions
> 23 Corporate Plaza #280
> Newport Beach, CA 92660
> http://www.pivx.com
> thor () pivx com
> Stock symbol: (PIVX.OB)
> Phone: +1 (949) 231-8496
> PGP: 0x5A276569 6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569
>
> PivX defines a new genre in Desktop Security: Proactive Threat Mitigation.
> <http://www.pivx.com/qwikfix>
>
> -----Original Message-----
> From: http-equiv () excite com [mailto:1 () malware com]
> Sent: Tuesday, June 29, 2004 11:41 AM
> To: bugtraq () securityfocus com
> Cc: NTBugtraq () listserv ntbugtraq com
> Subject: SUPER SPOOF DELUXE Re: [Full-disclosure] Microsoft and Security
>
> Thomas Kessler was kind enough to inform that this is not new, but in fact an old "issue" with Internet Explorer which by all accounts was supposed to be "patched" back in 1998[?]:
>
> Microsoft Security Program: Microsoft Security Bulletin (MS98-020)
> Patch Available for 'Frame Spoof' Vulnerability
> http://www.microsoft.com/technet/security/bulletin/ms98-020.mspx
>
> Quite clearly this contraption known as Internet Explorer is just broken. It's oozing pus from every pore at this stage. If indeed the issues are the exact same. You'd better wipe hands of it anyway. We give up.
>
> --
> http://www.malware.com

--
http://www.malware.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
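The thread turns on whether a site can do anything about a third-party page being loaded into one of its frames, or about being loaded into someone else's frame. The following is an added example, not code from the thread or from any of its posters: a Node.js implementation of a subset of Content-Security-Policy source-list matching, applied to the two directives that govern framing today, frame-src (set by the parent document, limits the URLs its subframes may load) and frame-ancestors (set by the framed document, limits which pages may embed it). Neither directive existed in 2004. The hostnames in the sample scenario are the ones the thread mentions; the policy strings are constructed for illustration. The matcher covers host expressions, "*." wildcards, scheme and port rules and the 'self' and 'none' keywords, and deliberately leaves out path matching, nonces, hashes and the 'unsafe-*' keywords.

```javascript
// Added example, not code from the thread: a subset of CSP source-list
// matching (host, "*." wildcards, scheme, port, 'self', 'none'), applied to
// the two directives that govern framing. Path matching, nonces, hashes and
// the 'unsafe-*' keywords are left out.

const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Split a directive value such as "'self' http://*.microsoft.com" into its
// source expressions.
function parseSourceList(value) {
  return value.trim().split(/\s+/).filter(Boolean);
}

// Does the URL scheme `actual` satisfy an expression scheme `wanted`?
// CSP lets http: permit https: and ws: permit wss:, never the reverse.
function schemeMatches(wanted, actual) {
  if (wanted === actual) return true;
  if (wanted === "http:" && actual === "https:") return true;
  if (wanted === "ws:" && actual === "wss:") return true;
  return false;
}

// Match one host-source expression ("[scheme://]host[:port]") against `url`.
// `protectedUrl` is the document whose policy is being enforced; its scheme
// is used when the expression names none.
function hostSourceMatches(expr, url, protectedUrl) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:\/]+)(?::(\*|\d+))?(?:\/.*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, hostPart, portPart] = m;

  const wantedScheme = scheme ? scheme.toLowerCase() + ":" : protectedUrl.protocol;
  if (!schemeMatches(wantedScheme, url.protocol)) return false;

  // "*" matches any host; "*.example.com" matches subdomains but not the
  // bare example.com; anything else must match exactly.
  const host = url.hostname.toLowerCase();
  const hp = hostPart.toLowerCase();
  if (hp.startsWith("*.")) {
    if (!host.endsWith(hp.slice(1))) return false;
  } else if (hp !== "*" && hp !== host) {
    return false;
  }

  // An explicit port must match ("*" matches any); an omitted port means the
  // URL must be on its scheme's default port.
  const urlPort = url.port || DEFAULT_PORTS[url.protocol] || "";
  if (portPart === "*") return true;
  if (portPart !== undefined) return portPart === urlPort;
  return urlPort === (DEFAULT_PORTS[url.protocol] || "");
}

// Does `url` match any expression in `directiveValue`, enforced on behalf of
// the document at `protectedUrl`?
function sourceListAllows(directiveValue, url, protectedUrl) {
  const sources = parseSourceList(directiveValue);
  if (sources.length === 0) return false;
  if (sources.length === 1 && sources[0].toLowerCase() === "'none'") return false;
  for (const src of sources) {
    const lower = src.toLowerCase();
    if (lower === "'none'") continue;
    if (lower === "'self'") {
      if (url.origin === protectedUrl.origin) return true;
    } else if (/^[a-z][a-z0-9+.-]*:$/.test(lower)) {
      // Scheme-source such as "https:".
      if (schemeMatches(lower, url.protocol)) return true;
    } else if (hostSourceMatches(src, url, protectedUrl)) {
      return true;
    }
  }
  return false;
}

// frame-src is set by the parent document and limits the URLs its subframes
// may load.
function frameSrcAllowsNavigation(parentUrl, frameSrcValue, targetUrl) {
  return sourceListAllows(frameSrcValue, new URL(targetUrl), new URL(parentUrl));
}

// frame-ancestors is set by the framed document and limits which pages may
// embed it; every ancestor document has to pass the check.
function frameAncestorsAllowsEmbedding(framedUrl, frameAncestorsValue, ancestorUrls) {
  const framed = new URL(framedUrl);
  return ancestorUrls.every((a) => sourceListAllows(frameAncestorsValue, new URL(a), framed));
}

// Constructed scenario using the hostnames from the thread: a parent page on
// the Windows Update host carries a (made-up) policy that restricts its
// frames to Microsoft hosts, so loading a third-party site into one of its
// frames is refused, while a Microsoft subdomain over https is still allowed.
const parentPage = "http://v4.windowsupdate.microsoft.com/";
const framePolicy = "'self' http://*.microsoft.com";
console.log(frameSrcAllowsNavigation(parentPage, framePolicy, "http://pivx.com/"));            // false
console.log(frameSrcAllowsNavigation(parentPage, framePolicy, "https://www.microsoft.com/"));  // true
console.log(frameAncestorsAllowsEmbedding(parentPage, "'none'", ["http://www.malware.com/"])); // false
```

The scheme and port handling is where most hand-written matchers go wrong: an expression without a scheme inherits the protected document's scheme, so an https page does not silently admit http frames, and an expression without a port only matches the scheme's default port, so a wildcard host does not cover an arbitrary port on that host.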
Current thread:
- RE: SUPER SPOOF DELUXE Re: Microsoft and Security http-equiv () excite com (Jul 01)
- Re: SUPER SPOOF DELUXE Re: Microsoft and Security Daniel Veditz (Jul 02)
- <Possible follow-ups>
- RE: RE: SUPER SPOOF DELUXE Re: Microsoft and Security http-equiv () excite com (Jul 01)
- RE: SUPER SPOOF DELUXE Re: Microsoft and Security http-equiv () excite com (Jul 01)
- RE: SUPER SPOOF DELUXE Re: Microsoft and Security Thor Larholm (Jul 01)
- RE: SUPER SPOOF DELUXE Re: Microsoft and Security Pavel Kankovsky (Jul 01)
- RE: RE: SUPER SPOOF DELUXE Re: Microsoft and Security Thor Larholm (Jul 01)
- RE: SUPER SPOOF DELUXE Re: Microsoft and Security Thor Larholm (Jul 01)
- Re: SUPER SPOOF DELUXE Re: Microsoft and Security Bob Perriero (Jul 02)
- RE: RE: SUPER SPOOF DELUXE Re: Microsoft and Security http-equiv () excite com (Jul 01)
- Re: RE: SUPER SPOOF DELUXE Re: Microsoft and Security Gregory A. Gilliss (Jul 01)
(Thread continues...)