Full Disclosure mailing list archives
Re: Is there a 0day vuln in this phisher's site?
From: "morning_wood" <se_cur_ity () hotmail com>
Date: Sun, 30 Jan 2005 09:41:00 -0800
if you mean http://www.exploitlabs.com/urlbar.html ... then I sent MS an advisory of this... they are working on a patch.

funny... I just noticed my first PoC of this is dated 08/27/04; ( http://www.kb.cert.org/vuls/id/490708 ) is dated 2001 !!!

MS response #1

> Thank you for sending this report. We're currently investigating this issue, however it looks to be a duplicate of other UI spoofing issues that have been posted. For reference please see the below:
>
> http://freehost07.websamba.com/greyhats/dlwinspoof-menu.htm
>
> We've worked to address this update in XPSP2 by default in the Internet Zone, and the option exists to enable this mitigation for other zones via the registry or group policy. Please let me know if your issue is a separate vulnerability from the one listed above.

MS response #2

> Donnie,
>
> Thank you for the explanation. I've been doing more research, and it seems that while the proof-of-concept you've provided is different than the one from Greyhats I sent earlier, it still seems that this is a known issue originally discovered by Georgi Guninski and Andrew Clover. I've found a US-CERT Alert on the malicious use of chromeless windows to spoof UI linked below and a CVE entry. I think this is the same issue; if it's not please let me know the difference and I apologize for the confusion.
>
> We are tracking this issue and working to resolve it. So far the first public fix for this is in XPSP2. You may also look at the Windows Server 2003 SP1 Release Candidate as that should include the mitigations for this issue as well.
>
> http://www.kb.cert.org/vuls/id/490708
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1410

soo...
> So have I. Not to diminish the importance of the attack, but this assumes the default placement of Address Bar if I'm not mistaken, so if the user changes their toolbar layout the popup will give itself away, correct?
possibly yes... tested

1. win2k ie6 default bar position - YES
2. winXPsp1 ie6 non default bar position - locked - YES
3. winXPsp2 ie6 default bar position - NO

my example provided is different in effect than the MS provided PoC link, but they use the same type of coding

cheers,
Donnie Werner

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html