Browser Security Pack
Jul. 30, 2004, 08:37 PM
Post: #181
 
Version 4.16

Last Updated: July 30, 2004 - 4:36 PM EST

http://prxbx.com/forums/index.ph...topic=131&st=0#

Download: http://prxbx.com/forums/index.ph...pe=post&id=1115

-Added (Mozilla Force XPI Install Remover [Kye-U])
http://forums.mozillazine.org/viewtopic.php?t=64341

-Added (Mozilla: XUL Remover [Kye-U])
http://secunia.com/advisories/12188/

-Modified (Kill Nosy JavaScripts [Scott L.] {Modified by Siamesecat})
--Fixed false positive
Aug. 18, 2004, 06:02 PM
Post: #182
 
Version 4.17

Last Updated: August 18, 2004 - 2:00 PM EST

http://prxbx.com/forums/index.ph...topic=131&st=0#

Download: http://prxbx.com/forums/index.ph...pe=post&id=1115

What's New?

-Modified (IE: Search/Media-Pane Injection Exploit [Kye-U])
--Fixed False Positive
Aug. 23, 2004, 10:19 AM
Post: #183
 
Downloaded and merged OK.
Opera v7.54
Aug. 24, 2004, 10:35 PM
Post: #184
 
Redskin_one, Glad to hear that! Cheers

Version 4.18

Last Updated: August 24, 2004 - 6:32 PM EST

http://prxbx.com/forums/index.ph...topic=131&st=0#

Download: http://prxbx.com/forums/index.ph...pe=post&id=1115

What's New?

-Modified (IE: "Shell" Cross Zone Exploit [Kye-U])
--Made it also filter "res"
--Renamed to (IE: "Shell"/"Res" Cross Zone Exploit [Kye-U])

Updated with this exploit in mind:
http://securityfocus.com/bid/10943/discussion/
Aug. 26, 2004, 09:26 PM
Post: #185
 
Version 4.19

Last Updated: August 26, 2004 - 5:26 PM EST

http://prxbx.com/forums/index.ph...topic=131&st=0#

Download: http://prxbx.com/forums/index.ph...pe=post&id=1115

What's New?

-Added (location.href Replacer [Kye-U])
--Replaces "location.href" with "Location.Href"
--"Location.Href" serves same function, but is less prone to being
malicious

-Modified (IE: Active Scripting Exploit [Kye-U])
--Fixed False Positive

-Modified (IE: "Shell" Cross Zone Exploit [Kye-U])
--Fixed False Positive(s)

-Removed (IE: Search/Media-Pane Injection Exploit [Kye-U])
--Too many False Positive(s)
Aug. 27, 2004, 07:15 AM
Post: #186
 
Foraccess2001_From_Prox-List@YahooGroups Wrote:
Kye-U, the filter I saw the code in was one of yours:

Prevent file access [Siamesecat] {Modified by Kye-U}

It's there twice. Also the two instances of: (c|d|e|f)
should be changed to [a-z] since there's nothing limiting people to
only having those four drive letters. I currently have 3 drive
letters between G & Z!

As we know, that would cause many false positives.

Maybe we can find a way to modify the filter so that it will only match when it's like "...href="C:\"" and not like "...href="ed2k://..."".

Siamesecat, can you give some ideas?
Aug. 27, 2004, 10:45 AM
Post: #187
 
This is from Browser Security Pack version 4.18:
Code:
Name = "Iframe File Exploit [Kye-U]"
Match = "*src\=$AV(*.(CMD|CPL|CRT|DLL|HTA|INF|INS|ISP|JS|JSE|LNK|MSC|MSI|OCX|PIF|REG|SCR|SCT|SHB|SHS|SYS|VBE|VBS|WSC|WSF|WSH))*"
Why is the equal sign escaped?

Code:
Name = "IE: Search/Media-Pane Injection Exploit [Kye-U]"
Match = "(\"|\'|\(|\=)(^a-z0-9+)_(search|media)(\"|\'|\)|)"
I don't quite understand the match. There is no need to escape quotation marks. Do you mean that there may be ", ', (, or = followed by something that is not a letter, number, or plus sign followed by underline, etc.? In that case, the expression (^a-z0-9+) should be [^a-z0-9+].

Code:
Name = "IE: showHelp() Exploit [Kye-U] {Modified by Siamesecat}"
Match = "(showHelp \(|chm::|""
""880a6-d8ff-11cf-9377-00aa003b7a11)"
Too many quotation marks in the match!

Code:
Name = "Mozilla Force XPI Install Remover [Kye-U]"
URL = "($TYPE(htm)|$TYPE(js)|$TYPE(vb))"
The third $TYPE should be $TYPE(vbs), which is not necessary anyway since Mozilla does not use VB Script.
Aug. 27, 2004, 04:20 PM
Post: #188
 
Siamesecat;
Quote:
Code:
Name = "Mozilla Force XPI Install Remover [Kye-U]"
URL = "($TYPE(htm)|$TYPE(js)|$TYPE(vb))"


The third $TYPE should be $TYPE(vbs), which is not necessary anyway since Mozilla does not use VB Script.
I think I'd leave that one in. In fact, I'd include both possibilities, like this: $type(vb(|s)) The reason? Sure, Mozilla may ignore vb or vbs, but what if some bright young "bastid" decides to make a multiple extension file? Better to trap all the possibilities, even if some of them might be redundant, no? <_<


Oddysey

Has this fred really gone for 187 postings before I finally had something valid to contribute?? :o [lol]

I'm no longer in the rat race - the rats won't have me!
Aug. 27, 2004, 06:16 PM
Post: #189
 
Quote:As we know, that would cause many false positives.
(Reference to (c|d|e|f))

Quote:Maybe we can find a way to modify the filter so that it will only match when it's like "...href="C:\"" and not like "...href="ed2k://..."".

Siamesecat, can you give some ideas?
I would suggest that people edit the drive letter possibilities to suit their own needs. To safeguard whatever drives you wish, that would be best. Does Prox even handle the protocol "ed2k://"? If not, why worry about it?
Aug. 27, 2004, 06:24 PM
Post: #190
 
Oddysey,
Quote: I'd include both possibilities, like this: $type(vb(|s)) The reason? Sure, Mozilla may ignore vb or vbs
What is the difference between vb and vbs? I don't see $TYPE(vb) mentioned in the help file for Prox. Are there some hidden $TYPEs that were not listed?
Aug. 27, 2004, 07:14 PM
Post: #191
 
I had another thought about the ed2k:// problem. If it is likely to be a major problem, you could modify the filter like this:
Code:
Name = "Prevent file access [Siamesecat] {Modified by Kye-U}"
Match = "*((GetObject|open)\w|)[^2]([c-z]:([\\]+{1,*})(*|)|"
"(file://(/|)|(res|shell):|)[^2][c-z](:|\|)([/]+{1,*})(*|)|"
"document.open|uploadFile=)*"
Aug. 27, 2004, 08:07 PM
Post: #192
 
Version 4.20

Last Updated: August 27, 2004 - 4:06 PM EST

http://prxbx.com/forums/index.ph...topic=131&st=0#

Download: http://prxbx.com/forums/index.ph...pe=post&id=1115

What's New?

-Modified (Prevent file access [Siamesecat] {Modified by Kye-U})
--Fixed False Positive and made match more generic (matching drives A-Z)

-Modified (IE: showHelp() Exploit [Kye-U] {Modified by Siamesecat})
--Made match clearer

-Modified (Mozilla Force XPI Install Remover [Kye-U])
--Changed $TYPE(vb) to (^$TYPE(css))



Siamesecat, I've modified Prevent file access [Siamesecat] {Modified by Kye-U}:

Quote:
[Patterns]
Name = "Prevent file access [Siamesecat] {Modified by Kye-U}"
Active = TRUE
Bounds = "<(a|img|input|(no|)script|applet|object|area)\s*>"
Limit = 1000
Match = "*((GetObject|open)\w|)[^a-z0-9]([a-z]:([\\]+{1,*})(*|)|"
"(file://(/|)|(res|shell):|)[^a-z0-9][a-z](:|\|)([/]+{1,*})(*|)|"
"document.open|uploadFile=)*"
Replace = "File Access Removed!"
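The ed2k:// false positive discussed in the posts above, as an added example that is not part of the original thread: a naive drive-letter clause beside one anchored in the spirit of the [^a-z0-9] fix, written as Python regexes that mirror the Proxomitron filter's intent only (Proxomitron's matching language is not Python regex), run over constructed sample attributes.

```python
import re

# Hypothetical Python translations of the drive-letter clause of the
# "Prevent file access" filter; not Proxomitron syntax, intent only.

# Naive clause: any letter, a colon, then one or more slashes/backslashes.
# The "k:" inside "ed2k://" (and the "p:" inside "http://") satisfies it,
# which is the false positive the thread describes.
NAIVE = re.compile(r'[a-z]:[\\/]+', re.IGNORECASE)

# Anchored clause: the character before the drive letter must not be
# alphanumeric, so the tail of a URL scheme can no longer supply the letter.
ANCHORED = re.compile(r'(?<![a-z0-9])[a-z]:[\\/]+', re.IGNORECASE)

# Constructed sample attributes, mapped to whether a file-access filter
# should flag them.
SAMPLES = {
    'href="C:\\Windows\\system32\\calc.exe"': True,
    'href="file:///c:/temp/run.hta"': True,
    'href="ed2k://|file|something.avi|12345|/"': False,
    'src="http://example.invalid/x.js"': False,
}


def flags(pattern, attr):
    """True when the clause would fire on this attribute value."""
    return pattern.search(attr) is not None


def false_positives(pattern):
    """Sample attributes the clause flags although it should not."""
    return [a for a, want in SAMPLES.items() if not want and flags(pattern, a)]


def missed(pattern):
    """Sample attributes the clause should flag but does not."""
    return [a for a, want in SAMPLES.items() if want and not flags(pattern, a)]


if __name__ == "__main__":
    for name, pat in (("naive", NAIVE), ("anchored", ANCHORED)):
        print(name, "false positives:", false_positives(pat),
              "missed:", missed(pat))
```

The anchored form still catches "C:\..." and "file:///c:/..." while leaving ed2k:// and http:// URLs alone; an unwanted drive letter range is then just a matter of narrowing [a-z], as Siamesecat suggests.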
Aug. 28, 2004, 04:30 AM
Post: #193
 
Siamesecat;
Quote:What is the difference between vb and vbs?
About the same difference as there is between htm and html - nada. It's just to cover all the known bases, that's all.

Quote:I don't see $TYPE(vb) mentioned in the help file for Prox. Are there some hidden $TYPEs that were not listed?
Not that I know of. However, that is the beauty of Proxo, it's almost infinitely extendable. Just about anything new on the scene can be taken care of, with properly written filters.


Oddysey

I'm no longer in the rat race - the rats won't have me!
Aug. 28, 2004, 11:13 AM
Post: #194
 
"$TYPE(vb)" doesn't do anything, really.
That command just has arguments (five - hardcoded) akin to file extensions because Scott arbitrarily chose them that way.
For this reason "$type(vb(|s))" does the same as "$FILTER(banana)".
Also, Proxomitron commands need to be written upper case.
You'll find out about this - and much more - when reading the friendly manual.

sidki
Sep. 01, 2004, 06:34 AM
Post: #195
 
sidki;
Quote:"$TYPE(vb)" doesn't do anything, really.
That command just has arguments (five - hardcoded) akin to file extensions because Scott arbitrarily chose them that way.
For this reason "$type(vb(|s))" does the same as "$FILTER(banana)".
.....
You'll find out about this - and much more - when reading the friendly manual.
I clicked that link, and found nothing that isn't already in the Help file included with Proxo. Soooooo...... correct me if I'm wrong here, but I think that what I'm seeing directly contradicts what you're saying. It sure looks to me like the fourth 'type' down on the list is none other than 'vbs'. In addition, we can also use 'oth' for other types, presumably for future use.

Knowing that you're not located in the USA, I'll explain for you a short phrase that is somewhat popular here in the States. An old radio announcer named Paul Harvey used to keep listeners in suspense by saying, "And now.... for the rest of the story". It was his way of making sure people would continue to listen, instead of changing channels. Many Americans use this phrase, or some variation thereof, in everyday conversation. Now you'll understand when I ask you, "Sidki, can you please give us 'the rest of the story'"?

Thanks.


Oddysey

I'm no longer in the rat race - the rats won't have me!