Browser Security Pack
Jul. 15, 2004, 08:30 AM
Post: #76
 
Code:
Name = "Invisible Object Tag [Kye-U]"
Match = "*(WIDTH|HEIGHT)\=$AV(0)*"
Replace = "\0\1"
"$ALERT(Invisible Object Tag Detected and Removed on:\n\n\u)"
What problem does this cause? I cannot find any reference to it.

If variable \1 is not matched to anything, what use is it in a replacement? Why is the backslash in front of the equal sign?
Jul. 15, 2004, 09:44 AM
Post: #77
 
Code:
Name = "IE: Favorites Read Exploit [Kye-U]"
Match = "*clsid:55136805-B2DE-11D1-B9F2-00A0C98BC547*"
I couldn't find the reference for this exploit either. That CLSID is the Shell Name Space, which I gather gives an Explorer tree view of a folder or directory. Could this not be used to read directories other than Favorites?
Those three links to Secunia, Wilders, and GreyMagic don't have all the exploits in the new set of filters listed. Where are the rest described?
Jul. 15, 2004, 11:17 AM
Post: #78
 
Code:
Name = "Mozilla: Arbitrary Script Execution Exploit [Kye-U]"
Match = "*\(*.classes\)*"
What does .classes do? Where is the description of this exploit? I am finding search engines almost useless for finding this type of information.
Jul. 15, 2004, 11:33 AM
Post: #79
 
Boy, S'cat... Aren't you quite the skeptic...
Jul. 15, 2004, 07:17 PM
Post: #80
 
Updated on July 15 - 3:11 PM EST

http://prxbx.com/forums/index.ph...topic=131&st=0#

And Siamesecat, in your first post, the replacement "\0\1" was a mistake on my side.

Second post, I renamed the filter.

Third post, I suspect it can execute a malicious script that executes when the link, or certain script including "*.classes" is opened.

I got all of the new additions from http://www.wilderssecurity.com/showthread.php?t=11975

I do not know where Peakaboo got those exploits, but I will try to ask him.
Jul. 15, 2004, 09:43 PM
Post: #81
 
Quote: Boy, S'cat... Aren't you quite the skeptic...
I am not skeptical, but curious. I really want to understand what the exploits do and how the filters prevent it. It is frustrating when I can't locate the information.
Jul. 15, 2004, 10:18 PM
Post: #82
 
Last Updated: July 15, 2004 - 6:17 PM EST

http://prxbx.com/forums/index.ph...=10&t=131&st=0#

-Fixed False Matching Filter (IE: Active Scripting Exploit [Kye-U])
Jul. 15, 2004, 10:48 PM
Post: #83
 
Siamesecat:

Name = "Invisible Object Tag [Kye-U]"

http://www.finjan.com/mcrc/demos/activex.cfm

Name = "IE: Favorites Read Exploit [Kye-U]"

http://www.securityfocus.com/bid/9108/discussion/

Name = "Mozilla: Arbitrary Script Execution Exploit [Kye-U]"

http://www.securityfocus.com/bid/9329/discussion

------

Looks like another site to add to the list is http://www.securityfocus.com/
Jul. 15, 2004, 11:04 PM
Post: #84
 
Last Updated: July 15, 2004 - 7:02 PM EST

http://prxbx.com/forums/index.ph...=10&t=131&st=0#

-Added Filter (window.MoveBy [Kye-U])
http://www.securityfocus.com/bid/9108/discussion/
Jul. 15, 2004, 11:11 PM
Post: #85
 
Last Updated: July 15, 2004 - 7:09 PM EST

http://prxbx.com/forums/index.ph...=10&t=131&st=0#

-Modified Filter (Mozilla: Arbitrary Script Execution Exploit [Kye-U]) to filter a larger amount of data.
http://bugzilla.mozilla.org/attachment.cgi...712&action=view

BTW, expect a larger pack tonight, I'm going to work on the exploits for browsers here:
http://www.securityfocus.com/bid/title/
Jul. 15, 2004, 11:15 PM
Post: #86
 
Code:
Match = "*(WIDTH|HEIGHT)\=$AV(0)*"
Why escape the equal sign?
Jul. 16, 2004, 01:32 AM
Post: #87
 
Siamesecat Wrote:
Code:
Match = "*(WIDTH|HEIGHT)\=$AV(0)*"
Why escape the equal sign?
Thank you

I have updated it, and it will be in the next pack.
Jul. 16, 2004, 08:07 AM
Post: #88
 
Quote: Name = "IE: Favorites Read Exploit [Kye-U]"

http://www.securityfocus.com/bid/9108/discussion/
Sorry if I seem dense, but this seems to be about mouse click hijacking, and I don't see the connection with displaying a directory tree.

Quote: Name = "Invisible Object Tag [Kye-U]"

http://www.finjan.com/mcrc/demos/activex.cfm
This was called the ActiveX Control Demo on that page.
Is it the "WIDTH=0 HEIGHT=0" in the demo that causes the mischief, or is it the "CLSID:86CEEAFA-AE5C-11D4-A4C8-00A0C9E79206" ? What does that CLSID do?
The only references I can find simply call it the "ActiveX Demo Control". The demo does very little on my system and I didn't install that filter.
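Added example, not part of the original thread or the filter pack: a Python sketch of the check the "Invisible Object Tag" filter discussed above is aiming at, reporting OBJECT tags whose WIDTH or HEIGHT is zero together with their classid, so that values such as 100 do not produce false matches. It uses the standard-library HTML parser rather than Proxomitron's matcher, assumes only OBJECT tags are in scope, and the sample markup and CLSID values are constructed.

```python
from html.parser import HTMLParser

# Constructed sample markup; the CLSID values are placeholders, not real controls.
SAMPLE = """
<object classid="clsid:00000000-0000-0000-0000-000000000000" width=0 height="0"></object>
<object classid="clsid:11111111-1111-1111-1111-111111111111" WIDTH="100" HEIGHT="50"></object>
<img src="spacer.gif" width="0" height="0">
<object data="movie.swf" width="0px" height="20"></object>
"""


def is_zero(value):
    """True for "0", "00", "0px", "0%"; False for "10", "100%", "" or None."""
    if value is None:
        return False
    v = value.strip().lower()
    for suffix in ("px", "%"):
        if v.endswith(suffix):
            v = v[: -len(suffix)].strip()
    return v != "" and v.strip("0") == ""


class ZeroSizeObjectFinder(HTMLParser):
    """Collects <object> tags that have a zero WIDTH or HEIGHT attribute."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # The parser lowercases tag and attribute names and strips quotes.
        if tag != "object":          # assumption: only OBJECT tags are in scope
            return
        a = dict(attrs)
        zero = sorted(k for k in ("width", "height") if is_zero(a.get(k)))
        if zero:
            self.findings.append({"classid": a.get("classid"), "zero_attrs": zero})


def find_invisible_objects(html):
    parser = ZeroSizeObjectFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for f in find_invisible_objects(SAMPLE):
        print(f)
```

Reporting the classid next to the zero-size attributes keeps both pieces of evidence in one finding, since the size and the control identity are separate signals.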
Jul. 16, 2004, 08:23 AM
Post: #89
 
Siamesecat, a new pack is going to come out tomorrow.

I've added another filter that takes care of the Mouse Click Hijacking.

I don't know about you, but I don't like things I can't see but I know they are there. Just like itches that seem to move to another spot immediately when you attempt to scratch it away.

Whelp, it's 4:21 AM here. Enough work on the pack, time for my sleep. Tomorrow I have physio for my elbow...

Siamesecat, thanks for your questions. While some people think it's annoying, I find that they help me by finding typos/proper matches/etc. They help perfect the pack!

I'm preparing a very ordered and detailed ChangeLog...just for you :P
Jul. 16, 2004, 09:55 PM
Post: #90
 
I'm now in the process of self-evaluating my pack, meaning I surf around on the Internet, and look for any false matches.

I should be done testing it in around 1 hour from the time this post was posted