Browser Security Pack
Sep. 08, 2005, 07:34 AM
Post: #331
 
I have some questions about this filter:
Code:
In = FALSE
Out = TRUE
Key = "URL-Killer: Kill Suspicious Extensions [Kye-U] (Out)"
URL = "(^$LST(KBSP))(^*=(^http://*.(^([a-z]+{2,4})(^/))))*.(hta|e(ml|xe)|hlp|jse|lnk|url|ba(s|t)|c(om|md)|vb(e|s|)|s(cr|hs)|p(if|cd)|ad(e|p)|c(hm|pl|rt)|i(ns|sp)|m(d(b|e)|s(c|i|p|t))|ws(f|h|c))(*)\1$TST(\1=(^/))"
Match = "*&($CONFIRM(SUSPICIOUS FILE EXTENSION FOUND\n\nAllow connection to the URL below?\n\n\u\n\1\3)|$SET(1=Connection to Suspicious Extension Killed$ALERT(Connection to Suspicious Extension Killed:\n\n\u)\k)$SET(3=))"
Replace = "\1\3"

To shorten the match line slightly, why not reword "Connection to Suspicious Extension"
to "URL with Suspicious Extension"?

Why have both a confirmation box and an alert box? If one answers no to the question,
one would expect the connection to be killed, so why bother with the alert message?
What are the values of \1 and \3 if the response is yes?

In the extension list, why block .pcd files? What is so dangerous about Kodak Photo CD
pictures? Why block .msp? From what I could find out, it is a kind of bitmap picture.
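As an added illustration, not code from this thread or from the Browser Security Pack, here is a Python model of what that filter's URL line tests: a URL is held for confirmation when one of the listed extensions appears with no further "/" after it (the `(*)\1$TST(\1=(^/))` part), unless the URL is on the exclusion list. The extension alternation is copied from the filter; the allow-list contents, the sample URLs, and the "tightened" variant (which tests only the percent-decoded last path segment and requires the extension to end there) are this example's own assumptions, not the pack's behaviour.

```python
"""Model of the URL test in "URL-Killer: Kill Suspicious Extensions".
Added example; not code from the Browser Security Pack or Proxomitron."""
import re
from urllib.parse import unquote, urlsplit

# Extension alternation copied from the filter's URL line, in Python
# regex syntax.  Proxomitron matches case-insensitively, hence IGNORECASE.
EXTENSIONS = (
    r"hta|e(?:ml|xe)|hlp|jse|lnk|url|ba(?:s|t)|c(?:om|md)|vb(?:e|s|)"
    r"|s(?:cr|hs)|p(?:if|cd)|ad(?:e|p)|c(?:hm|pl|rt)|i(?:ns|sp)"
    r"|m(?:d(?:b|e)|s(?:c|i|p|t))|ws(?:f|h|c)"
)

# The filter as we read it: ".ext" somewhere in the URL string, followed by
# a tail that contains no "/".  Nothing requires the extension to end at a
# delimiter, so "a.vbscript" is caught as ".vbs".
LOOSE = re.compile(r"\.(%s)([^/]*)$" % EXTENSIONS, re.IGNORECASE)

# Tightened variant (this example's suggestion, not the pack's behaviour):
# applied to the percent-decoded last path segment only, and the extension
# must end the segment or be followed by a ";" path parameter.
TIGHT = re.compile(r"\.(%s)(?=$|;)" % EXTENSIONS, re.IGNORECASE)

# Stand-in for the pack's $LST(KBSP) exclusion list: URL prefixes the user
# trusts.  Constructed for this example.
ALLOW_LIST = ("http://updates.example.org/",)


def allowed(url):
    """True when the URL is on the (hypothetical) exclusion list."""
    return any(url.lower().startswith(prefix) for prefix in ALLOW_LIST)


def suspicious_loose(url):
    """Extension matched by the string-level test, lower-cased, or None."""
    if allowed(url):
        return None
    m = LOOSE.search(url)
    return m.group(1).lower() if m else None


def suspicious_tight(url):
    """Extension of the decoded final path segment, lower-cased, or None."""
    if allowed(url):
        return None
    last_segment = unquote(urlsplit(url).path.rsplit("/", 1)[-1])
    m = TIGHT.search(last_segment)
    return m.group(1).lower() if m else None


if __name__ == "__main__":
    # Constructed sample URLs chosen to show where the two tests disagree.
    for u in ("http://www.example.com/setup.exe",
              "http://www.example.com/a.exe/index.html",
              "http://www.example.com/a.vbscript",
              "http://www.example.com/setup.exe.txt",
              "http://www.example.com/setup%2Eexe",
              "http://www.example.com/file.exe?next=/index.html",
              "http://updates.example.org/patch.exe"):
        print(f"{u:52} loose={suspicious_loose(u)!s:5} tight={suspicious_tight(u)}")
```

The two tests disagree exactly where a string-level pattern bites: `setup.exe.txt` (the loose test flags a harmless text file), `setup%2Eexe` (the loose test misses a percent-encoded dot that the server will decode) and `file.exe?next=/index.html` (a slash inside the query hides the extension from a "no slash after it" test). Which of these the real filter matches depends on exactly how Proxomitron evaluates `$TST(\1=(^/))`, which the thread does not settle; parsing the URL before testing removes the ambiguity.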
Sep. 08, 2005, 06:52 PM
Post: #332
 
I've used the file extensions list from:

http://www.lancs.ac.uk/iss/a-virus/banned.htm

I will release v4.44 with some minor fixes to the filter. (Remove the alert box, reword the message)
Sep. 09, 2005, 06:08 AM
Post: #333
 
Kye-U,
That is an interesting list. Apparently, some extension names have more than one meaning.

What about the values of \1 and \3 in the match? Why is \3 needed? What would its value be if the answer to the question about allowing the connection is yes?
Sep. 09, 2005, 06:58 PM
Post: #334
 
\3 is needed because you either accept or deny the connection. (Deny is \1, which kills the connection).

\3 is blank deliberately so that no action will be taken so that the connection can take place. (\3 represents the acceptance of a connection).

I hope this clears things up!
Sep. 09, 2005, 07:49 PM
Post: #335
 
Version 4.44 is Released!

Last Updated: September 9th, 2005 - 4:50 PM EST

What's New?

Quote:[-Version 4.44-]

-Added (Mozilla: "Host:" Buffer Overflow Exploit [Kye-U])
http://security-protocols.com/advisory/s...visory.txt
http://secunia.com/advisories/16764/

-Modified (URL-Killer: Kill Suspicious Extensions [Kye-U] (Out))
--Removed Alert Box (when connection killed), and reworded the message.

http://www.prxbx.com/forums/viewtopic.php?p=1115#1115

Download here!

MD5: F84B03EE3789EB53B518FB0E59B61B9F
Sep. 10, 2005, 05:24 AM
Post: #336
 
Quote:(Deny is \1, which kills the connection).

\3 is blank deliberately so that no action will be taken so that the connection can take place. (\3 represents the acception of a connection).
Have I misunderstood the logic then? I thought that "yes" skipped the "$SET" commands after the "|" and went directly to the Replace, whereas "no" went on to what comes after "|". In the case of a yes answer, either \1 or \3 must be the URL, but which one, and what is the value of the other one?
Sep. 10, 2005, 07:11 AM
Post: #337
 
Kye-U, if you keep this up, I'm going to wear out the T, h, a, n, k, and s keys on my keyboard.

You were fast with the 'Mozilla: "Host:" Buffer Overflow Exploit' ... w f ... my eybo d i ' wor i g I gue I'll h ve o y "merci" i e d!
Sep. 10, 2005, 10:46 PM
Post: #338
 
Siamesecat: You're right. I have removed the \3 variable and I will release v4.45 when there's a new exploit discovered.

The Header Match now looks like:

Code:
*&($CONFIRM(SUSPICIOUS FILE EXTENSION FOUND\n\nAllow connection to the URL below?\n\n\u\n\1)|$SET(1=URL with Suspicious Extension Killed\k))

nIsle: Thanks! I haven't been flooded with work for school yet, but as time progresses, it is inevitable that it will.
Sep. 11, 2005, 05:26 AM
Post: #339
 
Kye-U,

Don't forget the replacement. It does not need the extra variable either.
Sep. 14, 2005, 01:27 AM
Post: #340
 
Version 4.45 is Released!

Last Updated: September 13th, 2005 - 10:30 PM EST

What's New?

Quote:[-Version 4.45-]

-Added (IDN Spoof Exploit [non-troppo] {Kye-U})
--Old exploit; added to kill connection
http://www.shmoo.com/idn/homograph.txt

-Modified (URL-Killer: Kill Suspicious Extensions [Kye-U] (Out))
--Removed unnecessary variable

-Modified (! Enable Security Alerts (Out) [z12])
--Renamed to (! Enable KBSP Security Alerts (Out) [z12]) for clarity

-Removed (! : Redir: IDN Exploit - Show real URL I [sd] (In))
--Due to (IDN Spoof Exploit [non-troppo] {Kye-U})

-Removed (! : Redir: IDN Exploit - Show real URL II [sd] (Out))
--Due to (IDN Spoof Exploit [non-troppo] {Kye-U})

http://www.prxbx.com/forums/viewtopic.php?p=1115#1115

Download here!

MD5: B7045A1E30403CD60D42A30E0B64FF7D
Sep. 14, 2005, 01:38 AM
Post: #341
 
Added (IDN Spoof Exploit [non-troppo] {Kye-U}) because some links were not caught by my spoofed address filter, and Sidki's header filter just reveals the URL, but doesn't kill it.

Example:

http://my.opera.com/community/forums/top...ment827533

The last post on that page.
Sep. 14, 2005, 06:01 AM
Post: #342
 
Kye-U,
Why do you need to filter these spoofed character links?
I have been told that IE will not handle those characters anyway. Mozilla browsers display the domain names in such a manner to make it obvious that something is not what it appears to be. That leaves Opera. I do not know what it does with those addresses.
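As an added example, not code from this thread or from the pack, here is a Python check for the class of link the IDN Spoof Exploit filter is meant to kill. It decodes punycode (xn--) labels and flags the two things that make a homograph link dangerous: a label mixing scripts, and a label that collapses to plain ASCII once look-alike characters are mapped back. The sample hostname is the Shmoo Group's demonstration (paypal.com with a Cyrillic а, which an IDN-aware browser sends as xn--pypal-4ve.com); the confusables table is a small hand-picked subset, and deriving the script from the first word of the character's Unicode name is an approximation of the Unicode script property. Both are assumptions of this example.

```python
"""Homograph check for hostnames.  Added example; not code from the thread
or from the Browser Security Pack."""
import unicodedata
from urllib.parse import urlsplit

# Small subset of Cyrillic/Greek letters that render like ASCII letters.
# Hand-picked for this example; a real deployment needs the full Unicode
# confusables data.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
    "\u0458": "j", "\u0455": "s", "\u03bf": "o",
}


def decode_host(host):
    """Return the hostname with every xn-- (ACE) label decoded to Unicode."""
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)


def scripts_in(label):
    """Approximate script set: first word of each letter's Unicode name."""
    return {unicodedata.name(ch, "?").split(" ")[0]
            for ch in label if ch.isalpha()}


def skeleton(label):
    """Map look-alike characters to their ASCII twins."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def homograph_findings(url):
    """List of (decoded label, reason) for labels that look like spoofs.

    A label written entirely in one non-Latin script that does not collapse
    to ASCII is an ordinary IDN and produces no finding.
    """
    findings = []
    host = urlsplit(url).hostname or ""
    for label in decode_host(host).split("."):
        if label.isascii():
            continue
        reasons = []
        scripts = scripts_in(label)
        if len(scripts) > 1:
            reasons.append("mixed scripts " + "+".join(sorted(scripts)))
        skel = skeleton(label)
        if skel != label and skel.isascii():
            reasons.append("looks like " + skel)
        if reasons:
            findings.append((label, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    # Constructed samples: the Shmoo demo host, the genuine host, and a
    # single-script Cyrillic name that is an IDN but not a look-alike.
    cyrillic = "\u044f\u043d\u0434\u0435\u043a\u0441".encode("punycode").decode("ascii")
    for u in ("http://www.xn--pypal-4ve.com/",
              "http://www.paypal.com/",
              "http://xn--" + cyrillic + ".com/"):
        print(u, homograph_findings(u))
```

The pack's filter kills every IDN link outright, which is the conservative choice for a browser of that era but also blocks legitimate non-Latin domains; the single-script Cyrillic sample passes this check precisely to show that distinction. If the browser sends the Unicode hostname instead of the xn-- form, the labels arrive already decoded and the same tests apply.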
Sep. 14, 2005, 09:01 AM
Post: #343
Newbie question RE:JS Exception
Newbie question:
After installing Kye-U's Browser Security Pack v4.44 for the first time, Proxomitron detects the JS Exception, attributed to http://a.as-us.falkag.net/dat/dlv/aslmain.js, on http://online.tvguide.com/listings. I don't have MSJava installed, so should I care about this notification? Should I poke the webmaster about the issue? Should I open another bottle of this very pleasant Coppola Black Diamond Reserve, or just call it a night?

Please accept my preliminary gratitude for any assistance provided herein.
Sep. 14, 2005, 06:58 PM
Post: #344
 
Siamesecat, that filter is just to catch whatever links get past my Spoofed Address filter. It should've been a Header filter, but I wanted it to notify the user that an IDN Spoof has been killed.

IntellectArsenal, thank you for that. I have made the filter more specific (so that it only matches code=$AV(com.ms.activeX.ActiveXComponent))

I will release 4.46 later today.
Sep. 15, 2005, 12:36 AM
Post: #345
 
Version 4.46 is Released!

Last Updated: September 14th, 2005 - 9:40 PM EST

What's New?

Quote:[-Version 4.46-]

-Modified (IE: JS Exception Exploit [Kye-U])
--Fixed False Positive

http://www.prxbx.com/forums/viewtopic.php?p=1115#1115

Download here!

MD5: C16B09A2ED1180E8B3D454AED19F5560