Browser Security Pack
Jul. 05, 2004, 02:07 AM
Post: #31
 
In the security filter set, many of the filter names are no help in understanding what the filters are doing. I am really struggling to understand some of this stuff:

"Defuse IE6 Crash - Absolute CSS Bug"
Match = "(<span\s*)\0</div>&(^*</span>)"
Replace = "\0</span></div>"

Presumably there is a <div tag included within the wildcard following the <span tag, otherwise the author has made another error in coding (in addition to omitting the </span> tag). In that case, the replacement would create a structure like "<span * <div * </span></div>", which fouls up the nesting of the tags. Have I misunderstood the whole idea, or what?


"Force Frame Exploit [Kye-U]"
URL = "(^($TYPE(css)|$TYPE(txt)))"
Bounds = "$NEST(<iframe,>)"
Match = "*(.(EXE|CMD|CPL|CRT|DLL|HTA|INF|INS|ISP|JS|JSE|LNK|MSC|MSI|OCX|PIF|REG|SCR|SCT|SHB|SHS|SYS|VBE|WSC|WSF|WSH))*"

What is being forced is execution of something within an iframe, not the frame itself, so why the name?
When was $TYPE(txt) introduced? According to the help file from Naoko 4.5, the types allowed are:
htm - Web pages
css - Cascading style sheets
js - JavaScript
vbs - VB Script
oth - Anything else


Name = "IE: Active Scripting Exploit [Kye-U]"
Match = "*oWin.document.*"

What is being attempted? What does the "o" in front of "Win.document" do?


Name = "IE: Classic Folder View Exploit [Kye-U]"
Match = "ftp://*((%([a-z][0-9]|[0-9][a-z]))+{1,*}).*"

Why use [a-z] in the match when it is a hexadecimal number being sought? Hexadecimal uses a-f, not a-z.


Name = "IE: Cross-Domain Policy Exploit [Kye-U]"
Bounds = "$NEST(<script,</script>)"
Match = "*(A|C|D|E|file):/*"

The sample exploit given by Wilders would not be caught by this filter because it is within anchor tags, not script tags.
I wrote a filter to stop such things:
[Patterns]
Name = "Prevent file access by script or anchor"
Active = TRUE
Bounds = "<(a|(no|)script|applet|object)\s*>"
Limit = 510
Match = "*((GetObject|open)\w|)((a|c|d|e|f):\\(*|)|(file://(/|)|)(a|c|d|e|f)(No Expression\|)/(*|)|"
"document.open|uploadFile=)*"
Replace = "BAD SCRIPT!"


Name = "IE: Cookie Stealing Exploit [Kye-U]"

Scott's Nosy Javascript filter would stop this.


Name = "IE: JS Exception Exploit [Kye-U]"
Bounds = "$NEST(<script,</script>)"
Match = "*{????????-????-????-????-????????????}*"

This filter would stop more than one exploit. In fact, it should stop any script which uses a CLSID, right?


Name = "IE: Restricted Cookie Exploit [Kye-U]"
Match = "\0://\1/*/((%([a-z][0-9]|[0-9][a-z]))+{2,*})*\?*\=*"

What is a restricted cookie? I cannot find an explanation of this one. What is the match looking for, besides an ASCII code in hexadecimal format?


Name = "IE: Target Frame (Prevents Hijacking of Microsoft) [Kye-U]"

Does this mean that a frame from Microsoft is being injected into another page, or that a frame from somewhere else is injected into a Microsoft page?


Name = "IE: View-Source Exploit [Kye-U]"
Bounds = "$NEST(<img,>)"
Match = "*view-source:*"

Why does this have to be within img tags? The example accessed from Secunia has anchor tags, not image tags.


Name = "Mozilla: Javascript Exploit [Kye-U]"
Name = "Mozilla: 0-Width GIF Exploit [Kye-U]"

What do these exploits do, exactly?
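As an added example (not from the thread or from Kye-U's filter pack), the Python below translates the hex-escape sub-pattern questioned above, %([a-z][0-9]|[0-9][a-z]), into a regex and compares it with the %XX form a URL escape actually takes, reporting which escapes the filter catches, misses, or flags spuriously; it assumes Proxomitron matching is case-insensitive, and the sample URL is constructed.

```python
import re

# The filters' own sub-pattern: a letter followed by a digit, or a digit by a letter.
# Assumption: Proxomitron matches case-insensitively, hence re.IGNORECASE.
FILTER_ESCAPE = re.compile(r"%(?:[a-z][0-9]|[0-9][a-z])", re.IGNORECASE)

# What a URL escape really is: a percent sign and exactly two hexadecimal digits.
URL_ESCAPE = re.compile(r"%[0-9a-f]{2}", re.IGNORECASE)


def classify_escapes(text):
    """Split the %XX sequences in text into those the filter catches, real
    escapes it misses (two digits, or two letters such as %ff), and non-hex
    sequences it matches anyway (for example %g1)."""
    real = {m.group(0) for m in URL_ESCAPE.finditer(text)}
    flagged = {m.group(0) for m in FILTER_ESCAPE.finditer(text)}
    return {
        "caught": sorted(real & flagged),
        "missed": sorted(real - flagged),
        "spurious": sorted(flagged - real),
    }


def escape_run(text, min_run=2):
    """Corrected form of the ((%XX)+{n,*}) part of the Restricted Cookie match:
    the longest run of at least min_run consecutive real escapes, else None."""
    pattern = r"(?:%[0-9a-f]{2}){" + str(min_run) + ",}"
    runs = re.findall(pattern, text, re.IGNORECASE)
    return max(runs, key=len) if runs else None


# Constructed sample covering every digit/letter shape an escape can take.
SAMPLE_URL = "ftp://example.invalid/%41%2e%E2%ff%g1/"

if __name__ == "__main__":
    print(classify_escapes(SAMPLE_URL))
    print(escape_run(SAMPLE_URL))
```

The output shows the filter missing the all-digit and all-letter escapes that make up most of a real encoded path, so a pattern built on [0-9a-f] is both tighter and more complete.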
Jul. 05, 2004, 02:15 AM
Post: #32
 
Thank you for pointing those out.

I will look over all the filters again and try to fix as many as I can and put out a new one.
Jul. 05, 2004, 02:54 AM
Post: #33
 
Quote: Name = "IE: Restricted Cookie Exploit [Kye-U]"
Match = "\0://\1/*/((%([a-z][0-9]|[0-9][a-z]))+{2,*})*\?*\=*"

What is a restricted cookie? I cannot find an explanation of this one. What is the match looking for, besides an ASCII code in hexadecimal format?

http://secunia.com/advisories/9680/

Quote: Name = "IE: Target Frame (Prevents Hijacking of Microsoft) [Kye-U]"

Does this mean that a frame from Microsoft is being injected into another page, or that a frame from somewhere else is injected into a Microsoft page?

That stops a third-party page from injecting a page with possible malicious coding into any Microsoft frame.

Quote: Name = "IE: Active Scripting Exploit [Kye-U]"
Match = "*oWin.document.*"

What is being attempted? What does the "o" in front of "Win.document" do?

http://www.greymagic.com/security/advisories/gm012-ie/

I'm including brief INFO tags in some of the filters. I hope that helps.

Thanks for all the things that are incorrect/questionable. I'm taking them into serious consideration/rewriting some of the filters. Wink
Jul. 05, 2004, 08:15 AM
Post: #34
 
Thanks for the explanations. I am still not clear about the "o" in front of the name of an element in a script. Does that label it as a particular type of object, such as one with special privileges or security status?
Jul. 05, 2004, 10:53 AM
Post: #35
 
Kye-U wrote: ProxRocks, Jaded_Goth, please post your findings Eyes Closed Smile

Will do, Kye-U.

Have only just d/l'd the new, improved config. Hence, I have not merged it yet.

For purposes of enlightenment, and research:

I will first post screenshots of what I assume were false positives yesterday. No big deal, since I was running Mozilla, which in itself *may* have influenced matters.

I will then load the current config, return to the sites which threw the false positives, and see what happens as a result.

Gosh... that won't be interminably tedious and boring for you, will it?

First alert: on attempting to view a single posting at cexx.org (weird, since no other posting triggers an alert).

Jul. 05, 2004, 10:56 AM
Post: #36
 
Second alert, most probably triggered by malware references on the site webhelper4u.com.

See you later. Have a great day folks.

Jul. 05, 2004, 03:15 PM
Post: #37
 
O.K. so, I merged the new config.

I then returned to both locations that triggered the alerts yesterday. Firstly, I revisited the sites with Mozilla Firefox.

Identical alerts were triggered.

Then, full of courage and a measure of bravado (heh), I returned to cexx and webhelper4u.com running Internet Explorer!

Again, identical alerts. I have only uploaded the I.E. screenshot, just to prove I really did that!!

It is most likely I have misconfigured Proxomitron in some subtle way that I do not as yet have the experience to define.

Alternatively, since those sites actively fight to stem the exponential deluge of malware: bad code *may* have been uploaded to them? Over to the experts to check that out.

I'm thinking more along the lines of this being a case of Proxo being acutely sensitive, and perhaps the html links within the HijackThis! logs on cexx.org were enough to make him spring to my defence.

Ta-ta for now.

Jul. 06, 2004, 12:30 AM
Post: #38
 
Quote: Thanks for the explanations. I am still not clear about the "o" in front of the name of an element in a script. Does that label it as a particular type of object, such as one with special privileges or security status?

No problem Siamesecat Eyes Closed Smile

I believe so, but I'm not sure.

I haven't seen it in any script so far, and I assume that it's sort of like "view-source", since a variable refers to it.

Quote: I will first post screenshots of what I assume were false positives yesterday.

I will double-check (and fix the filters) if they're false matches Smile!

Thanks for those!
Jul. 06, 2004, 12:40 AM
Post: #39
 
The one on "Webhelper4u" is an actual Help Exploit link.

The one on "Cexx" is:

Quote: O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

where the link includes "C:\", which my filter detects.

I will try to make "Cross-Domain Policy Exploit Filter" more specific, as Shea reported more false matches Eyes Closed Smile
Jul. 06, 2004, 02:57 AM
Post: #40
 
Siamesecat;

According to my manual on Hungarian notation, the lower-case 'o' prefix does indeed stand for 'object'.

Hungarian notation is a programmer's convention or protocol, used to assign easily understood prefixes and suffixes to variable names so that code can be read and understood by other programmers. Sadly, not very many coders use it anymore. Too bad, it makes code so much easier to read.

And FWIW, all Microsoft code, no matter what language it's written in, is required to use this protocol. Bill said so. Hail


Oddysey

I'm no longer in the rat race - the rats won't have me!
Jul. 06, 2004, 05:22 AM
Post: #41
 
Oddysey wrote: Sadly, not very many coders use it anymore. Too bad, it makes code so much easier to read.
Thanks for clearing that up Eyes Closed Smile

So that means that wherever it is found today, it will be primarily for malicious usages.

BTW, my main computer's busy converting and burning a DVD, will upload the new pack tomorrow.
Jul. 06, 2004, 06:54 AM
Post: #42
 
I have been unable to find anything about a width=0 gif exploit for Mozilla. There was a problem with caching a lot of tiny images (if Moz was instructed to load thousands of them), but that was with GDI designation, not width=0.
Jul. 06, 2004, 07:19 AM
Post: #43
 
Kye-U;
Quote: So that means that wherever it is found today, it will be primarily for malicious usages.
Your comment could be taken two ways - either seriously, or in jest. Sometimes I'm not too sure about you, being Canadian and all. :o <_< Big Teeth [lol]

Since you didn't use any kind of smilie, let alone a funny one, I'll be serious for a moment (but only for a moment), and state unequivocally that no, the use of Hungarian notation does not mean that the coder is malicious by default. In point of fact, the coder who followed the proper naming protocol has been victimized by a script kiddie, that's all. Said script kiddie merely glommed onto a document explaining how a code module was made, then turned it into an exploit and dumped it out onto the 'Net.

What happened underneath the surface of all this is that the document of explanation "leaked" into the wrong hands - it should have never been exposed to the outside world. It then becomes obvious that if the exploit in question requires the use of "oWin.document", then that's what had to be typed, no two ways about it - the explanation said so. The exploited routine simply won't recognize any other wording. If it did, then likely the exploit would be much more serious, and would have been found sooner, don't you think?

And now, back to our regularly scheduled fun and games, already in progress! Smile! [smoke]


Oddysey

I'm no longer in the rat race - the rats won't have me!
Jul. 06, 2004, 08:25 AM
Post: #44
 
http://secunia.com/advisories/7077/

Quote: If a malformed zerowidth gif is created, it can cause a heap overflow, which may allow execution of arbitrary code.

Siamesecat, that is an odd exploit I must admit. I think that it is best that it is filtered. Just go to http://www.msn.com and look at the 0-width GIF on it. [rolleyes] (What is Microsoft trying to do?)

Oddysey, I must admit that users with good intentions with the oWin code are being cheated of that feature by cruel people (who are populating most of the Internet).

I think that Secunia, and older vulnerability sites should converse privately with the companies whose product(s) are under risk. This way, script kiddies, advertising companies, or just ordinary hackers/people who gain some sort of perverted pleasure of crashing/glitching the specific program won't be able to access knowledge on it, therefore minimizing the chances of stroke/annoyance/spyware/virus/crashes/heart attack/loss of hair/divorce/broken glass/shouting a profanity in frustration loudly while a child is in the room, etc. Many problems can be solved if the vulnerability information is transferred privately.

I agree with you fully, and my filter may be filtering out what a user with good intentions may have used for his/her website, but in these modern and desperate times, we need to sacrifice something.

You may take the filter out if you wish, I won't come over and chastise you with a broomstick Pervert

Updated File on July 5th, 2004 - 4:49 AM EST

Includes fix for new exploit: http://www.securiteam.com/windowsntfocus...1FDFM.html

BTW: 1 more member to make 100!!!
Jul. 06, 2004, 05:02 PM
Post: #45
 
I was the 1000 poster! Thank you very much!!! Big Teeth

How 'bout you sideburns, you want some of this milk?
This fading text is pretty cool, eh? I bet you wish you had some.