New 0-Day Exploit - SANS Internet Storm Center

Thread: New 0-Day Exploit - SANS Internet Storm Center

  1. #1
    Senior Member genXer
    Join Date
    Jun 2005
    Posts
    252

    New 0-Day Exploit - SANS Internet Storm Center

    Hello all-

    My apologies if this is already posted, I did a search here and found nothing.

    The SANS Internet Storm Center, ISC, just released information on a new Internet Explorer 0-Day Exploit. Just nominal information right now:

    Link: http://isc.sans.org/

    Story so far:
    Handler's Diary November 21st 2005

    previous -

    * Internet Explorer 0-day exploit (NEW)
    Published: 2005-11-21,
    Last Updated: 2005-11-21 15:54:56 UTC by Johannes Ullrich (Version: 1)

    The UK group "Computer Terrorism" released a proof of concept exploit against patched versions of Internet Explorer. We verified that the code is working on a fully patched Windows XP system with default configuration.

    The bug uses a problem in the javascript 'Window()' function, if run from 'onload'. 'onload' is an argument to the HTML <body> tag, and is used to execute javascript as the page loads.

    Impact:
    Arbitrary executables may be executed without user interaction. The PoC demo as tested by us will launch the calculator (calc.exe).

    Mitigation:
    Turn off JavaScript, or use an alternative browser (Opera, Firefox). If you happen to use Firefox: this bug is not affecting Firefox. But others may. For Firefox, the extension 'NoScript' can be used to easily allow JavaScript for selected sites only.

    Open Questions:
    We are not sure if parameters can be passed to the executable. If so, the issue would be much more severe.

    Please monitor this diary for updates.
    edit

    http://isc.sans.org/diary.php?compare=1&storyid=874

    Updated version and exploit news - it's up to version 4, in terms of updates from the SANS ISC now.

    /edit
    "We're the middle children of history.... no purpose or place. We have no Great War, no Great Depression. Our great war is a spiritual war. Our great depression is our lives. We've all been raised by television to believe that one day we'll all be millionaires and movie gods and rock stars -- but we won't. And we're learning slowly that fact. And we're very, very pissed off." - Tyler (Brad Pitt) Fight Club.

  2. #2
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,914
    Hey Hey,

    Since we're all about full disclosure around here..

    Here's the PoC if anyone wants to check it out

    http://www.frsirt.com/exploits/20051...Window0day.php


    FrSIRT Advisory Info

    Technical Description

    A critical vulnerability has been identified in Microsoft Internet Explorer, which could be exploited by remote attackers to execute arbitrary commands. This flaw is due to a memory corruption error when processing malformed HTML pages containing specially crafted calls to JavaScript "window()" objects and "body onload" tags, which could be exploited by remote attackers to take complete control of an affected system by convincing a user to visit a malicious Web page.

    This vulnerability has been confirmed on Windows XP SP2 with Internet Explorer 6 (fully patched).

    Exploits

    http://www.frsirt.com/exploits/20051...Window0day.php

    Affected Products

    Microsoft Internet Explorer 6 SP1 on Microsoft Windows XP SP2
    Microsoft Internet Explorer 6 for Microsoft Windows XP SP1
    Microsoft Internet Explorer 5.01 SP4 on Microsoft Windows 2000 SP4
    Microsoft Internet Explorer 6 SP1 on Microsoft Windows 2000 SP4

    Solution

    The FrSIRT is not aware of any official supplied patch for this issue.

    Disable Active Scripting in Internet Explorer :

    1. Start Internet Explorer.
    2. On the Tools menu, click Internet Options.
    3. On the Security tab, click Custom Level.
    4. In the Settings box, click Disable under Active scripting.
    5. Click OK, and then click OK.

    References

    http://www.frsirt.com/english/advisories/2005/2509
    http://www.frsirt.com/english/reference/1111

    Credits

    Vulnerability originally reported by Benjamin Tobias Franz and exploited by Stuart Pearson

    ChangeLog

    2005-11-21 : Original Advisory
    Peace,
    HT
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  3. #3
    Senior Member
    Join Date
    Jun 2003
    Posts
    236
    new snort sig

    alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Microsoft Internet Explorer Window() Possible Code Execution"; flow:established,from_server; content:"window"; nocase; pcre:"/[=\:'"\s]window\s*\(\s*\)/i";
    reference:url,secunia.com/advisories/15546; reference:cve,2005-1790; classtype:attempted-user; sid:111199999; rev:1; )

    credit and thanks to Blake Hartstein @ Demarc Security for the fast signature on this!
    That which does not kill me makes me stronger -- Friedrich Nietzsche
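    As an added example (not from the thread or from the rule's author), here is the rule's content and pcre logic replayed in Python over a few constructed HTML bodies, so you can see which inputs the signature fires on and which it misses:

```python
import re

# Regex body of the pcre option in the Snort rule above, with its /i flag:
# "window" followed by empty parentheses, preceded by =, :, a quote or whitespace.
WINDOW_CALL_RE = re.compile(r"""[=:'"\s]window\s*\(\s*\)""", re.IGNORECASE)


def matches_rule(http_body: str) -> bool:
    """Mirror the rule's two stages: the cheap content match, then the pcre."""
    # content:"window"; nocase;  -- fast pre-filter before the regex runs
    if "window" not in http_body.lower():
        return False
    return WINDOW_CALL_RE.search(http_body) is not None


# Constructed sample response bodies (not captured traffic) to exercise the rule.
SAMPLES = {
    "onload_call":  '<body onload="window();">',            # fires: quote before window
    "spaced_call":  "<script>x = window ( ) ;</script>",      # fires: \s* allows spaces
    "upper_case":   "<script>a=WINDOW();</script>",           # fires: /i is case-insensitive
    "benign_open":  "<script>window.open('about:blank');</script>",  # no "()" directly after
    "benign_word":  "<p>Look out the window.</p>",            # plain prose
    "no_prefix":    "window()",                               # missed: rule requires a leading delimiter
}


def classify(samples: dict) -> dict:
    """Return {sample_name: fired?} for every constructed body."""
    return {name: matches_rule(body) for name, body in samples.items()}


if __name__ == "__main__":
    for name, fired in classify(SAMPLES).items():
        print(f"{name:12s} -> {'ALERT' if fired else 'no match'}")
```

The "no_prefix" case shows the rule's blind spot: the character class in front of "window" means a call that starts the response body, or follows a character outside that class, will not trigger the signature.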

  4. #4
    Senior Member genXer
    Join Date
    Jun 2005
    Posts
    252

    INFOCON Just Went Yellow!

    FYI - Follow the links from my previous post if you wish. Here's the updated story from SANS ISC:

    Changed Infocon status to Yellow, re: Windows Internet Explorer vulnerability (NEW)
    Published: 2005-11-21,
    Last Updated: 2005-11-21 21:20:36 UTC by Mike Poor (Version: 1)

    Infocon has been raised to Yellow due to the exploit being publicly available, combined with the lack of a patch for this specific vulnerability. Disable Javascript in your Internet Explorer browsers, or switch to another browser. We have received reports that Safari suffers from a DOS condition, but I have not been able to replicate it with Safari running on 10.3 or 10.4 series OSX machines.

    Mike Poor
    Handler on Duty
    Intelguardians

  5. #5
    Senior Member genXer
    Join Date
    Jun 2005
    Posts
    252

    UPDATE: You may wish to check this out.

    Hello all-

    In getting back to the office today, I checked with ISC to see if there were any updates on this topic. There is, and there is also a little check at the top of the page to see if you are vulnerable - its wording:

    Over the last hour, 43 % of the visitors to this site were vulnerable to the Internet Explorer 0-day exploit. (result based on browser version and javascript enabled)
    You are considered [results from your PC/server posted here]
    Also, there are some theories about Microsoft getting patches out for this exploit. Other news they post include Firefox 1.5 released, Java SDK & JRE Updates, and for the hippies and artsies, Apple has a security update.

    In case you can't or won't scroll up, here's the link again: http://isc.sans.org/
