New 0-Day Exploit - SANS Internet Storm Center

Printable View

November 21st, 2005, 05:13 PM
genXer

New 0-Day Exploit - SANS Internet Storm Center

Hello all-

My apologies if this is already posted, I did a search here and found nothing.

The SANS Internet Storm Center, ISC, just released information on a new Internet Explorer 0-Day Exploit. Just nominal information right now:

Link: http://isc.sans.org/

Story so far:

Quote:

Handler's Diary November 21st 2005

previous -

* Internet Explorer 0-day exploit (NEW)
Published: 2005-11-21,
Last Updated: 2005-11-21 15:54:56 UTC by Johannes Ullrich (Version: 1)

the UK group "Computer Terrorism" released a proof of concept exploit against patched versions of Internet Explorer. We verified that the code is working on a fully patched Windows XP system with default configuration.

The bug uses a problem in the javascript 'Window()' function, if run from 'onload'. 'onload' is an argument to the HTML <body> tag, and is used to execute javascript as the page loads.

Impact:
Arbitrary executables may be executed without user interaction. The PoC demo as tested by us will launch the calculator (calc.exe).

Mitigation:
Turn off javascript, or use an alternative browser (Opera, Firefox). If you happen to use Firefox: This bug is not affecting firefox. But others may. For firefox, the extnion 'noscript' can be used to easily allow Javascript for selected sites only.

Open Questions:
We are not sure if paramters can be passed to the executable. If so, the issue would be much more severe.

Please monitor this diary for updates.

edit

http://isc.sans.org/diary.php?compare=1&storyid=874

Updated version and exploit news - it's up to version 4, in terms of updates from the SANS ISC now.

/edit
November 21st, 2005, 05:32 PM
HTRegz

Hey Hey,

Since we're all about full disclosure around here..

Here's the PoC if anyone wants to check it out

http://www.frsirt.com/exploits/20051...Window0day.php

FrSIRT Advisory Info

Quote:

Technical Description

A critical vulnerability has been identified in Microsoft Internet Explorer, which could be exploited by remote attackers to execute arbitrary commands. This flaw is due to a memory corruption error when processing malformed HTML pages containing specially crafted calls to JavaScript "window()" objects and "body onload" tags, which could be exploited remote attackers to take complete control of an affected system by convincing a user to visit a malicious Web page.

This vulnerability has been confirmed on Windows XP SP2 with Internet Explorer 6 (fully patched).

Exploits

http://www.frsirt.com/exploits/20051...Window0day.php

Affected Products

Microsoft Internet Explorer 6 SP1 on Microsoft Windows XP SP2
Microsoft Internet Explorer 6 for Microsoft Windows XP SP1
Microsoft Internet Explorer 5.01 SP4 on Microsoft Windows 2000 SP4
Microsoft Internet Explorer 6 SP1 on Microsoft Windows 2000 SP4

Solution

The FrSIRT is not aware of any official supplied patch for this issue.

Disable Active Scripting in Internet Explorer :

1. Start Internet Explorer.
2. On the Tools menu, click Internet Options.
3. On the Security tab, click Custom Level.
4. In the Settings box, click Disable under Active scripting.
5. Click OK, and then click OK.

References

http://www.frsirt.com/english/advisories/2005/2509
http://www.frsirt.com/english/reference/1111

Credits

Vulnerability originally reported by Benjamin Tobias Franz and exploited by Stuart Pearson

ChangeLog

2005-11-21 : Original Advisory

Peace,
HT
November 21st, 2005, 09:06 PM
S3cur|ty4ng31

new snort sig

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Microsoft Internet Explorer Window() Possible Code Execution"; flow:established,from_server; content:"window"; nocase; pcre:"/[=\:'"\s]window\s*$\s*$/i";
reference:url,secunia.com/advisories/15546; reference:cve,2005-1790; classtype:attempted-user; sid:111199999; rev:1; )

credit and thanks to Blake Hartstein @ Demarc Security for the fast signature on this!
November 21st, 2005, 10:31 PM
genXer

INFOCON Just Went Yellow!

FYI - Follow the links from my previous post if you wish. Here's the updated story from SANS ISC:

Quote:

Changed Infocon status to Yellow, re: Windows Internet Explorer vulnerability (NEW)
Published: 2005-11-21,
Last Updated: 2005-11-21 21:20:36 UTC by Mike Poor (Version: 1)

Infocon has been raised to Yellow due to the exploit being publicly available, combined with the lack of a patch for this specific vulnerability. Disable Javascript in your Internet Explorer browsers, or switch to another browser. We have received reports that Safari suffers from a DOS condition, but I have not been able to replicate it with Safari running on 10.3 or 10.4 series OSX machines.

Mike Poor
Handler on Duty
Intelguardians
November 30th, 2005, 10:45 PM
genXer

UPDATE: You may wish to check this out.

Hello all-

In getting back to the office today, I checked with ISC to see if there were any updates on this topic. There is, and there is also a little check at the top of the page to see if you are vulnerable - it's wording:

Quote:

Over the last hour, 43 % of the visitors to this site were vulnerable to the Internet Explorer 0-day exploit. (result based on browser version and javascript enabled)
You are considered [results from your PC/server posted here]

Also, there are some theories about Microsoft getting patches out for this exploit. Other news they post include Firefox 1.5 released, Java SDK & JRE Updates, and for the hippies and artsies, Apple has a security update.

In case you can't or won't scroll up, here's the link again: http://isc.sans.org/