
Re: [Full-Disclosure] Is there a 0day vuln in this phisher's site?

Subject: Re: [Full-Disclosure] Is there a 0day vuln in this phisher's site?
Date: Sun, 30 Jan 2005 09:41:00 -0800
if you mean http://www.exploitlabs.com/urlbar.html ...
then I sent MS an advisory of this... they are working on a patch.
funny... I just noticed my first PoC of this is dated 08/27/04

( http://www.kb.cert.org/vuls/id/490708 ) is dated 2001 !!!


MS response #1
Thank you for sending this report.  We're currently investigating this
issue, however it looks to be a duplicate of other UI spoofing issues
that have been posted.  For reference please see the below:

http://freehost07.websamba.com/greyhats/dlwinspoof-menu.htm

We've worked to address this update in XPSP2 by default in the Internet
Zone, and the option exists to enable this mitigation for other zones
via the registry or group policy.  Please let me know if your issue is a
separate vulnerability from the one listed above.

MS response #2
Donnie,

Thank you for the explanation.  I've been doing more research, and it seems
that while the proof-of-concept you've provided is different from the one
from Greyhats I sent earlier, it still seems that this is a known issue
originally discovered by Georgi Guninski and Andrew Clover.  I've found a
US-CERT Alert on the malicious use of chromeless windows to spoof UI linked
below and a CVE entry.  I think this is the same issue; if it's not, please
let me know the difference and I apologize for the confusion.

We are tracking this issue and working to resolve it.  So far the first
public fix for this is in XPSP2.  You may also look at the Windows Server
2003 SP1 Release Candidate as that should include the mitigations for this
issue as well.

http://www.kb.cert.org/vuls/id/490708
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1410


soo...


So have I. Not to diminish the importance of the attack, but this
assumes the default placement of Address Bar if I'm not mistaken, so if
the user changes their toolbar layout the popup will give itself away,
correct?

possibly yes... tested:
1. win2k ie6 default bar position - YES
2. winXPsp1 ie6 non-default bar position - locked - YES
3. winXPsp2 ie6 default bar position - NO

my example provided is different in effect than the MS provided
PoC link, but they use the same type of coding


cheers,

Donnie Werner

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html