frame   frame
SANS Logo SANS Homepage SANS Bookstore SANS Reading Room SANS Portal
  border   border  
ISC Logo   GREEN
CDI East 2006
To register for the SANS classes, use brochure code "ISC"
SC Magazine Award
   
border Handler on Duty: Chris Carboni space 16:18:01 UTC Oct 19 2006, 12:18:01 Oct 19 2006 border  
Handler's Diary: Heap overflow vulnerability in Opera 9.0, 9.01;Oracle Quarterly Critical Patch Update (Oct 2006)

Handler's Diary November 21st 2005


previous - next

Changed Infocon status to Yellow, re: Windows Internet Explorer vulnerability

Published: 2005-11-21,
Last Updated: 2005-11-21 23:18:29 UTC by Mike Poor (Version: 1)

Infocon has been raised to Yellow due to the exploit being publicly available, combined with the lack of a patch for this specific vulnerability.  Disable Javascript in your Internet Explorer browsers, or switch to another browser.  We have received reports that Safari suffers from a DOS condition, but I have not been able to replicate it with Safari running on 10.3 or 10.4 series OSX machines.

Mike Poor
Handler on Duty
Intelguardians

Snort Rule released on BleedingSnort for the Windows Javascript vulnerability

Published: 2005-11-21,
Last Updated: 2005-11-21 21:54:22 UTC by Mike Poor (Version: 1)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
(msg:"BLEEDING-EDGE CURRENT EVENTS Microsoft Internet
Explorer Window() Possible Code Execution"; flow:established,from_server;
content:"window"; nocase; pcre:"/[=:'"s]windows*(s*)/i";
reference:url,secunia.com/advisories/15546; \  reference:url,www.computerterrorism.com/research/ie/ct21-11-2005;
reference:cve,2005-1790; classtype:attempted-user; sid:2002682; rev:1; )


Download it directly from here:

http://www.bleedingsnort.com/cgi-bin/viewcvs.cgi/sigs/CURRENT_EVENTS/CURRENT_Internet_Explorer?view=markup


Please let us know about problems with this rule, and/or when you notice sites hosting/performing this exploit.

thanks!

Mike Poor
Handler on Duty
Intelguardians

* Internet Explorer 0-day exploit

Published: 2005-11-21,
Last Updated: 2005-11-21 20:15:54 UTC by Johannes Ullrich (Version: 4(click to highlight changes))

the UK group "Computer Terrorism" released a proof of concept exploit against patched versions of Internet Explorer. We verified that the code is working on a fully patched Windows XP system with default configuration.

The bug uses a problem in the javascript 'Window()' function, if run from 'onload'. 'onload' is an argument to the HTML <body> tag, and is used to execute javascript as the page loads.

The Javascript Window() vulnerability has been known for a few months now, but it has so far been treated as a denial of service (DoS) vulnerability. The author of this PoC figured out a way to use this older vulnerability to execute code.

Impact:
Arbitrary executables may be executed without user interaction. The PoC demo as tested by us will launch the calculator (calc.exe).

In addition ot the PoC 'Calculator' exploit, a reader (thanks Chris R!) submitted a version that opens a remote shell. The PoC exploit allows for easy copy/paste of various shell code snippets.

In itself, the vulnerability will not escalate privileges. We are trying to verify other exploits at this point.

Mitigation:
Turn off javascript, or use an alternative browser (Opera, Firefox). If you happen to use Firefox: This bug is not affecting firefox. But others may. For firefox, the extnion 'noscript' can be used to easily allow Javascript for selected sites only.



previous - next