Addendum:

It has come to our attention that the file extension does not matter. So, the only way people should be blocking this is by blocking on this tag:

Content-Type: application/hta

Cheers.

> -----Original Message-----
> From: Drew Copley [mailto:dcopley@eeye.com]
> Sent: Wednesday, August 27, 2003 10:03 AM
> To: 'Fabio Pietrosanti (naif)'; 'BUGTRAQ'
> Subject: RE: EEYE: Internet Explorer Object Data Remote Execution Vulnerability
>
> If you wish, you can deny any traffic using:
>
> Content-Type: application/hta
>
> The fact is even IIS does not have that content type built in, and it does not need it. Further, the need for anyone to legitimately download an HTML Application would be extremely rare. (This is not saying HTML Applications are useless.)
>
> Object tags can have unsafe extensions in the data; for instance, base-64 encoded data is rather popular. (For whatever reason Frontpage automatically puts base-64 encoded data in some activex.)
>
> > -----Original Message-----
> > From: Fabio Pietrosanti (naif) [mailto:fabio@pietrosanti.it]
> > Sent: Monday, August 25, 2003 2:45 AM
> > To: BUGTRAQ
> > Subject: Re: EEYE: Internet Explorer Object Data Remote Execution Vulnerability
> >
> > On Fri, Aug 22, 2003 at 11:27:33AM +0300, Nerijus Krukauskas wrote:
> > > In case anyone needs a SNORT rule to catch attempts to exploit this vulnerability:
> > >
> > > #-----
> > > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Internet Explorer Object Data Remote Execution Vulnerability"; \
> > >   content:"F935DC22-1CF0-11D0-ADB9-00C04FD58A0B"; \
> > >   nocase; flow:from_server,established; \
> > >   reference:cve,CAN-2003-0532; \
> > >   classtype:web-application-activity; rev:1;)
> > > #-----
> >
> > This rule catches the response with the exploit's payload from the server, which may change depending on the exploit, so matching the CLSID of WSH does not detect the "vulnerability" being exploited but this specific exploit.
> >
> > Although there are many ways of exploiting this vuln without using the Windows Scripting Host, it's possible to use it in many ways like:
> >
> > - VBScript
> >
> >   CreateObject("WScript.Shell")
> >
> > - JavaScript
> >
> >   new ActiveXObject("WScript.shell");
> >
> > or like in the demonstration with the <object> tag.
> >
> > The only way to detect it is to look at the data sent by the client being exploited (which can probably be bypassed with fancy mhtml base64 encoded e-mail or with an e-mail with a link to a site available in https).
> >
> > For an effective signature we need a regexp that will catch everything that starts with <object, reaches the field data= and looks at the end of the string inside "", matching everything that's NOT an unsafe extension (.exe, .pif, .cab, etc, etc).
> >
> > In Perl it should be something like:
> >
> > /data="[^"]*\.(?!(?:exe|bat|pif|cab|scr|etc|etc|antani)")[^".]*"/i
> >
> > (tnx Md)
> >
> > Regards
> >
> > --
> >
> > Fabio Pietrosanti (naif)
> > E-mail: fabio@pietrosanti.it - naif@s0ftpj.org - naif@sikurezza.org
> > PGP Key available on my homepage: http://fabio.pietrosanti.it/
>
> --
> Security is a state of being, not a state of budget. rfp
> --
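As an added example (not code from the thread), a Python check implementing the addendum's advice of blocking on the response's Content-Type rather than the URL's extension, with an extractor for the <object data=...> targets Fabio's regexp was aimed at. The HTTP responses and the example.invalid URL are constructed samples, not real captures.

```python
import re

HTA_MEDIA_TYPE = "application/hta"  # the header the addendum says to block on


def split_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, headers, body).

    Header names are lower-cased; a repeated header keeps its last value.
    Decoding as latin-1 never fails, so odd bytes in headers cannot raise.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:  # tolerate bare-LF responses
        head, sep, body = raw.partition(b"\n\n")
    lines = head.decode("latin-1").splitlines()
    status = lines[0] if lines else ""
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    return status, headers, body


def media_type(content_type: str) -> str:
    """Bare media type, lower-cased, with parameters such as '; charset=' dropped."""
    return content_type.split(";", 1)[0].strip().lower()


def is_hta_response(raw: bytes) -> bool:
    """True when the response is served as an HTML Application, whatever the URL's extension."""
    _, headers, _ = split_response(raw)
    return media_type(headers.get("content-type", "")) == HTA_MEDIA_TYPE


def object_data_refs(html: str) -> list:
    """Return the data= targets of <object> tags, the attribute the exploit abused."""
    return re.findall(r'<object\b[^>]*\bdata\s*=\s*["\']([^"\']*)["\']', html, re.I)


# Constructed samples (not real captures): the HTA is served with a mixed-case
# type and parameters, which a naive exact-string match on the header would miss.
SAMPLE_HTA_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: Application/HTA; charset=iso-8859-1\r\n"
    b"\r\n"
    b"<html><body>hta body</body></html>"
)
SAMPLE_HTML_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b'<html><object data="http://example.invalid/notes.txt"></object></html>'
)
```

Run stand-alone, `is_hta_response(SAMPLE_HTA_RESPONSE)` is True and `is_hta_response(SAMPLE_HTML_RESPONSE)` is False, even though nothing in either URL says ".hta".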