-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

If you wish, you can deny any traffic using:

Content-Type: application/hta

The fact is even IIS does not have that content type built in, and it does not need it. Further, the need for anyone to legitimately download an HTML Application would be extremely rare. (This is not saying HTML Applications are useless.)

Object tags can have unsafe extensions in the data, for instance, base-64 encoded data is rather popular. (For whatever reason FrontPage automatically puts base-64 encoded data in some ActiveX.)

> -----Original Message-----
> From: Fabio Pietrosanti (naif) [mailto:fabio@pietrosanti.it]
> Sent: Monday, August 25, 2003 2:45 AM
> To: BUGTRAQ
> Subject: Re: EEYE: Internet Explorer Object Data Remote Execution Vulnerability
>
>
> On Fri, Aug 22, 2003 at 11:27:33AM +0300, Nerijus Krukauskas wrote:
> > In case anyone needs a SNORT rule to catch attempts to exploit this
> > vulnerability:
> >
> > #-----
> > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Internet
> > Explorer Object Data Remote Execution Vulnerability"; \
> > content:"F935DC22-1CF0-11D0-ADB9-00C04FD58A0B"; \
> > nocase; flow:from_server, established; \
> > reference:cve,CAN-2003-0532; \
> > classtype:web-application-activity; rev:1;)
> > #-----
>
> This rule catches the response with the exploit's payload from the server, which may change depending on the exploit, so matching the CLSID of WSH does not detect the "vulnerability" being exploited but these specific exploits.
>
> Although there are many ways of exploiting this vuln without using the Windows Scripting Host, it's possible to use it in many ways like:
>
> - VBScript
>
> CreateObject("WScript.Shell")
>
> - JavaScript
>
> new ActiveXObject("WScript.shell");
>
> or like in the demonstration with the <object> tag.
>
> The only way to detect it is to look at the data sent by the client being exploited (which can probably be bypassed with fancy mhtml base64 encoded e-mail or with an e-mail with a link to a site available in https).
>
> For an effective signature we need a regexp that will catch everything that starts with <object, reaches the field data= and looks at the end of the string inside "" matching everything that's NOT an unsafe extension (.exe, .pif, .cab, etc, etc).
>
> In perl it should be something like:
>
> /data="[^"]+\.(?!exe|bat|pif|cab|scr|etc|etc|antani)([^"])+?"/
> ( tnx Md )
>
> Regards
>
> --
>
> Fabio Pietrosanti ( naif )
> E-mail: fabio@pietrosanti.it - naif@s0ftpj.org - naif@sikurezza.org
> PGP Key available on my homepage: http://fabio.pietrosanti.it/

- --
Security is a state of being, not a state of budget. rfp
- --
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBP0zkYAkWkugjEnC3EQLRzQCfUA4X7X4q/kxhTTNpblyo17RHOwMAoMNy
t87vTJIMNFpKj6/ESNba3hd0
=RMqw
-----END PGP SIGNATURE-----
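As an added example, not code from this thread or from either poster, the following Python script implements the two defensive checks discussed above: the proxy-side denial of `Content-Type: application/hta`, and a scan of an HTTP response body for `<object>` tags whose `data=` target ends in an unsafe extension (the Perl sketch in the thread) or is an inline base64 `data:` URI (the base-64 case mentioned in the reply). Assumptions: the extension list is constructed from the ones the thread names plus `.hta`, the sample response is constructed for this example, and the attribute-order-independent pattern and the `data:` URI handling are this example's own design rather than anything the thread specifies.

```python
import re
from urllib.parse import urlsplit

# Extensions the thread names as unsafe targets for <object data="...">,
# plus .hta because the reply suggests denying Content-Type: application/hta.
# Constructed for this example; not an exhaustive or authoritative set.
UNSAFE_EXTENSIONS = frozenset({"exe", "bat", "pif", "cab", "scr", "hta"})

# Media types the reply proposes to deny outright at the proxy.
DENIED_CONTENT_TYPES = frozenset({"application/hta"})

# Match an <object ...> start tag carrying a data= attribute.  The attribute
# may sit anywhere inside the tag and may be double-quoted, single-quoted or
# unquoted; matching is case-insensitive because IE treats DATA= like data=.
OBJECT_DATA_RE = re.compile(
    r"<object\b[^>]*?\bdata\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s>]+))",
    re.IGNORECASE | re.DOTALL,
)


def extension_of(target: str) -> str:
    """Lower-cased file extension of the path part of an object target,
    ignoring query string and fragment; '' when the last path segment
    has no dot."""
    path = urlsplit(target).path
    name = path.rsplit("/", 1)[-1]
    if "." not in name:
        return ""
    return name.rsplit(".", 1)[-1].lower()


def find_suspicious_objects(html: str) -> list[dict]:
    """Return one finding per <object> whose data= target is either an
    inline data: URI or a file with an extension in UNSAFE_EXTENSIONS."""
    findings = []
    for m in OBJECT_DATA_RE.finditer(html):
        # Exactly one of the three capture groups matched.
        target = next(g for g in m.groups() if g is not None)
        if target.lower().startswith("data:"):
            findings.append({"target": target[:40], "reason": "inline data: URI"})
            continue
        ext = extension_of(target)
        if ext in UNSAFE_EXTENSIONS:
            findings.append({"target": target, "reason": f"unsafe extension .{ext}"})
    return findings


def content_type_denied(header_value: str) -> bool:
    """True when a Content-Type header's media type (parameters such as
    charset stripped, case folded) is on the deny list."""
    media_type = header_value.split(";", 1)[0].strip().lower()
    return media_type in DENIED_CONTENT_TYPES


# Constructed sample response body: three objects a defender would want
# flagged and one benign HTML target that must not produce a finding.
SAMPLE_RESPONSE = """
<html><body>
<object data="http://example.invalid/tools/update.EXE" type="text/html"></object>
<object type="text/html" data='launch.hta?v=2'></object>
<object data="data:text/html;base64,PGh0bWw+"></object>
<object data="/docs/manual.html"></object>
</body></html>
"""

if __name__ == "__main__":
    for finding in find_suspicious_objects(SAMPLE_RESPONSE):
        print(f"{finding['reason']:<24} {finding['target']}")
    print("deny application/hta:", content_type_denied("Application/HTA; charset=utf-8"))
```

Both checks inspect the server's response body or headers, so they share the limitation the thread itself points out: content that reaches the client by another route, such as an mhtml base64 e-mail or an HTTPS site the proxy cannot see into, never passes through them. Treat the scanner as a triage aid alongside patching rather than as a complete control.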