<<< Date Index >>>     <<< Thread Index >>>

Re: [Full-Disclosure] RE: BAD NEWS: Microsoft Security Bulletin MS03-032



ADBecker@xxxxxxxxxxxxxx replied to GreyMagic to "http-equiv":

> > >The patch for Drew's object data=funky.hta doesn't work:
> > This is the exact same issue as http://greymagic.com/adv/gm001-ie/,
> > which explains the problem in detail. Microsoft again patches the object
> > element in HTML, but it doesn't patch the dynamic version of that same
> > element.
> > 
> > >1. Disable Active Scripting
> > 
> > This actually means that no scripting is needed at all in order to
> > exploit this amazingly critical vulnerability:
> > 
> > <span datasrc="#oExec" datafld="exploit" dataformatas="html"></span>
> > <xml id="oExec">
> >     <security>
> >         <exploit>
> >             <![CDATA[
> >             <object data=x.asp></object>
> >             ]]>
> >         </exploit>
> >     </security>
> > </xml>
> > 
> > Ouch.
> 
> Updated antivirus software should catch this exploit and prevent any
> application from being launched.  ...

Really?

I was not aware that most (or any) typically deployed AV s/w  
interdicts itself between the web browser and browsed sites.  To 
reliably detect Object Data Tag exploits that would be necessary, as 
exploiting this vulnerability depends on "properly formed" HTML 
requesting a remote resource that is then provided with an "unexpected" 
type (as indicated in the HTTP protocol reply headers).  It is this 
mismatch of the types that is the problem as the initial (HTML) parser 
has already decided (based on the apparent filename of the resource) 
that the type is "safe" to execute but there is no secondary check that 
the type returned by the server actually matches the expected type.

If your scanner is detecting anything, the odds are extremely high that 
it will be the code of a specific exploit, rather than generic exploit 
code as there really is no such thing in this case.

> ...  We have McAfee VirusScan 7 Ent. which
> caught both exploit examples at http://greymagic.com/adv/gm001-ie/

Hmmmmmm -- if what you meant was simply that your scanner detects both 
of the exploits linked from GreyMagic's page, I suspect that you have 
too much blind faith in your scanner.  When GreyMagic said "This is the 
exact same issue as ..." he did not mean that it is the same exploit.  
He did not even mean that the same exploit mechanism was at work.  That 
means scanners that detect his PoC exploits will not (with the same 
detection code) detect exploits of this new problem.  What he meant was 
that the exact same slothful and incomplete analysis of the problem by 
Microsoft as led to his exposure of flaws in a previous IE patch are at 
work in producing the exact same kind of flawed patch here.

...

Further, _if_ your virus scanner detects the PoC exploits http-equiv 
has posted, don't sit back content in the "knowledge" that your scanner 
will save you from the next "in the wild" exploit of this vulnerability 
to fly past your Email scanners.  In such cases the odds are 
exceptionally high that your scanner is _not_ detecting an attempt to 
exploit the vulnerability but is simply detecting the "decode, drop and 
execute an EXE file from an HTML-embedded script" code from the script 
that runs as a result of the vulnerability already having been 
exploited.  Whilst it is true that many skiddies and some spammers are 
far too untalented to come up with new encoding/decoding schemes that 
will "slip past" most virus scanners (until their next updates add 
detection of each new, specific method), not all those who would use 
exploits of MS03-032 against you are that lame.  You would be much 
better off to, as Drew Copley posted earlier today to Bugtraq and some 
other lists, implement blocking of anything supplied as application/hta 
type at a firewall or web proxy, or locally on every Windows client by 
butchering the application/hta settings under:

   HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type 

Drew's message is archived at the following for those wishing to read 
it in its entirety:

   http://www.securityfocus.com/archive/1/336625


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854