RE: Registry Fix For Variant of Scob
No reason to set the kill bit?
Take a look at
http://seclists.org/lists/fulldisclosure/2004/Jun/0318.html
And I am quoting you now
"You should be able to use this to compromise Windows XP SP2 through
Internet Explorer despite the My Computer zone hardening since the
Trusted Sites Zone has all of the privileges you need to plant and
execute a file."
(I have no idea if this is correct btw, sp2 hasn't touched my system yet)
So what's it going to be Thor
Do you want to retract the aforementioned statement
Or this post
You can't have it both ways you know
--jelmer
-----Original Message-----
From: Thor Larholm [mailto:thor@xxxxxxxx]
Sent: zondag 4 juli 2004 0:48
To: Drew Copley; Windows NTBugtraq Mailing List; bugtraq@xxxxxxxxxxxxxxxxx
Subject: RE: Registry Fix For Variant of Scob
Setting the kill bit on the "Shell.Application" ActiveX object, or any
other ActiveX, is a system wide configuration change. This is also the
reason for the incompatibility issues you are mentioning, but there is
no reason to kill the bird to secure the nest.
The problem here is not the ADODB.Stream or Shell.Application objects,
the problem is the insecure My Computer zone in Internet Explorer. Your
registry fix will have adverse functionality regressions on any Windows
administrator that use WSH when there is no reason for this. ActiveX
objects are used in many hosts of which IE is just one, others include
Jscript, VBScript, HTML Applications and WSH, all of which run outside
of the browser and require executional privileges to launch in the first
place.
The prerequisite for even having privileges enough to launch the
Shell.Application ActiveX object inside IE is to have script running in
the My Computer zone. Locking down this zone will completely prevent
this exploit, without introduing functionality regressions in other
parts of Windows. In fact, if you had implemented the registry changes I
described back in early September 2003 you would have been safe against
all the command execution vulnerabilities that have subsequently been
discovered - including ADODB.Stream and Shell.Application who are
themselves just minor components of a larger exploit prerequisite.
http://www.securityfocus.com/archive/1/346174/2003-11-30/2003-12-06/0
I am sure that tomorrow, next week and next month we will find even more
ways to exploit insecure zone privileges in IE. You can either try to
fix the root cause once or you can try to treat each new symptom as it
is discovered.
There is no need to hurridly introduce last-minute system wide
functionality regressions such as killbitting Shell.Application, all you
need to do is lock down the My Computer zone in IE properly. We
implemented this in Qwik-Fix last September and have since then not had
to worry about exploits that target these design principles in IE.
Instead, we have been able to focus our efforts on securing other parts
of Windows as opposed to scramble to cope up with each new exploit from
jelmer or http-equiv. You can get a free copy of Qwik-Fix Pro at
http://qwik-fix.net
All software is inherently insecure, the difference is in how you treat
that insecurity.
Regards
Thor Larholm
Senior Security Researcher
PivX Solutions
24 Corporate Plaza #180
Newport Beach, CA 92660
http://www.pivx.com
thor@xxxxxxxx
Stock symbol: (PIVX)
Phone: +1 (949) 231-8496
PGP: 0x5A276569
6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569
PivX defines a new genre in Desktop Security: Proactive Threat
Mitigation.
<http://www.pivx.com/qwikfix>
-----Original Message-----
From: Drew Copley [mailto:dcopley@xxxxxxxx]
Sent: Friday, July 02, 2004 2:33 PM
To: Windows NTBugtraq Mailing List; bugtraq@xxxxxxxxxxxxxxxxx
Subject: Registry Fix For Variant of Scob
About the same time Jelmer found the adodb bug, http-equiv found a
similiar issue with the object "Shell.Application".
This issue has also been unfixed for the past ten months.
Unfortunately, Microsoft has not taken the "hint" and not
fixed this issue either.
Jelmer has noted this and made a proof of concept exploit
page here: http://62.131.86.111/security/idiots/malware2k/installer.htm
The below registry file will protect you from this exploit
by kill biting "Shell.Application" variant.
<------------------------------------------->
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX
Compatibility\{13709620-C279-11CE-A49E-444553540000}]
"Compatibility Flags"=dword:00000400
<-------------------------------------------->
I will be updating our free fix download here:
http://www.eeye.com/html/research/alerts/AL20040610.html
This will break some hta scripts that might be used
for management. It may cause some incompatibility issues
with some programs.
Shell.Application is commonly used by administrators
for administration of systems via Visual basic script
or WSH. It may have other uses. It is kind of Microsoft's answer to
shell script -- though not as happy as batch.