If at first you don't succeed; call it version 1.0
Thursday, March 30, 2006

Up until today, the createTextRange() vulnerability exploits seen in the wild were not so silent.
Having to wait more than a minute, while the web browser freezes, for the exploit to execute was too much for the victims.
Most of the victims were probably closing the browser manually before the vulnerability was actually exploited.

Introducing the next generation of the createTextRange() exploit from Metasploit.
This exploit uses a non-CPU-consuming technique in order to achieve a more silent exploitation.

Now that we have a new generation of exploit out there, we can only hope MS will be fast enough to deliver an out-of-cycle security update for the createTextRange() vulnerability.

P.S. This exploit will also evade most "generic" AV and IPS detections, which mostly look for specific tokens from the old proof-of-concept script instead of using real heuristic detection.


Posted Thursday, March 30, 2006 8:57:15 AM UTC | Security
Friday, March 24, 2006

"...Hamachi is a community-developed utility for verifying browser integrity, written by H D Moore and Aviv Raff. Hamachi will look for common DHTML implementation flaws by specifying common "bad" values for method arguments and property values..."

http://metasploit.com/users/hdm/tools/hamachi/hamachi.html
Posted Friday, March 24, 2006 7:34:51 AM UTC | Security
Wednesday, March 22, 2006

In about a week and a half, three new Internet Explorer security holes were publicly disclosed:

- 13-Mar-06: Jeffrey van der Stad reported a vulnerability in IE which allows running HTA files without the user's permission.
- 16-Mar-06: Michal Zalewski published a Proof-of-Concept for a vulnerability in the way IE handles a large number of events in a single HTML tag.
- 22-Mar-06 (Today): A memory corruption vulnerability was disclosed on the Full-Disclosure mailing list by Stelian Ena (although he claims it to be a "well known issue").
The problem is with the way IE handles a call to the createTextRange method on a CheckBox control. According to MSDN, the CheckBox control should not have a createTextRange method at all.
The published Proof-of-Concept will only crash the browser. But I've managed to create another Proof-of-Concept (which I WILL NOT publicly disclose just yet), and it seems that this memory corruption vulnerability is exploitable for remote code execution on a fully patched Windows XP SP2. It might also be exploitable on other Windows operating systems.

Too many holes in such a short time... We can only hope MS will take these problems seriously and provide a patch soon.

[UPDATE:] "Computer Terrorism (UK) :: Incident Response Centre" has published an advisory for the createTextRange vulnerability. They also confirm having produced a Proof-of-Concept, and that they have already notified Microsoft about this issue.

[UPDATE2:] Secunia has also reported on this issue, this time about the Radio control.

I would like to add that three types of input controls can be used to exploit this vulnerability: CheckBox, Radio (as already reported) and Image (<input type="image">).
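The March 30 post above notes that generic AV/IPS signatures tend to match specific tokens from the old proof-of-concept script rather than detecting the condition itself, and this post names the three input types involved. The following is an added example, not code from this blog, Metasploit or any vendor, of what a content-level heuristic for this condition could look like: it resolves the receiver of each createTextRange() call in a page to an <input> element and flags the call when that element's type is checkbox, radio or image, regardless of variable names or how the element was looked up. The token-based signature, the sample pages and all identifiers in them are constructed for this example; the resolution is regex-based (not a JavaScript parser), so scripts assembled through eval or string concatenation would need a script-execution sandbox rather than this static check.

```python
import re
from html.parser import HTMLParser

# Input types the post names as able to trigger the bug. MSDN documents
# createTextRange() for text-style elements, not for these three.
SUSPECT_INPUT_TYPES = {"checkbox", "radio", "image"}


class InputCollector(HTMLParser):
    """Record id-or-name -> type for every <input> element in the page."""

    def __init__(self):
        super().__init__()
        self.inputs = {}

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        ident = a.get("id") or a.get("name")
        if ident:
            self.inputs[ident] = a.get("type", "text").lower()


# DOM lookups that yield an element: getElementById('x'), document.all.x, document.all['x']
LOOKUP = (r"(?:document\.getElementById\(\s*['\"](?P<g>[^'\"]+)['\"]\s*\)"
          r"|document\.all(?:\.(?P<d>[\w$]+)|\[\s*['\"](?P<b>[^'\"]+)['\"]\s*\]))")
IDENT = r"[A-Za-z_$][\w$]*"
ASSIGN_RE = re.compile(rf"(?:var\s+)?(?P<v>{IDENT})\s*=\s*{LOOKUP}")
CREATE_RE = re.compile(rf"(?:var\s+)?(?P<v>{IDENT})\s*=\s*document\.createElement\(\s*['\"]input['\"]\s*\)")
TYPE_SET_RE = re.compile(rf"(?P<v>{IDENT})\s*\.\s*type\s*=\s*['\"](?P<t>\w+)['\"]")
DIRECT_CALL_RE = re.compile(rf"{LOOKUP}\s*\.\s*createTextRange\s*\(")
VAR_CALL_RE = re.compile(rf"(?P<v>{IDENT})\s*\.\s*createTextRange\s*\(")


def _ident(m):
    """Element id/name captured by whichever LOOKUP alternative matched."""
    return m.group("g") or m.group("d") or m.group("b")


def scan_html(html):
    """Heuristic check: resolve the receiver of each createTextRange() call to an
    <input> type and return [(receiver, type)] for checkbox/radio/image receivers."""
    col = InputCollector()
    col.feed(html)
    var_type = {}
    # var x = document.getElementById('id')  ->  x has the type of that <input>
    for m in ASSIGN_RE.finditer(html):
        t = col.inputs.get(_ident(m))
        if t:
            var_type[m.group("v")] = t
    # var x = document.createElement('input'); x.type = '...'  (dynamic creation)
    for m in CREATE_RE.finditer(html):
        var_type.setdefault(m.group("v"), "text")
    for m in TYPE_SET_RE.finditer(html):
        if m.group("v") in var_type:
            var_type[m.group("v")] = m.group("t").lower()
    findings = []
    for m in DIRECT_CALL_RE.finditer(html):  # document.all['x'].createTextRange()
        t = col.inputs.get(_ident(m))
        if t in SUSPECT_INPUT_TYPES:
            findings.append((_ident(m), t))
    for m in VAR_CALL_RE.finditer(html):  # x.createTextRange()
        t = var_type.get(m.group("v"))
        if t in SUSPECT_INPUT_TYPES:
            findings.append((m.group("v"), t))
    return findings


# Constructed stand-in for a token-based signature: it fires only when the exact
# source text of one known sample is present, so a renamed variant slips past it.
SIGNATURE_TOKENS = ["var c = document.getElementById('c');", "c.createTextRange()"]


def signature_hit(html):
    return all(tok in html for tok in SIGNATURE_TOKENS)


# Constructed sample pages (not real exploit code): the first matches the token
# signature, the second is a renamed/re-styled variant, the third is benign.
SAMPLE_KNOWN = """<input type="checkbox" id="c">
<script>
var c = document.getElementById('c');
var r = c.createTextRange();
</script>"""
SAMPLE_VARIANT = """<input type="image" name="img1">
<script>
document.all['img1'].createTextRange();
</script>"""
SAMPLE_DYNAMIC = """<script>
var e = document.createElement('input');
e.type = 'radio';
document.body.appendChild(e);
var r = e.createTextRange();
</script>"""
SAMPLE_BENIGN = """<input type="text" id="t">
<script>
var t = document.getElementById('t');
var r = t.createTextRange();
</script>"""


if __name__ == "__main__":
    for name, page in [("known", SAMPLE_KNOWN), ("variant", SAMPLE_VARIANT),
                       ("dynamic", SAMPLE_DYNAMIC), ("benign", SAMPLE_BENIGN)]:
        print(name, "signature:", signature_hit(page), "heuristic:", scan_html(page))
```

Run as a script, the token signature fires only on the first sample, while the type-resolving heuristic flags the first three and stays quiet on the benign text-input page, which is the difference the P.S. above is pointing at.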

[UPDATE3:] Microsoft has published a security advisory for the createTextRange vulnerability.

[UPDATE4:] Beware: createTextRange vulnerability exploits are out!


Posted Wednesday, March 22, 2006 1:09:24 PM UTC | Security