RE: SUPER SPOOF DELUXE Re: [Full-Disclosure] Microsoft and Security
- To: <full-disclosure@xxxxxxxxxxxxxxxx>
- Subject: RE: SUPER SPOOF DELUXE Re: [Full-Disclosure] Microsoft and Security
- From: "http-equiv@xxxxxxxxxx" <1@xxxxxxxxxxx>
- Date: Thu, 1 Jul 2004 20:35:55 -0000
Yes of course.
Two tiny problems though:
1. your little scriptlet doesn't work for me. I get:
'W.frames.2.location' is null or not an object
2. If as you claim this is "standard practice" then there is
something wrong with these browsers as it apparently does not
work on them:
The following browsers are not affected:
* Mozilla Firefox 0.9 for Windows
* Mozilla Firefox 0.9.1 for Windows
* Mozilla 1.7 for Windows
* Mozilla 1.7 for Linux
http://secunia.com/advisories/11978/
Perhaps someone who really knows will enlighten us all.
Thor Larholm <thor@xxxxxxxx> said:
> > From: http-equiv@xxxxxxxxxx [mailto:1@xxxxxxxxxxx]
>
> Your subject makes it sound like this is a spoofing vulnerability when
> in fact this is expected functionality that has been around since
> Netscape 2 and IE3 which does not grant additional privileges of any
> kind and requires the user to activate WindowsUpdate from your site.
>
> > Here's a quick and dirty demo injecting malware.com into
> > windowsupdate.microsoft.com :)
> > http://www.malware.com/targutted.html
>
> Your script opens a new window and then uses a timer to change the
> location of whatever window object has focus. This does not switch
> security zone or even protocol, all it does is to load your site into a
> subframe of another site. You can accomplish the exact same without
> trying to 'trick' anything by using the following 2 lines:
>
> W=window.open("http://v4.windowsupdate.microsoft.com");
> W.frames[2].location.href = "http://pivx.com/";
>
> This is no different than loading WindowsUpdate in a frame on your own
> site.
>
> It has always been standard practice that you can change, but not read,
> the location of any window object to a site from the same protocol and
> security zone. A frame is a window object and all window objects are
> safely exposed because they by themselves do not reveal any
> information about the site inside the frame. You can get a handle of any
> window object to any depth because the frames collection is also safely
> exposed. This does not give you any kind of access to the document
> object inside, which would be necessary for any kind of code injection
> or cookie theft.
>
> Regards
>
> Thor Larholm
> Senior Security Researcher
> PivX Solutions
> 23 Corporate Plaza #280
> Newport Beach, CA 92660
> http://www.pivx.com
> thor@xxxxxxxx
> Stock symbol: (PIVX.OB)
> Phone: +1 (949) 231-8496
> PGP: 0x5A276569
> 6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569
>
> PivX defines a new genre in Desktop Security: Proactive Threat
> Mitigation.
> <http://www.pivx.com/qwikfix>
> -----Original Message-----
> From: http-equiv@xxxxxxxxxx [mailto:1@xxxxxxxxxxx]
> Sent: Tuesday, June 29, 2004 11:41 AM
> To: bugtraq@xxxxxxxxxxxxxxxxx
> Cc: NTBugtraq@xxxxxxxxxxxxxxxxxxxxxx
> Subject: SUPER SPOOF DELUXE Re: [Full-Disclosure] Microsoft and Security
>
> Thomas Kessler was kind enough to inform us that this is not new, but in
> fact an old "issue" with Internet Explorer which by all accounts was
> supposed to be "patched" back in 1998[?]:
>
> Microsoft Security Program: Microsoft Security Bulletin (MS98-020)
> Patch Available for 'Frame Spoof' Vulnerability
>
> http://www.microsoft.com/technet/security/bulletin/ms98-020.mspx
>
> Quite clearly this contraption known as Internet Explorer is just
> broken. It's oozing pus from every pore at this stage.
>
> If indeed the issues are the exact same.
>
> You'd better wipe hands of it anyway.
>
> We give up.
>
> --
> http://www.malware.com
>
--
http://www.malware.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
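Added example, not code from either poster: the read/write asymmetry Thor describes (a cross-origin frame's location can be assigned but not read) also lets a frameset page detect when one of its own subframes has been navigated off-site, since the read throws, and point it back. The origin, URLs and the `fakeWindow` stand-in for a browser Window are constructed assumptions so the check runs under Node.

```javascript
// Added example, not code from the thread: a frameset page auditing its own
// subframes. Reading a cross-origin frame's location.href throws SecurityError
// while assigning it works, so a failed read means that frame left our site.
// The origin, URLs and fakeWindow below are assumptions made for this example.
const EXPECTED_ORIGIN = "https://update.example.test"; // placeholder origin
const FALLBACK_URL = EXPECTED_ORIGIN + "/blank.html";  // placeholder page

// Classify one frame window: {ok, reason, origin}.
function checkFrame(frameWindow, expectedOrigin) {
  let href;
  try {
    href = frameWindow.location.href; // throws for a cross-origin document
  } catch (e) {
    return { ok: false, reason: "cross-origin", origin: null };
  }
  let origin;
  try { origin = new URL(href).origin; } catch (e) { origin = null; } // null: unparseable
  // Note: about:blank yields the string "null" and is reported as a mismatch.
  if (origin === expectedOrigin) return { ok: true, reason: "same-origin", origin };
  return { ok: false, reason: origin ? "origin-mismatch" : "unparseable", origin };
}

// Walk the frames collection to any depth. Stray frames are reported and
// re-pointed at fallbackUrl: a parent may always navigate its own children.
function auditFrames(win, expectedOrigin, fallbackUrl, path = "") {
  const findings = [];
  for (let i = 0; i < win.frames.length; i++) {
    const frame = win.frames[i];
    const here = path + "frames[" + i + "]";
    const result = checkFrame(frame, expectedOrigin);
    if (result.ok) {
      findings.push(...auditFrames(frame, expectedOrigin, fallbackUrl, here + "."));
    } else {
      findings.push({ path: here, reason: result.reason, origin: result.origin });
      frame.location.href = fallbackUrl;
    }
  }
  return findings;
}

// Constructed stand-in for a browser Window so this runs under Node: reading
// href throws while the document is cross-origin; assigning it "navigates".
function fakeWindow(href, crossOrigin, children = []) {
  const state = { href, crossOrigin };
  const location = {
    get href() { if (state.crossOrigin) throw new Error("SecurityError"); return state.href; },
    set href(url) { state.href = url; state.crossOrigin = !url.startsWith(EXPECTED_ORIGIN); },
  };
  return { frames: children, location, state };
}
```

In a real page the same `auditFrames(window, location.origin, FALLBACK_URL)` call would run from the frameset document on load and on a timer; the fake windows only exist so the logic can be exercised outside a browser.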