redxii Premium,Mod join:2001-02-26 Sherwood, MI | reply to ZOverLord
Re: New IE Vulnerability Allows Address Bar Spoofing "You are vulnerable, if a new window is opened and content from Secunia is displayed while the address bar still says "http://www.google.com/".
You are not vulnerable to this particular exploit, if you do not experience the above behaviour."
IE6 SP2, latest Flash. The address bar said »www.google.com and displayed Google content. Hmmm? |
|
ZOverLordPremium join:2003-10-20 Minneapolis, MN 1 edit | Interesting, I have the same and see problems already.
Phishers are already ALL over this exploit! -- Black, Grey and White Hats Unite here -> »testing.OnlyTheRightAnswers.com |
|
 SnowymIRC unix.ro UnderNetPremium join:2003-04-05 Kailua, HI kudos:5 | I'm not convinced that input boxes could load & a form submit action can happen with what I've seen from the exploit sample page. |
|
 ZOverLordPremium join:2003-10-20 Minneapolis, MN | said by Snowy:I'm not convinced that input boxes could load & a form submit action can happen with what I've seen from the exploit sample page. What are you talking about, this exploit is based on a timer flaw, nothing to do with input boxes or form submit. -- Black, Grey and White Hats Unite here -> »testing.OnlyTheRightAnswers.com |
|
redxii Premium,Mod join:2001-02-26 Sherwood, MI | reply to ZOverLord I replicated my settings to a virtual machine, whose default security settings were vulnerable. It wasn't vulnerable anymore. I didn't disable ActiveX... not that any ActiveX controls can install in a limited account anyway. I didn't disable Active Scripting. Going through the settings one by one, this solved it:
Disable "Navigate sub-frames across different domains" |
|
ZOverLordPremium join:2003-10-20 Minneapolis, MN | Lol, it amazes me that it is Enabled by default. Like, sure, that's a good idea. |
|
 CudniLa Merma - VigiladoPremium,MVM join:2003-12-20 Someshire kudos:13 | Off if on high setting  »Microsoft Application Tips and Tweaks »Concerning Internet Options Security, what do some of the settings mean »/r0/download/4···ions.gif
Cudni -- Some are born to failure, others achieve it, all deserve it Help yourself so God can help you |
|
SnowymIRC unix.ro UnderNetPremium join:2003-04-05 Kailua, HI kudos:5 | reply to ZOverLord said by ZOverLord:said by Snowy:I'm not convinced that input boxes could load & a form submit action can happen with what I've seen from the exploit sample page. What are you talking about, this exploit is based on a timer flaw, nothing to do with input boxes or form submit. That's correct. As far as a phish is concerned it is all about input boxes & form submits which I'm not convinced can happen with this exploit. |
|
ZOverLordPremium join:2003-10-20 Minneapolis, MN | said by Snowy:said by ZOverLord:said by Snowy:I'm not convinced that input boxes could load & a form submit action can happen with what I've seen from the exploit sample page. What are you talking about, this exploit is based on a timer flaw, nothing to do with input boxes or form submit. That's correct. As far as a phish is concerned it is all about input boxes & form submits which I'm not convinced can happen with this exploit. Not in this case, the exploit works this way:
function openWin(url) { window.open(url, 'window'); }              // every call targets the same named window
function StartTest() {
  openWin('http://www.google.com/');                                 // 1. load the real Google page in that window
  setTimeout("openWin('/19521_swf/?" + Math.random() + "');", 300);  // 2. 300 ms later, point the same window at the Flash page (random query defeats caching)
  setTimeout("openWin('/19521_swf_result/');", 2500);                // 3. 2.5 s later, load the result page
}
It exploits a very short timeout, not using any input box or form submit.
-- Black, Grey and White Hats Unite here -> »testing.OnlyTheRightAnswers.com |
|
SnowymIRC unix.ro UnderNetPremium join:2003-04-05 Kailua, HI kudos:5 | It's very clear that the 'exploit' does not use any input/submit actions. To put it another way, do you believe a phish could load a fake page with a CC# input box, have that box filled out & then submitted elsewhere all the while the page is loading? |
|
ZOverLordPremium join:2003-10-20 Minneapolis, MN 1 edit | said by Snowy:It's very clear that the 'exploit' does not use any input/submit actions. To put it another way, do you believe a phish could load a fake page with a CC# input box, have that box filled out & then submitted elsewhere all the while the page is loading? Sure, but then you would see a page re-load and wonder what's going on. Why not display, for example, the logon page right away? You would never know how long someone took to fill in field information before you timed out, so it would be best to display the bogus page ASAP, which is what people are doing.
Actually, even this PoC is using a LONG delay so you can see the original Google page, to get a better visual idea of what's going on. The real exploits of this are not so kind. -- Black, Grey and White Hats Unite here -> »testing.OnlyTheRightAnswers.com |
|
SnowymIRC unix.ro UnderNetPremium join:2003-04-05 Kailua, HI kudos:5 | Getting someone to land on the fake page is the phish challenge, so if you mean that a phish would run this exploit from its fake page, then the phish doesn't really need to utilize this exploit. I just can't seem to see how it's helping a phish. |
|
 ZOverLordPremium join:2003-10-20 Minneapolis, MN 1 edit | said by Snowy:Getting someone to land on the fake page is the phish challenge so if you mean that a phish run this exploit from it's fake page then the phish doesn't really need to utilize this exploit. I just can't seem see how it's helping a phish. Getting someone to land on a fake page is as easy as hacking a trusted web site and making changes.
You might say "So what!", but many people use the same ID and passwords on many sites. So, simply having the ability to hack one web site with a large user base might allow one to gain email IDs (which also might use the same passwords).
Once you have the Email ID's and passwords, you might be able to use PayPal for example for many people. It can go on and on.
You also might be able to get the Admin logon ID's for that site, if an Admin logs in as well. If that Admin uses a cpanel for example, you might be able to control that site as well.
So it's much easier than you might imagine, especially, with some of the PHP exploits that are present today. -- Black, Grey and White Hats Unite here -> »testing.OnlyTheRightAnswers.com |
|
| I got Google plus a prompt to "Allow sub-frames to navigate across different domains". Denied the action. Google sat there with www.google.com in the address bar.
Reran the test, this time allowing the action. Got Secunia page, »secunia.com/19521_swf_result/, but with URL as shown. No sign of google, just Secunia page as shown. This implies I am not vulnerable. -- Dan |
|
 SnowymIRC unix.ro UnderNetPremium join:2003-04-05 Kailua, HI kudos:5 | reply to ZOverLord Z, If you've taken over a server why hang around to capture login credentials. Getting traffic that intends to land at 'chase' but instead lands at the compromised server where you have loaded a chase phish is still the phish's #1 challenge. |
|
Mele20Premium join:2001-06-05 Hilo, HI kudos:4 | reply to redxii said by redxii:I replicated my settings to a virtual machine, whose default security settings were vulnerable. It wasn't vulnerable anymore. I didn't disable ActiveX... not that any ActiveX controls can install in a limited account anyway. I didn't disable Active Scripting. Going through the settings one by one, this solved it: Disable "Navigate sub-frames across different domains" I have that enabled in IE6 and I am not vulnerable. Not vulnerable in IE7b2 either. -- "If you want to do DRM on a PC then you need to treat the user as the enemy." Ross Anderson in "`Trusted Computing' Frequently Asked Questions" |
|
ZOverLordPremium join:2003-10-20 Minneapolis, MN 1 edit | reply to Snowy said by Snowy:Z, If you've taken over a server why hang around to capture login credentials. Getting traffic that intends to land at 'chase' but instead lands at the compromised server where you have loaded a chase phish is still the phish's #1 challenge. When you say hang around, it's not like you can't multi-task, and getting someone's credit card is NOT the only method to get funds; actually, PayPal is easier, as is gaining passwords for other sites.
I mean, imagine if you are dumb enough to use the same ID and password internet-wide.
Now, if I can find your password on ONE site, and it is also used for all other sites including email, the first thing most will do is hit eBay and see if they can log on as you, as well as other places, maybe Amazon and so on. Sooner or later there is no need for you to PERSONALLY enter any credit card info; it can be found without your help. -- Black, Grey and White Hats Unite here -> »testing.OnlyTheRightAnswers.com |
|
 hpguruCurb Your DogmaPremium join:2002-04-12 | reply to redxii
 Failure |
said by redxii:I replicated my settings to a virtual machine, whose default security settings were vulnerable. It wasn't vulnerable anymore. I didn't disable ActiveX... not that any ActiveX controls can install in a limited account anyway. I didn't disable Active Scripting. Going through the settings one by one, this solved it: Disable "Navigate sub-frames across different domains" I have "Navigate sub-frames across different domains" set to prompt but the exploit didn't work the first time here (I'm back to IE6SP2 long enough to update my ATI images).
With the setting on prompt there are two prompts. You have to answer yes to both for the exploit to complete, but it is inconsistent. Seems if you delay too long before clicking yes the exploit fails. -- Get hpHOSTS! Member ASAP hpHOSTS Online Paranoia is no substitute for understanding. |
|
bcoolPremium join:2000-08-25 The Ozarks 2 edits | reply to redxii said by redxii:I replicated my settings to a virtual machine, whose default security settings were vulnerable. It wasn't vulnerable anymore. I didn't disable ActiveX... not that any ActiveX controls can install in a limited account anyway. I didn't disable Active Scripting. Going through the settings one by one, this solved it: Disable "Navigate sub-frames across different domains" Yes, this did it for me as well. All ActiveX settings are either at prompt or are disabled, yet I was never once prompted here. However, your little discovery ("Navigate" item disabled) worked just fine every time. Hmmm.... -- "in flagrante delicto" |
|
 | reply to redxii Interesting. The test was failing (meaning I wasn't vulnerable) on my IE6/XP SP2 setup. My "Navigate sub-frames across different domains" setting was set to enable. So I tried setting it to Prompt. After some fiddling, I managed to accept both prompts and got the test to pass.
Then I changed my settings back to Enable. But I was still vulnerable now! Not sure exactly why. I've set "Navigate sub-frames across different domains" to disable and am once again not vulnerable. -- -Jason Levine My Gallery | Jason's Toolbox | PCQandA.com | URateit.com |
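A way to check and enforce the setting that redxii, bcool and Jason each found stops the PoC (Disable "Navigate sub-frames across different domains"), as an added example that is not from anyone in this thread. It assumes the standard IE security-zone registry layout: the Internet zone is Zones\3, this setting is the DWORD value named 1607, and its values are 0 = Enable, 1 = Prompt, 3 = Disable; the per-user copy lives under HKCU and the machine-wide copy under HKLM. Run it from an elevated PowerShell if you want the HKLM write to succeed.

```powershell
# Added example (not from the thread): inspect and harden the IE security-zone setting
# "Navigate sub-frames across different domains" for the Internet zone.
# Assumed registry layout (standard for IE zone settings):
#   ...\Internet Settings\Zones\3  = Internet zone
#   DWORD 1607                     = Navigate sub-frames across different domains
#   0 = Enable, 1 = Prompt, 3 = Disable

$ValueName = '1607'
$Meaning   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$ZoneKeys  = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3',  # current user
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'   # machine default
)

function Get-SubframeNavigationSetting {
    param([string]$Key)
    $item = Get-ItemProperty -Path $Key -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }        # value absent: the zone default applies
    return [int]$item.$ValueName
}

# 1. Report the current state, i.e. what the PoC would run against right now.
foreach ($key in $ZoneKeys) {
    $v = Get-SubframeNavigationSetting -Key $key
    $label = if ($null -eq $v) { 'not set' }
             elseif ($Meaning.ContainsKey($v)) { "$v ($($Meaning[$v]))" }
             else { "$v (unknown)" }
    Write-Host "$key -> $label"
}

# 2. Harden: set the value to Disable (3). Prompt (1) is not a reliable stop; hpguru
#    notes that answering both prompts quickly still lets the test complete.
foreach ($key in $ZoneKeys) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    try {
        Set-ItemProperty -Path $key -Name $ValueName -Value 3 -Type DWord -ErrorAction Stop
        Write-Host "Set $ValueName=3 (Disable) under $key"
    } catch {
        Write-Warning "Could not write $key (elevation needed for HKLM?): $_"
    }
}

# 3. Verify the write took effect.
foreach ($key in $ZoneKeys) {
    $v = Get-SubframeNavigationSetting -Key $key
    if ($v -eq 3) { Write-Host "OK: $key is Disable" } else { Write-Warning "$key is still $v" }
}
```

By default IE reads the HKCU copy of the zone settings; the HKLM copy only governs when the "Security Zones: Use only machine settings" policy (Security_HKLM_only) is in force, so for a fleet push the value through Group Policy rather than relying on the HKLM write alone. Jason's observation that flipping the value back to Enable left him vulnerable is a reminder to re-run the Secunia test after changing the setting, not just to read the registry.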
|