轉貼 防範 IE 新漏洞(1)&(2)

顯示結果從第 1 筆 到 5 筆,共計 5 筆
  1. #1
    --帳號停用中-- purk 的大頭照
    註冊日期
    2001-03-08
    討論區文章
    2,917

    轉貼 防範 IE 新漏洞(1)&(2)

    IE新漏洞 駭客將通行無阻 12/17
    http://www.hackland.idv.tw/hacker/20011219-1.htm
    http://www.hackland.idv.tw/hacker/20011219-2.htm


    防範 IE 新漏洞(1)


    --------------------------------------------------------------------------------

    IE新漏洞 駭客將通行無阻 12/17

    Source -- [ Infopro.com資傳網 ]

       根據芬蘭一家電腦安全公司表示,微軟IE瀏覽器中的一個漏洞會在使用者下載檔
    案時,誤判檔案的屬性而直接開啟執行檔,進而使得駭客得以輕易地在受害者電腦中植
    入後門程式。

    這家名為Oy Online Solution的公司指出,駭客可以利用特定的網址與HTTP表頭,讓下
    載的畫面中出現的副檔名與實際副檔名不符。使用者可能以為下載的是媒體檔案,事實
    上卻是個精心設計的後門程式;更嚴重的情況,則是IE不會顯示任何訊息,後門程式卻
    已經悄悄地安裝完畢,並且開始運作。駭客可以此任意進出受害者的電腦,以發動分散
    式的阻斷服務攻擊、格式化硬碟、或是散佈病毒。

    Oy Online Solutions的總經理傑基•薩爾米(Jyrki Salmi)表示,微軟在十一月底就
    已知悉此事,但當時卻不以為意;不過現在「微軟已經將初版的修正程式寄給我們測
    試,預計在下週即可正式推出。」薩爾米說;但他拒絕說明為何微軟改變了心意。

    這漏洞所影響的版本包括了IE 5.0、5.5、以及6.x。薩爾米建議使用者在升級程式推出
    前,暫緩所有的下載作業。


    --------------------------------------------------------------------------------

    上面是有關報導,下面是 Bugtraq 的原文;



    OVERVIEW

    A flaw in Microsoft Internet Explorer allows a malicious website to spoof
    file extensions in the download dialog to make an executable program file
    look like a text, image, audio, or any other file. If the user chooses to
    open the file from its current location, the executable program will be
    run, circumventing Security Warning dialogs, and the attacker could gain
    control over the user's system.

    A piece of HTML can be used to cause a normal download dialog to pop up.
    The dialog would prompt the user to choose whether he/she wants to "open
    this file from its current location" or "save this file to disk". The
    file name and extension may be anything the malicious website
    administrator (or a user having access there) wishes, e.g. README.TXT,
    index.html, or sample.wav. If the user chooses the first alternative,
    "open the file from its current location", an .EXE application is
    actually run without any further dialogs. This happens even if
    downloading a normal .EXE file from the server causes a Security Warning
    dialog.

    The user has no way of detecting that the file is really an .EXE
    program and not a text, html, or other harmless file. The program could
    quietly backdoor or infect the user's system, and then pop up a window
    which does what the user expected, ie. show a text document or
    play an audio file.

    No active scripting is necessary in order to exploit the flaw. The
    malicious website can be refered e.g. in an iframe, in a normal link, or
    by javascript.



    DETAILS

    The flaw is in the way Internet Explorer processes certain kind of URLs
    and HTTP headers. No further technical details are disclosed this time,
    as there is no proper workaround and the vulnerability could be
    relatively easily and unnoticeably exploited to spread virii, install
    DDoS zombies or backdoors, format harddisks, and so on.

    The flaw has been successfully exploited with Internet Explorer 5.5 and
    6. An IE5 with the latest updates shows the spoofed file name and
    extension without a sign of EXE, and issue no Security Warning dialog
    after the file download dialog.

    Internet Explorer 6 is exploitable in a slightly different way, but the
    effect is the same. The user gets a download dialog with the spoofed file
    name and extension, and can choose between "Open" and "Save". Opening the
    file causes the program to be run.

    Older versions such as IE5.0 behave somewhat differently. The dialog
    indicates the user is about to execute an application; the dialog has the
    word "execute" instead of "open", and a Security Warning dialog appears
    after choosing "execute". It still shows the spoofed file name and
    extension instead of "EXE".

    Any way to skip all dialogs, ie. to run an application without ANY
    dialog with this vulnerability has NOT been found. In all variations of
    the exploit there is always the normal file download dialog, but the
    following Security Warning dialog is skipped.

    Technical details of the vulnerability will be revealed later.



    WORKAROUNDS

    Opening a file type previously considered safe, e.g. plain text or HTML
    file isn't safe with IE. Users of the browser should avoid opening
    files directly and save them to disk instead (if opening them is
    necessary at all). If this flaw is being exploited, the file save dialog
    will reveal that the file is actually an executable program. Dealing with
    files from an untrusted source isn't advisable anyway. Another workaround
    is switching to another browser such as Opera or Netscape which don't
    seem to have this vulnerability.



    VENDOR STATUS

    Microsoft was contacted on November 19th. The company doesn't currently
    consider this is a vulnerability; they say that the trust decision should
    be based on the file source and not type. The origin of the file, ie. the
    web server's hostname can't be spoofed with this flaw. It's not known
    whether a patch is going to be produced. Microsoft is currently
    investigating the issue.


    --------------------------------------------------------------------------------



    This posting is a revision of the one sent to Bugtraq on 26 Nov 2001 with
    the subject "File extensions spoofable in Microsoft IE download dialog"
    and discusses some details and newly found impacts the vulnerability has.



    OVERVIEW

    Due to a flaw in the way Microsoft Internet Explorer handles certain HTTP
    reply strings, a web site can spoof the name of a file being requested
    and disguise it as a harmless file. As opposed to what I stated in the
    previous posting, a variation of this exploit may cause the browser
    to download and run a program file automatically without any user
    interaction or decision. This may lead to system compromise when visiting
    a malicious web site or opening an HTML mail message which directs the
    user to such site. Opening an e-mail attachment or accepting a file
    download is NOT required.

    With some versions of IE, the origin web server of the file being
    downloaded can also be hidden by using a variation of this exploit. In
    this case it will show and empty string instead of the host name in the
    download dialog.

    Internet Explorer versions 6, 5.5, and 5.0 have been tested and found
    vulnerable. The only version which hasn't automatically downloaded and
    started an .exe program in our tests is is 5.5 with Service Pack 2. We
    don't know whether it could be vulnerable to some other variation of the
    exploit (different MIME types or other HTTP header contents maybe?). It
    is however vulnerable to the "plain" file name spoofing attack.



    VULNERABLE VERSIONS

    IE File ext Bypassing Hiding file
    Version spoofing all dialogs origin
    ----------------------------------------------------------
    IE 6 yes yes no
    IE 5.5 SP2 yes no? yes
    IE 5.5 yes yes yes
    IE 5.0 yes yes



    DETAILS

    The problem is in the way Internet Explorer handles the Content-type and
    Content-disposition HTTP headers of a web server reply. With certain
    combinations of specially crafted reply strings, the browser can be made
    first to start downloading the file without asking for confirmation from
    the user, and then to open it - or in this case, run it.

    The same method which can mislead the user in the "plain" file name spoof
    variation of the attack can be used to mislead the browser's logics
    resulting in automatical execution of the program.



    WORKAROUNDS

    If the patch for some reason couldn't be applied, disabling file
    downloads from Tools -> Internet options -> Security -> Custom level ->
    Downloads/File download seems to stop the exploit. No other known
    workarounds exist at the moment, except from switching to another browser
    such as Opera or Netscape, which don't seem to suffer from this problem.



    VENDOR STATUS

    Microsoft was initially contacted on November 19th with the information
    regarding the "file extension spoofing" problem. The Security Warning
    dialogs of IE5 could be bypassed with that exploit, but the "automatically
    start an .exe" variation of the vulnerability wasn't known at the time.
    Microsoft didn't consider the file extension spoofing problem a security
    vulnerability. The company was informed about the new variation on
    November 27th and started working on a patch to correct the flaw. The
    patch is now out and downloadable on Microsoft's site at

    http://www.microsoft.com/technet/sec...n/MS01-058.asp

    --
    Jouko Pynnonen Online Solutions Ltd Secure your Linux -
    jouko@solutions.fi http://www.solutions.fi http://www.secmod.com


    --------------------------------------------------------------------------------

    我還沒時間仔細研究,不過看來可能會成為另一波 Nimda 病毒感染的新途徑,各位趕快去以下網址修補漏洞:

    http://www.microsoft.com/technet/sec...n/MS01-058.asp

    這個漏洞最主要講的內容是有關 IE 判斷副檔名錯誤的問題,各位可以去以下網址試試:

    http://kuperus.xs4all.nl/microsoft.txt

    當你點選它時,你可以看到 IE 出現一個下載畫面的視窗,下載的檔案看起來是一個附檔名 TXT 的純文字檔



    一般來說使用者看到 TXT 檔都不疑有它,會選擇直接開啟,但利用 IE 這個檢查副檔名錯誤的漏洞,惡意的伺服器管理員,可以把類似 HTA 的執行檔傳到你電腦上,接著自動開啟,如圖所示,所以可以藉由此方式來散佈病毒或特洛依木馬:



    而根據報導指出,當初微軟對這個漏洞其實是「不很在乎」....我想他們是認為使用者是使用者自己選擇「開啟檔案」選項,所以不算漏洞吧...哼哼哼........

    因為沒有進一步的技術資料,所以我用 Sniffer 擷取了該封包的內容,如下:



    注意到 「Content-Type」欄位嗎? 看起來是因為 IE 沒有把 Content-Type 和原始副檔名做比對的緣故,而開啟檔案時,微軟的 IE 在收到 HTTP 協定內的「Content-Type」欄位裡面的 application/hta ,就急急忙忙呼叫 MSHTA 去處理,完全忘了當初副檔案的檔名是 TXT 文字檔.......
    防範 IE 新漏洞(2)-奇怪的 MS01-058 更新?


    --------------------------------------------------------------------------------

    底下是微軟 Microsoft Security Bulletin MS01-058 的說明

    The first vulnerability involves a flaw in the handling of the Content-Disposition and Content-Type header fields in an HTML stream. These fields, the hosting URL, and the hosted file data determine how a file is handled upon download in Internet Explorer. A security vulnerability exists because, if an attacker altered the HTML header information in a certain way, it could be possible to make IE believe that an executable file was actually a different type of file -- one that it is appropriate to simply open without asking the user for confirmation. This could enable the attacker to create a web page or HTML mail that, when opened, would automatically run an executable on the user's system. This vulnerability affects IE 6.0 only. It does not affect IE 5.5.
    The second vulnerability is a newly discovered variant of the "Frame Domain Verification" vulnerability discussed in Microsoft Security Bulletin MS01-015. The vulnerability could enable a malicious web site operator to open two browser windows, one in the web site’s domain and the other on the user’s local file system, and to pass information from the latter to the former. This could enable the web site operator to read, but not change, any file on the user’s local computer that could be opened in a browser window. This vulnerabilty affects both IE 5.5 and 6.0.
    The third vulnerability involves a flaw related to the display of file names in the File Download dialogue box. When a file download is initiated, a dialogue provides the name of the file. However, in some cases, it would be possible for an attacker to misrepresent the name of the file in the dialogue. This could be invoked from a web page or in an HTML email in an attempt to fool users into accepting unsafe file types from a trusted source. This vulnerabilty affects both IE 5.5 and 6.0.
    可以看到這項更正程式修正了三個錯誤。其中第三個錯誤應該就是我前一篇「防範 IE 漏洞(1)」裡面提到的情形,可是網友 yen 來信詢問,說他裝了 MS01-058 更正程式之後,下載視窗還是依然顯示是下載 txt 檔案....



    我為了驗證原因,特別將我不想升級的 IE 升級到 6.0 版,然後也裝了 MS01-058 修正程式,結果媽的勒....修正還是一樣,下載依然是顯示 txt 檔案,而且 IE 6.0 更慘,它的按鈕預設值竟然是 「開啟」,這樣不小心就更容易執行到這個披著 txt 外皮,實則 hta 執行檔的狼。


    (注意:預設動作是「開啟」檔案喔)

    我不知道微軟這個修正程式真的在修正什麼.....講實話....我真的不知道.........難道我英文會錯意,它以下這段不是在講這個漏洞嗎?

    The third vulnerability involves a flaw related to the display of file names in the File Download dialogue box. When a file download is initiated, a dialogue provides the name of the file. However, in some cases, it would be possible for an attacker to misrepresent the name of the file in the dialogue. This could be invoked from a web page or in an HTML email in an attempt to fool users into accepting unsafe file types from a trusted source. This vulnerabilty affects both IE 5.5 and 6.0.
    總而言之自立救濟,在以後遇到有這類的下載視窗時,你千萬注意選「儲存檔案」或「將這個檔案存到磁碟」,別直接選「開啟」就是了.....

    (不過這樣的話,幹嘛要安裝修正程式???......笨笨搞不懂的 Hackland 站長)



  2. #2
    會員
    註冊日期
    2001-03-16
    討論區文章
    36
    真的耶~~~
    我的IE5.5也是這樣子
    以後要小心了....

  3. #3
    會員
    註冊日期
    2001-08-01
    討論區文章
    49

    另一測試結果

    根據 Purk 兄的測試結果, 我也進行了修正測試
    自修正後竟發現我的伺服器無法再執行 ASP 的程式
    無論是 localHost 的 ASP, 或是他站的 ASP, 都無法再執行了,
    幸好平時我都會將系統碟作完整備份, 要不然遇上了這種無法移除的致命修正就完了.

  4. #4
    會員
    註冊日期
    2001-08-01
    討論區文章
    49

    Re: 另一測試結果

    最初由 galrie 發表
    根據 Purk 兄的測試結果, 我也進行了修正測試
    自修正後竟發現我的伺服器無法再執行 ASP 的程式
    無論是 localHost 的 ASP, 或是他站的 ASP, 都無法再執行了,
    幸好平時我都會將系統碟作完整備份, 要不然遇上了這種無法移除的致命修正就完了.
    對不起, 晚進一時誤查, 將上述之測試同時與病毒防護程式之病毒碼更新同時進行,
    而且作了數次都沒有跳過此一環節, 故有以上之測試結果.
    今晚進將硬碟資料還原, 並將病毒防護程式 Norton AntiVirus 停止更新病毒碼後,
    發現 MicroSoft 的修正程式並未造成本站伺服器無法執行ASP應用程式之影響 (http://cctv.oknet.idv.tw)
    若有造成網友之不便, 敬請原諒.

    註: 晚進原採用的 Norton AntiVirus 版本為 7.07.23D, 確定會造成上述之問題,
    後來改為 Norton AntiVirus C.E 版本 7.50.846 之後, 才恢復正常.

  5. #5
    酷 拉 皮 卡 curarpikt 的大頭照
    註冊日期
    2001-06-20
    討論區文章
    160
    最初由 GKLin 發表
    真的耶~~~
    我的IE5.5也是這樣子
    以後要小心了....

    不好意思,請問一下~
    我已經更新過了,但是我所看到卻還是TXT檔案,
    那是不是表示沒有更新成功呢?
    還有就是那個檔案下載不下來耶~



類似的主題

  1. windos server 2003 更新漏洞
    作者:GoGoVaKa 所在討論版:-- Windows 更新 & 驅 動 程 式 版
    回覆: 1
    最後發表: 2011-04-14, 03:33 PM
  2. 【警告】【转贴】令人汗颜的IE最新漏洞(MS06-067)利用测试(黑吧)
    作者:proll 所在討論版:-- 防 駭 / 防 毒 版
    回覆: 21
    最後發表: 2006-12-04, 11:43 PM
  3. 【新聞】快補! Windows、Outlook Express出現新新漏洞 
    作者:atobe 所在討論版:-- 防 駭 / 防 毒 版
    回覆: 1
    最後發表: 2004-07-14, 02:49 PM
  4. 【新聞】Windows NT/2000新漏洞 駭客可以獲取管理者權限 04/01
    作者:giogio2000 所在討論版:-- 防 駭 / 防 毒 版
    回覆: 0
    最後發表: 2002-04-02, 09:46 AM
  5. 轉貼:IE新漏洞 駭客將通行無阻
    作者:charles_ccgb 所在討論版:-- 網 路 軟 體 討 論 一 版 (Browser,Email
    回覆: 1
    最後發表: 2001-12-19, 11:50 PM

 

此網頁沒有從搜尋引擎而來的訪客

發表文章規則

  • 不可以發表新主題
  • 不可以回覆文章
  • 不可以上傳附加檔案
  • 不可以編輯自己的文章
  •