PDF XSS vulnerability announced at CCC

Published: 2007-01-03
Last Updated: 2007-01-03 19:25:09 UTC
by Toby Kohlenberg (Version: 2)
A new cross-site scripting attack against the Adobe Reader browser plugin was presented at 23C3 (the 23rd Chaos Communication Congress) by Stefano Di Paola & Giorgio Fedon:
http://events.ccc.de/congress/2006/Fahrplan/events/1602.en.html
The gist of the attack is that the plugin treats the URL fragment (everything after the #) as a list of name=value parameters, and a value beginning with javascript: is executed. So you can get JavaScript run simply by appending such a fragment to the URL of any PDF hosted on a site.

This is an example (from GNUCITIZEN): (line breaks added for aesthetic value)

www.google.com/librariancenter/downloads/Tips_Tricks_85x11.pdf#something \
=javascript:function createXMLHttpRequest(){   try{ return new \
ActiveXObject('Msxml2.XMLHTTP');  }catch(e){}   try{ return new \
ActiveXObject('Microsoft.XMLHTTP'); }catch(e){}   try{ return new \
XMLHttpRequest(); }catch(e){}   return null;}var xhr = createXMLHttpRequest(); \
xhr.onreadystatechange = function(){    if (xhr.readyState == 4)       \
alert(xhr.responseText);};xhr.open('GET', 'http://www.google.com', true)\
;xhr.send(null);

This doesn't require the ability to write or host the PDF, just the ability to build a URL that points at a PDF already hosted on the target site. The script runs in the origin of the site hosting the PDF, not the attacker's site, which is what the example above demonstrates: the XMLHttpRequest to www.google.com succeeds, and the alert shows the response, because the script is executing as www.google.com.
There are a number of good explanations of this. I liked this one:
http://www.disenchant.ch/blog/hacking-with-browser-plugins/34
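Because the payload never reaches the server hosting the PDF, the place to spot these links is wherever the link itself is seen (an e-mail, a page, a list of URLs fed from a proxy). The following is an added example written for this edit, not code from the ISC diary, from Di Paola and Fedon, or from GNUCITIZEN: it classifies a link as a candidate PDF-plugin XSS vector when the path ends in .pdf and a fragment parameter value carries the javascript: scheme. The sample links are constructed for the example (the first is the GNUCITIZEN-style URL quoted above, abridged and joined onto one line; the rest are made-up benign and obfuscated variants), and treating percent-encoding, mixed case and embedded whitespace as obfuscation to be flagged is an assumption of this example, not something the diary states.

```javascript
// Added example (editor's code, not from the ISC diary or the researchers):
// flag links that carry a javascript: payload in the fragment of a PDF URL.
//
// Assumptions (not facts from the diary): the link is inspected where it is
// seen, since the fragment is never sent to the PDF's server; percent-encoded,
// upper-case and whitespace-padded variants of "javascript:" are treated as
// obfuscation and still flagged.

// Decode percent-encoding without throwing on malformed input.
function decodeLoose(s) {
  try {
    return decodeURIComponent(s);
  } catch (e) {
    return s;
  }
}

// Split an Open-Parameters-style fragment ("page=3&zoom=100") into
// [name, value] pairs; '&' and '#' both act as separators.
function fragmentParams(fragment) {
  return fragment
    .split(/[&#]/)
    .filter(p => p.length > 0)
    .map(p => {
      const i = p.indexOf('=');
      return i < 0 ? [p, ''] : [p.slice(0, i), p.slice(i + 1)];
    });
}

// True if the value, after decoding and stripping whitespace/control
// characters, starts with the javascript: scheme (case-insensitive).
function hasScriptScheme(value) {
  const cleaned = decodeLoose(value).replace(/[\s\x00-\x1f\x7f]/g, '');
  return /^javascript:/i.test(cleaned);
}

// Classify one link. Returns { pdf, suspicious, params } where params lists
// the fragment parameter names whose value carries a javascript: scheme.
function classifyPdfLink(href) {
  // Tolerate scheme-less links such as "www.example.com/a.pdf#..."
  const withScheme = /^[a-z][a-z0-9+.-]*:/i.test(href) ? href : 'http://' + href;
  let url;
  try {
    url = new URL(withScheme);
  } catch (e) {
    return { pdf: false, suspicious: false, params: [] };
  }
  if (!/\.pdf$/i.test(url.pathname)) {
    return { pdf: false, suspicious: false, params: [] };
  }
  const params = fragmentParams(url.hash.replace(/^#/, ''))
    .filter(([, value]) => hasScriptScheme(value))
    .map(([name]) => name);
  return { pdf: true, suspicious: params.length > 0, params };
}

// Constructed sample links for this example.
const SAMPLE_LINKS = [
  // The GNUCITIZEN-style URL from the diary, abridged and joined onto one line.
  "www.google.com/librariancenter/downloads/Tips_Tricks_85x11.pdf#something=javascript:function createXMLHttpRequest(){ try{ return new ActiveXObject('Msxml2.XMLHTTP'); }catch(e){} try{ return new XMLHttpRequest(); }catch(e){} return null;}var xhr = createXMLHttpRequest();xhr.open('GET', 'http://www.google.com', true);xhr.send(null);",
  // Benign Open Parameters: page and zoom only.
  "https://www.example.com/docs/report.pdf#page=3&zoom=100",
  // Mixed case plus a percent-encoded colon.
  "https://www.example.com/docs/Report.PDF#x=JaVaScRiPt%3Aalert(document.domain)",
  // An encoded tab inside the scheme name.
  "https://www.example.com/docs/report.pdf#FDF=java%09script:alert(1)",
  // Not a PDF at all, so out of scope even with a javascript: fragment.
  "https://www.example.com/index.html#x=javascript:alert(1)",
];

// Classify a list of links, keeping the original href beside the verdict.
function scanLinks(links) {
  return links.map(href => ({ href, ...classifyPdfLink(href) }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of scanLinks(SAMPLE_LINKS)) {
    console.log(r.suspicious ? 'SUSPICIOUS' : 'ok', r.href.slice(0, 60), r.params);
  }
}
```

The check is deliberately loose (any parameter name, not just the ones the plugin documents) because the attack does not depend on the name; a false positive on a PDF link costs a look, while a missed one hands the attacker the hosting site's origin.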

The original paper talks about more than this specific flaw and is certainly worth reading as well.

Mitigation: Turning off JavaScript appears to be effective against this. Militant use of the NoScript extension for Firefox would be my recommendation. Bear in mind where the script runs, though: it executes in the origin of the site hosting the PDF, not the site that set up the attack, so NoScript has to block scripting on the target domains. In the Disenchant examples you would have to disable scripting for Google, MySpace, Microsoft, eBay and Bank of America, which is hard to square with a whitelist, but....
One more caveat: the payload lives in the URL fragment, which the browser never sends to the server, so server-side input filtering will not catch it and the web server's logs will not show it. Apart from an updated client, the fix is in how the PDF is served, for example as a download (Content-Disposition: attachment) so the browser never hands it to the in-page plugin.

Update: Thanks to those of you who pointed out that this attack fails against Adobe Acrobat/Reader 8, where the issue is fixed:
http://www.adobe.com/products/acrobat/readstep2.html

Symantec attack uptick reported

Published: 2007-01-03
Last Updated: 2007-01-03 08:51:56 UTC
by Toby Kohlenberg (Version: 1)
Thanks to Mike, who sent us the following note about what he has seen on his network. Anyone else seeing similar movement?

The Symantec AV attacks have picked up over the last day or so, as systems that were probably turned off over the holidays are turned on and infected by the worm.  Almost all of the attacks we saw just before Christmas were from other .edus; now we are seeing more attacks from systems in countries other than the US.  About 70% of the 186 systems that tried attacking us today were outside the US.  Brazil and Taiwan take top honors for most attacking hosts.

Apple QuickTime RTSP URL Handler Vulnerability

Published: 2007-01-03
Last Updated: 2007-01-03 08:33:07 UTC
by Scott Fendley (Version: 4)

The Month of Apple Bugs seems to have started. The first bug is in the handling of RTSP URLs within QuickTime, leading to arbitrary code execution on both Windows and Mac OS X. You can find the advisory here:
http://projects.info-pull.com/moab/MOAB-01-01-2007.html. The MOAB advisory states that you should disable the rtsp:// URL handler; however, I have not determined how this is done.

Update 1:

Robert helped me find what I was missing. Guess I am just blind today, or was paying a little too much attention to the bowl games. To disable RTSP URLs in QuickTime, open the QuickTime control panel, select the File Types tab, expand the Streaming category and make sure the "RTSP stream descriptor" entry is unchecked. Here is a screen capture of this from my Windows-based computer. I assume Mac OS X has a similar control panel. I recommend that you make sure this is unchecked.


VLC Media Player udp URL handler Format String Vulnerability

Published: 2007-01-03
Last Updated: 2007-01-03 00:39:56 UTC
by Toby Kohlenberg (Version: 1)
Welcome, fans, to Day Two of the Month of Apple Bugs!
http://projects.info-pull.com/moab/MOAB-02-01-2007.html
Today's contestants are the MOAB team and VLC Media Player.
We have a special treat for you today, as the vulnerability announced on this lovely winter morning (okay, it hasn't stopped raining yet today, it was almost dark at 2:30pm, and technically it's evening, but...) impacts VLC Media Player on both Mac OS X and Windows.

The MOAB team, the reigning champion after their highly noted win against Apple QuickTime yesterday by stack overflow, had this to say about their opponent:
"A format string vulnerability exists in the handling of the udp:// URL handler. By supplying a specially crafted string, a remote attacker could cause an arbitrary code execution condition, under the privileges of the user running VLC."

After a short bout, MOAB was declared the winner again by delivery of a PoC for both x86 and PPC.
This contender has certainly come out strong, but we'll see how they hold up as the month continues. That's all till next time, sports fans.
