Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: Setslice Killbit Apps - Internet Security | DShield SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Setslice Killbit Apps
Well... here we are again...  seems like only last week, I was putting up killbit apps for "daxctle.ocx"... 

(and really, it was 10 days ago... sheesh, how time flies!)

Anyway, I've got two more for you, this time, setting the killbits on a couple versions of webvw.dll, and (as far as we can tell) shutting off access to the stuff that makes IE vulnerable to the "setslice" issue.  Note: we've tested these settings against the Metasploit project's test page, and they work.  Because MS hasn't released any information as of yet, we're sortof flying blind here...  However, that being said, the killbit method is great, because it is completely reversable.

There are two versions of the app, one a standard Windows program, the other a command-line version. 

The standard Windows app will tell you the status of the two killbits (ANDed together, for you programmer-types out there...) and give you the option to change them. (From SET to UN-SET, and vice versa...)

Standard Windows app: WEBVW.DLL_KillBit.exe - 2,560 bytes
MD5: f89b8896ed90f5387a57ed818294fe22

The command-line app will SET the killbits when run with no parameters, and UNSET them when run with any parameter (say "/r").  It will return 0 on success and 1 on failure.

Command line app: WEBVW.DLL_KillBit_cmd.exe - 3,548 bytes
MD5: ebc215850cd06b2de2d8e49428134271

Tom Liston - ISC Handler
Senior Security Consultant - Intelguardians

Tom

160 Posts
ISC Handler
Warning; These two EXEs do not have a Vista manifest, ergo they use Virtualization on Vista.

What does this mean? If you run them on Vista, you'll actually be writing to [HKEY_USERS\S-1-5-XX-XXXXXXXX-XXXXXXXXX-XXXXXXXXX-XXXX\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility]

thanks
http://securitymario.spaces.live.com/
Anonymous

Sign Up for Free or Log In to start participating in the conversation!