Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Window Injection Vulnerability in Browsers/Request for Specific UDP Fragment Data - Internet Security | DShield SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Window Injection Vulnerability in Browsers/Request for Specific UDP Fragment Data
Multiple Browsers Affected by a Window Injection Vulnerability

You may have already heard of a vulnerability, announced by Secunia on December 8th, which affects all commonly-used browsers. The vulnerability allows a website loaded in one browser window to control a pop-up that is opened from another window. The danger here is that a malicious site can spoof contents of a pop-up window that is opened from a trusted site, particularly in the context of phishing attacks.

We tested Secunia's proof-of-concept exploit code with Firefox, Internet Explorer, and Opera. The exploit worked as advertised. The workaround suggested by Secunia is: Do not browse untrusted sites while browsing trusted sites.

We found another workaround that seems to work for users of Firefox: Install the Tabbrowser Extensions extension for Firefox. This extension allows Firefox users to control tabbed browsing features. Our limited tests suggest that installing this extension with default options makes Firefox immune to the proof-of-concept exploit.

The Secunia advisory:

http://secunia.com/secunia_research/2004-13/advisory/

The Secunia proof-of-concept exploit to test your browser:

http://secunia.com/multiple_browsers_window_injection_vulnerability_test/

The Tabbrowser Extensions extension for Firefox:

http://piro.sakura.ne.jp/xul/_tabextensions.html.en

Request for Specific UDP Fragment Data

My fellow handlers are in the process of analyzing the odd UDP packets that we've discussed in the past few diaries. Thank you to everyone who has shared their traces with us. We hope to provide you with a comprehensive analysis as soon as we correlate and analyze the data we've collected.

We have enough generic data for now; however, we would like to take a closer look at certain types of packets. If you have seen UDP fragments with the TTL value of 57 or higher that came from the 83.102.166.0 network, please send us your trace. If sending the packets to us, please indicate the name of your upstream provider, if you can. Also, please tell us whether it's OK for us to share the IP addresses that you saw and the TTL values with a group of ISP security professionals.

You can capture such UDP "interesting" traffic using the following Tcpdump filter:

src net 83.102.166 and \

(ip[6] & 0x02 = 0 and ip[6:2] & 0x1fff !=0) and \

((ip[8] > 56) or (ip[2:2] != 45))

You can capture such UDP "interesting" traffic using the following Snort signatures:

alert ip 83.102.166.0/24 any -> any any \

(msg: "ISC Handlers - UDP Frag Hunt - Narrowing TTL"; \

byte_test: 2,=,45,2; \ # len = 45

byte_test: 2,=,64,6; \ # fake frag

byte_test: 1,>,56,8; \ # ttl higher than 56

content: "|11EF 0035 0019 50D7 71F7 0100 0001 0000 0000 0000 0000 0200 01|";) # DNS root NS query

alert ip 83.102.166.0/24 any -> any any \

(msg: "ISC Handlers - UDP Frag Hunt - Bigger Packets"; \

byte_test: 2,>,45,2; \ # len > 45

byte_test: 2,=,64,6; \ # fake frag

content: "|11EF 0035 0019 50D7 71F7 0100 0001 0000 0000 0000 0000 0200 01|";) # DNS root NS query

Thanks to handler Erik Fichtner for putting these signatures together.

Lenny Zeltser

ISC Handler of the Day

http://www.zeltser.com
Lenny

216 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!