 - RU.NETHACK -------------------------------------------------------------------
 From : Yaroslav Klyukin                     2:5020/400     28 Jan 2003  07:52:18
 To : Alexandr Pristenski
 Subject : POP3 server
 -------------------------------------------------------------------------------- 
 
  AP>     The first things that come to mind:
  AP>     1) brute-forcing passwords (slow, tedious, inefficient)
  AP>     2) social engineering (somehow unsporting...)
  AP>     3) a plain old trojan (they are not as dumb as they look :)
  AP>     Everyone uses Outlook Express 5.0
 
  AP>     Any ideas (at least in general terms)?
 Here, off the top of my head, is a description of one Internet Explorer vulnerability.
 Slip them this ActiveX control in a letter, or write a letter that will
 open a page containing one. I have not tested it myself - I give no guarantees.
   Microsoft Internet Explorer Legacy Text Control Buffer Overflow
 ------------------------------------------------------------------------
 SUMMARY
 
 Microsoft® ActiveX® controls, formerly known as OLE controls or OCX 
 controls, are components (or objects) you can insert into a Web page or 
 other application to reuse packaged functionality someone else programmed. 
 Whether you use an ActiveX control (formerly called an OLE control) or a 
 Java object, Microsoft Visual Basic Scripting Edition and Microsoft 
 Internet Explorer handle it the same way.
 
 DETAILS
 
 An unchecked buffer exists in the ActiveX control used to display 
 specially formatted text. This could be executed by encouraging an 
 unsuspecting user to visit a malicious web page including the below code.
 
 <0BJECT
    classid="clsid:99B42120-6EC7-11CF-A6C7-00AA00A47DD2"
    id=lblActiveLbl
    width=250
    height=250
    align=left
    hspace=20
    vspace=0
 
 >
 
 <PARAM NAME="Angle" VALUE="90">
 <PARAM NAME="Alignment" VALUE="4">
 <PARAM NAME="BackStyle" VALUE="0">
 <PARAM NAME="Caption" VALUE="long char string">
 <PARAM NAME="FontName" VALUE="NGS Software Font">
 <PARAM NAME="FontSize" VALUE="50">
 <PARAM NAME="FontBold" VALUE="1">
 <PARAM NAME="FrColor" VALUE="0">
 </OBJECT>
 
 (Note the letter O has been replaced with an 0)
 
 By supplying an overly long value for the "Caption" parameter, a saved 
 return address stored on the stack will be overwritten allowing an 
 attacker to gain control of Internet Explorer's path of execution. Any 
 arbitrary code would execute in the context of the logged on user. By 
 sending the intended target a specially crafted e-mail or by enticing them 
 to a malicious website an attacker will be able to gain remote control of 
 that user's desktop. 
 Or here is another trick:
  Microsoft Terminal Server Client Buffer Overrun
 ------------------------------------------------------------------------
 SUMMARY
 
  <http://www.microsoft.com/windows2000/downloads/recommended/default.asp> 
 Microsoft Terminal Server ActiveX client is the ActiveX version of the 
 standard Windows Terminal Services client. It allows a client to connect 
 to a Terminal Server from a web page. This allows a web developer to 
 integrate a Win32-based application into a web page.
 
 There is a buffer-overrun vulnerability in one of the parameters used by 
 the ActiveX component when it is embedded in a web page. An attacker could 
 exploit this vulnerability to run malicious code on a target system. The 
 user would need to open a malicious HTML file as an attachment to an email 
 message, as a file on the local or network file system or as a link on a 
 malicious web site. If the malicious HTML file is opened, it will cause 
 the ActiveX component to execute the arbitrary computer code contained 
 within the HTML page with the permissions of the attacker.
 
 Since the Microsoft Terminal Server ActiveX client is signed by Microsoft 
 and marked safe there is no warning with the default Internet Explorer 
 security settings if you have previously selected to trust all controls 
 signed by Microsoft. This is a good example of why not to trust any 
 ActiveX components from an unknown source. A malicious site could use an 
 old vulnerable version of the ActiveX control even after the patched 
 ActiveX component is available from Microsoft. If users install the latest 
 vendor cumulative patch for Internet Explorer this problem is eliminated.
 
 DETAILS
 
 Vulnerable systems:
  * Microsoft Terminal Server ActiveX Client v5.02221.1
 
 By default the Terminal Server ActiveX client will install itself in a 
 directory such as 'http://site/tsweb/'. The buffer-overrun condition 
 occurs when a large string is used for the server name field. We were able 
 to cause an exception to occur with a long string made up of the letter 
 'A'. The result was the overwriting of EIP with 0x41414141. ESI will 
 point to the buffer of supplied data.
 
 The ID of the component tested was: 1FB464C8-09BB-4017-A2F5-EB742F04392F
 
 Vendor Response:
 Vendor has bulletin and patch for Terminal Server  
 <http://www.microsoft.com/technet/security/bulletin/ms02-046.asp> 
 
 Vendor has bulletin and patch for Internet Explorer  
 <http://www.microsoft.com/technet/security/bulletin/MS02-047.asp> 
 
 Recommendation:
 You should never open attachments/webpages that come from unknown sources 
 no matter how benign they may appear. Be wary of those that come from 
 known sources.
 
 You should consider the benefits and risks of each attachment file type or 
 ActiveX control that you let into your organization. Attachment file types 
 or ActiveX controls that you do not need should be dropped at your 
 perimeter mail gateway or proxy server. Attachments that you choose to 
 forward on into your organization should be scanned for known malicious 
 code using an antivirus product.
 
 End users should install the latest Internet Explorer cumulative patch 
 that sets the Kill Bit on the vulnerable version of the ActiveX component 
 so it will not execute.
 
 Terminal Server administrators should install the vendor patch to update 
 the ActiveX component they have available for download. Until this patch 
 is installed, users who have installed the Internet Explorer cumulative 
 patch will not be able to access the Terminal Server via the ActiveX 
 component.
 In general, if you dig around, you can find more...
 
 ICQ# 1045670
 
 --- ifmail v.2.15dev5
  * Origin: FidoNet Online - http://www.fido-online.com (2:5020/400)
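Both quoted advisories point to the same mitigation: the cumulative IE patch sets the ActiveX "kill bit" so the control will not be instantiated from a web page or HTML mail. The script below is an added example, not part of the original message or of either advisory; it audits the kill-bit state of the two CLSIDs quoted above on the local machine, using IE's documented kill-bit registry location (the Wow6432Node view for 32-bit IE on 64-bit Windows is an assumption about the host, checked only if present).

```powershell
# Added example, not part of the original post: audit whether Internet Explorer's
# ActiveX "kill bit" is set for the two CLSIDs quoted in the advisories above.
# Registry location and flag are IE's documented kill-bit mechanism:
#   HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
#   DWORD "Compatibility Flags" with bit 0x00000400 set.
$KillBit = 0x400

# CLSIDs taken from the two advisories quoted in the message.
$ClsidsToCheck = @(
    '{99B42120-6EC7-11CF-A6C7-00AA00A47DD2}'   # legacy text (Label) control
    '{1FB464C8-09BB-4017-A2F5-EB742F04392F}'   # Terminal Server ActiveX client
)

# Native view and, on 64-bit Windows, the 32-bit (Wow6432Node) view that 32-bit IE reads.
$CompatViews = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)

    $viewsSeen = 0; $viewsKilled = 0
    foreach ($base in $CompatViews) {
        if (-not (Test-Path $base)) { continue }   # view absent on 32-bit Windows
        $viewsSeen++
        $key  = Join-Path $base $Clsid
        $item = Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
        if ($item -and (($item.'Compatibility Flags' -band $KillBit) -ne 0)) { $viewsKilled++ }
    }
    # Treat the control as killed only if every existing view carries the bit.
    $killed = ($viewsSeen -gt 0) -and ($viewsKilled -eq $viewsSeen)

    # A control that is not registered at all cannot be instantiated either.
    $registered = Test-Path "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"

    [pscustomobject]@{
        Clsid      = $Clsid
        Registered = $registered
        KillBitSet = $killed
        # Exposed: registered on this host and still reachable from a web page.
        Exposed    = ($registered -and -not $killed)
    }
}

$ClsidsToCheck | ForEach-Object { Test-ActiveXKillBit -Clsid $_ } | Format-Table -AutoSize
```

Any row with Exposed = True is a host where the quoted advisories still apply and the cumulative patch (or a manually set kill bit) is outstanding.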