Before I begin, let me say that I am not to be held in any way responsible for any actions you may take based on the content herein. That said, let me get on with it. I have been conducting some research into possible workarounds to avoid any script execution that may occur from exploits of the recently discovered IFRAME buffer overflow vulnerability. Waiting for a patch whilst script kiddies craft better exploits just isn't an option. Full stop, end of story. Sorry, period and end of story to my American counterparts! I have been working with this exploit.
I changed the default security settings on an IE6 SP1 client so that the "Internet" zone had Active Scripting disabled. This caused IE6 to crash in a less than graceful way; however, the exploit did not load, and a netstat -a proved that the command shell was never opened on port 28876. These findings are in contrast to those found when Active Scripting was set to enabled (the default), where a command shell did open on port 28876. The impact of disabling Active Scripting takes us back quite a few years in terms of browser functionality, but for some of you this may be a much-needed last resort whilst the wait for an effective security patch from Microsoft continues. Yesterday was patch day and there was no mention of a patch for this vulnerability. We wait.
My biggest worry is that this exploit and others like it use the NOP slide (No-Operation slide) buffer overflow technique. This is easily detected by Snort's heuristics and other intrusion detection systems, but what happens when the buffer overflow implements normal commands (non-NOP)? Not only do we have vulnerable systems, but we also have very little in the way of detecting a system compromise. Is anyone else out there scared?