Another detail on LYNXOPTIONS:// and bypassing evil configuration options to victim's browser - attack scheme could be even easier and can be done remotely. First of all, ask user to check his/her configuration, as stated in previous post (let's call this webpage A.html). Then, supply link to another webpage, containing evil form with configuration (B.html, see previous post for details). Value of "secure" field can be guessed easily - it's increased every second (huh, that's the way clock works ;). Victim's system time can be precisely estimated with help of it's MTA subsystem, so you can synchronize your clock with a little bit of shrewdness. Wait for GET request on A.html from victim, assume eg. +4 seconds to read and understand text (and to press "O", this time is my blind assumption, probably some real-life test are helpful... but IMHO this time will be constant for maybe 95% requests, if webpage is designed properly and user won't need too much time to understand what user should do). Now, time difference (in seconds) between your and their system clock + time(0) return value at the time of GET request + your estimation (4 secs mentioned above) is "secure" value. Rebuild B.html by inserting proper "secure" field. Form fields should be hidden, some bogus text with big, good-looking 'submit' button will help. Now, the most interesting thing - by putting funny 'preffered charset', 'preffered language' and 'user agent' fields into form (I've tried with >64kB of 'A's, but probably it could be much smaller), you'll cause beautifully exploitable stack overflow while viewing next webpage after pressing Big Button on B.html. After submitting configuration, last webpage is automatically reloaded, that's enough. No need to modify 'editor' or anything else and wait. Program received signal SIGSEGV, Segmentation fault. 0x4009ab97 in strcpy () (gdb) info stack #0 0x4009ab97 in strcpy () #1 0x80b802b in _start () #2 0x41414141 in ?? () Cannot access memory at address 0x41414141. Yes, it's much more social (reverse ;) engineering than hacking, all of these processes have to be automated and still you don't have 100% certainty, but those hacks where user reactions have critical meaning are the most interesting :) _______________________________________________________________________ Michal Zalewski [lcamtufat_private] [link / marchew] [dione.ids.pl SYSADM] [Marchew Industries] ! [http://lcamtuf.na.export.pl] bash$ :(){ :|:&};: [voice phone: +48 22 813 25 86] <=-=> [cellular phone: +48 501 4000 69] Iterowac jest rzecza ludzka, wykonywac rekursywnie - boska [P. Deutsch]
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:13:19 PDT