[25274] in bugtraq
RE: Microsoft Baseline Security Analyzer exploit (Exposed vulnerabilities' list)
daemon@ATHENA.MIT.EDU (Menashe Eliezer)
Fri Apr 26 01:55:00 2002
Content-Class: urn:content-classes:message
From: "Menashe Eliezer" <menashe@finjan.com>
To: "3APA3A" <3APA3A@SECURITY.NNOV.RU>
Cc: "Bugtraq" <bugtraq@securityfocus.com>, "vuln-dev" <vuln-dev@securityfocus.com>
Date: Thu, 25 Apr 2002 19:18:20 +0200
Message-ID: <LCEKKNCFAOCLGCBMIOFBOELECAAA.menashe@finjan.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
In-reply-to: <146434456124.20020425125144@SECURITY.NNOV.RU>
The vulnerabilities' list is accessible even by an unprivileged user account.
The ability of active content to access this report depends on the
security settings of the browser.
For example, a signed ActiveX control that runs in a browser with a low security
setting doesn't need the user's approval. The user can also choose not to be asked
whether to launch an ActiveX control that is signed by a specific signer. In such a case,
there's no need for a low security setting of the browser.
The ActiveX control doesn't have to be safe for scripting. The ActiveX control can do
anything without being scripted at all.
You can access this report even without active content.
All you need is a limited exploit that just allows you to read a file.
Deus Attonbitus wrote:
DA>but the script would also have to be able to discern the currently logged
DA>on user in order to see where to look in the "Documents and Settings"
DA>tree.
1. Discern the currently logged-on user: it's a simple Win32 API.
2. The code can simply look for the "Security Scans" folder in the tree.
Regards,
Menashe.
-----Original Message-----
From: 3APA3A [mailto:3APA3A@SECURITY.NNOV.RU]
Sent: Thursday, April 25, 2002 10:52 AM
To: Menashe Eliezer
Cc: Bugtraq; vuln-dev
Subject: Re: Microsoft Baseline Security Analyzer exploit (Exposed vulnerabilities' list)
Dear Menashe Eliezer,
Sorry for asking, but it's unclear from the advisory: is it possible to
access reports with either:
1. An ActiveX element marked safe for scripting
2. JavaScript or VBScript from the "Internet" security zone
The examples you give for scripting will only run in local host content, so
this problem seems to be local only (default permissions for sensitive
files) with minimal impact, because analysis of security policy,
registry and file permissions can (mostly) be done by a local user with
an unprivileged account. In this case the risk is low.
--Thursday, April 25, 2002, 5:06:32 AM, you wrote to
bugtraq@securityfocus.com:
ME> Microsoft Baseline Security Analyzer exploit (Exposed vulnerabilities' list)
ME> Finjan Software Security Advisory
ME> URL: http://www.finjan.com/mcrc/alert_show.cfm?attack_release_id=71
ME> April 24, 2002
ME> Risk: Medium
ME> -------------
--
~/ZARAZA
Man is a mystery... I occupy myself with this mystery in order to be a man.
(Dostoevsky)