I was working my ass off to try and get CVE-2008-1447 up for demo. However, I am still quite unable to execute it within a reasonable time. I sure hope they have better luck than me at Blackhat 2008. But to talk about the ends of the means, I found out there was a much, much easier way to execute a DNS hijack without using CVE-2008-1447. Yes, the treasure is CVE-2008-2281. And yes, it's still NOT fixed even today! Works for all your favorite IE6, IE7 and IE8. I would want to shoot down Firefox eventually, but for now, this will have to be it...
Well, what I am going to demo here is not state-of-the-art, nor is it a 0-day. Well, at least the vulnerability is not a 0-day, but the way to make use of it sure is... :) CVE-2008-2281 is just a less critical or low-severity vulnerability. But combine it with the newly released Evilgrade (well, I could have done it with my own web server too, but why waste time on things that others have already done up for you?).
A bit of background on the 2 things I will use here. CVE-2008-2281 is referred to as the Print Table of Links vulnerability. I will put up some links about this at the end of this. But in short, this affects you when you print using IE6, 7, 8 (beta for now) and, under options, select "Print Table of Links". By far, only librarians use that as far as I know.
The second thing I use is called Evilgrade. In short, Evil upgrade. It can emulate the upgrade servers of popular software, from Java and Winzip to many others. Windows Update is not possible due to the signing of the packages. (For now.) So I guess you already know what I am going to do...
Well, keep guessing. But I will release my video as soon as I get the recording working.