[Snort-sigs] FPs for 4166 (Shell.Explorer) - "common" print functions

Alex Kirk alex.kirk at ...435...
Thu Jan 12 08:14:12 EST 2006


These particular instances appear to be as you say -- legitimate uses of 
an ActiveX object that is prone to abuse. Looking at the BID and CVE 
entries here, it's clear that this object has been implicated as a 
culprit in the IE Drag & Drop vulnerability, which allows for remote 
code execution. While the MS reference may have been a bit unclear -- 
it's there because MS05-014 lists MS04-038 as a necessary prerequisite 
for a workaround, and MS04-038 does contain a fix for a Drag & Drop vuln 
-- I'd say that it's obvious this object can cause some serious problems 
if abused correctly. Hopefully the addition of MS05-014 as a reference 
will make this even more clear.

You may wish to simply disable this rule, depending upon your site's 
ActiveX policies, how up-to-date your patches are, etc. Since there is 
legitimate value in this rule for some people, however, it's unlikely to 
change any time soon.

Alex Kirk
Research Analyst
Sourcefire, Inc.

> Getting lots of alerts on sid:416, "Shell.Explorer ActiveX Object 
> Access".  Using this object is perhaps walking on thin ice, but I am 
> seeing it coming from what I would have thought to be legitimate 
> sources.  Are these just legitimate cases of questionable scripting 
> style?  Some of the flagged text from known sites:
>
> jobsearch.ma.monster.com spits out this script fragment (3 different 
> times):
>
>> {
>> var WebBrowser = '<OBJECT ID="WebBrowser1" WIDTH=0 HEIGHT=0 
>> CLASSID="CLSID:8856F961-340A-11D0-A96B-00C04FD705A2"></OBJECT>';
>> document.body.insertAdjacentHTML('beforeEnd', WebBrowser);
>> WebBrowser1.ExecWB(6, 2);
>> //Use a 1 vs. a 2 for a prompting dialog box
>> WebBrowser1.outerHTML = "";  }
>>
> education.uoregon.edu gives us several variations of:
>
>> if (da && !pr && !mac) with (document) {
>>  writeln('<OBJECT ID="WB" WIDTH="0" HEIGHT="0" 
>> CLASSID="clsid:8856F961-340A-11D0-A96B-00C04FD705A2"></OBJECT>');
>>  writeln('<' + 'SCRIPT LANGUAGE="VBScript">');
>>  writeln('Sub window_onunload');
>>  writeln('  On Error Resume Next');
>>  writeln('  Set WB = nothing');
>>  writeln('End Sub');
>>  
>>
> www.smartcomputing.com (sic) has a similar fragment to monster.com's:
>
>> {
>> var WebBrowser = '<OBJECT ID="WebBrowser1" WIDTH=0 HEIGHT=0 
>> CLASSID="CLSID:8856F961-340A-11D0-A96B-00C04FD705A2"></OBJECT>';
>> document.body.insertAdjacentHTML('beforeEnd', WebBrowser);
>> WebBrowser1.ExecWB(6, 2);
>> //Use a 1 vs. a 2 for a prompting dialog box
>> WebBrowser1.outerHTML = "";  }
>>
> In fact, after seeing that www.cisco.com also spit out something 
> similar, they all contain variations of this function (finally got it 
> all in one packet):
>
>> // Print Function
>> function printit(){  if (window.print) {
>>    window.print() ;  } else {
>>    var WebBrowser = '<OBJECT ID="WebBrowser1" WIDTH=0 HEIGHT=0 
>> CLASSID="CLSID:8856F961-340A-11D0-A96B-00C04FD705A2"></OBJECT>';
>>    document.body.insertAdjacentHTML('beforeEnd', WebBrowser);
>>    WebBrowser1.ExecWB(6, 2);
>> // Use a 1 vs. a 2 for a prompting dialog box    
>> WebBrowser1.outerHTML = "";  }
>>  
>>
> And now after looking further still, all are variations on a procedure 
> to print a document on various combinations of platforms and browsers.
>
> Any further detail on what an "evil" incarnation of Shell.Explorer 
> might contain to differentiate it from these examples?
>
> Jeff
>
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
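Added example, not part of the thread and not the Sourcefire rule: a small Python triage script that answers Jeff's question for captured response bodies after the rule has fired. It does not try to replace the signature (which keys on the CLSID and cannot tell the print idiom from anything else); it re-reads the matched body and reports whether the Shell.Explorer object was only ever told to print (ExecWB with OLECMDID_PRINT, which is 6, followed by removal via outerHTML), was embedded but never driven in what was captured (the uoregon fragment, or a script that continues in a packet that was not reassembled), or was driven through some other member, which is what a reviewer should look at. The CLSID is the one quoted above; the set of members treated as "print idiom" and the sample bodies (reassembled from the fragments in the thread, plus one constructed contrast case using Navigate2) are this example's own assumptions. It is a plain-text heuristic: any obfuscation of the script or of the object tag defeats it, so treat its output as a hint for alert triage, not as a verdict.

```python
import re

# CLSID of the Shell.Explorer (WebBrowser) control, copied from the fragments
# quoted in the thread.
SHELL_EXPLORER_CLSID = "8856F961-340A-11D0-A96B-00C04FD705A2"

# OLECMDID_PRINT is 6 in the OLE command set; ExecWB(6, n) is the print call seen
# in every benign fragment (n = 1 prompts the user, n = 2 suppresses the dialog).
OLECMDID_PRINT = "6"

# Assumption for this example: a page that only creates the control, prints with
# it and removes it from the DOM touches nothing but these two members.
PRINT_IDIOM_MEMBERS = {"execwb", "outerhtml"}

OBJECT_TAG_RE = re.compile(r"<OBJECT\b[^>]*>", re.IGNORECASE)
ID_ATTR_RE = re.compile(r'\bID\s*=\s*"?([A-Za-z_]\w*)"?', re.IGNORECASE)
# obj.member, optionally followed by a call's argument list.
MEMBER_RE = re.compile(
    r"\b(?P<obj>[A-Za-z_]\w*)\s*\.\s*(?P<member>[A-Za-z_]\w*)"
    r"(?:\s*\(\s*(?P<args>[^)]*)\))?"
)


def shell_explorer_ids(body):
    """Element IDs of every <OBJECT> in the body bound to the Shell.Explorer CLSID."""
    ids = set()
    for tag in OBJECT_TAG_RE.findall(body):
        if SHELL_EXPLORER_CLSID.lower() in tag.lower():
            m = ID_ATTR_RE.search(tag)
            if m:
                ids.add(m.group(1))
    return ids


def triage(body):
    """Classify one captured response body that matched on the CLSID.

    Returns (verdict, notes) with verdict one of:
      'clean'        no Shell.Explorer object in the body
      'print-only'   the object is only told to print and then removed
      'inconclusive' the object is embedded but never driven in this capture
      'review'       the object is driven through some other member/command
    """
    ids = shell_explorer_ids(body)
    if not ids:
        return "clean", []
    notes = []
    saw_print = False
    for m in MEMBER_RE.finditer(body):
        obj, member, args = m.group("obj"), m.group("member"), m.group("args")
        if obj not in ids:
            continue  # window.print(), document.body, ... are not the control
        if member.lower() == "execwb":
            first = (args or "").split(",")[0].strip()
            if first == OLECMDID_PRINT:
                saw_print = True
                continue
            notes.append(f"{obj}.ExecWB with OLECMDID {first or '?'} (not print)")
        elif member.lower() not in PRINT_IDIOM_MEMBERS:
            notes.append(f"{obj}.{member} used")
    if notes:
        return "review", notes
    if saw_print:
        return "print-only", [f"{i}: ExecWB(6, ...) only" for i in sorted(ids)]
    return "inconclusive", [f"{i}: embedded but not driven in this capture" for i in sorted(ids)]


# Constructed sample bodies, reassembled from the fragments quoted in the thread.
PRINT_FUNCTION = """
function printit(){  if (window.print) {
   window.print() ;  } else {
   var WebBrowser = '<OBJECT ID="WebBrowser1" WIDTH=0 HEIGHT=0 CLASSID="CLSID:8856F961-340A-11D0-A96B-00C04FD705A2"></OBJECT>';
   document.body.insertAdjacentHTML('beforeEnd', WebBrowser);
   WebBrowser1.ExecWB(6, 2);
// Use a 1 vs. a 2 for a prompting dialog box
   WebBrowser1.outerHTML = "";  }
}
"""

UNLOAD_ONLY = """
if (da && !pr && !mac) with (document) {
 writeln('<OBJECT ID="WB" WIDTH="0" HEIGHT="0" CLASSID="clsid:8856F961-340A-11D0-A96B-00C04FD705A2"></OBJECT>');
 writeln('<' + 'SCRIPT LANGUAGE="VBScript">');
 writeln('Sub window_onunload');
 writeln('  On Error Resume Next');
 writeln('  Set WB = nothing');
 writeln('End Sub');
"""

# Constructed contrast case (not from the thread): the control is steered somewhere.
NAVIGATE_CASE = """
var WebBrowser = '<OBJECT ID="WebBrowser1" WIDTH=0 HEIGHT=0 CLASSID="CLSID:8856F961-340A-11D0-A96B-00C04FD705A2"></OBJECT>';
document.body.insertAdjacentHTML('beforeEnd', WebBrowser);
WebBrowser1.Navigate2(target);
"""

if __name__ == "__main__":
    for name, body in [("print function", PRINT_FUNCTION),
                       ("unload only", UNLOAD_ONLY),
                       ("navigate", NAVIGATE_CASE)]:
        verdict, notes = triage(body)
        print(f"{name:15s} {verdict:13s} {'; '.join(notes)}")
```

Run it against the bodies Snort logged for the alert (the `-d` payload dump or a pcap carved with your usual tools); anything that comes back 'review' or 'inconclusive' is worth a second look, 'print-only' is the pattern every site in the thread was showing. Because it only sees what was captured, a body that is split across packets will tend to land in 'inconclusive' rather than 'print-only', which is the honest answer rather than a false reassurance.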