Setslice Killbit Apps

Published: 2006-09-30
Last Updated: 2006-09-30 15:17:50 UTC
by Tom Liston (Version: 4)
1 comment(s)
Well... here we are again...  seems like only last week, I was putting up killbit apps for "daxctle.ocx"... 

(and really, it was 10 days ago... sheesh, how time flies!)

Anyway, I've got two more for you. This time they set the killbits on a couple of CLSIDs implemented by webvw.dll, which (as far as we can tell) shuts off the control that makes IE vulnerable to the "setslice" issue. Note: we've tested these settings against the Metasploit project's test page, and they work. Because MS hasn't released any information as of yet, we're somewhat flying blind here. That being said, the killbit method is attractive because it is completely reversible: unset the bit and the control works again.

There are two versions of the app: a standard Windows program and a command-line version.

The standard Windows app will tell you the status of the two killbits (ANDed together, for you programmer types out there: it reports SET only when both bits are set) and give you the option to change them (from SET to UN-SET, and vice versa).

Standard Windows app: WEBVW.DLL_KillBit.exe - 2,560 bytes
MD5: f89b8896ed90f5387a57ed818294fe22

The command-line app will SET the killbits when run with no parameters, and UNSET them when run with any parameter (say "/r"). It returns 0 on success and 1 on failure, so it can be driven from a logon script or software-distribution tool.

Command line app: WEBVW.DLL_KillBit_cmd.exe - 3,548 bytes
MD5: ebc215850cd06b2de2d8e49428134271

UPDATE: Should anyone need to know, the CLSIDs that these apps set the killbit on are:

{844F4806-E8A8-11d2-9652-00C04FC30871} and
{E5DF9D10-3B52-11D1-83E8-00A0C90DC849}

(Thanks to Mark for pointing out that I forgot to put that in the diary entry...)
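For anyone who would rather not run an unsigned binary, here is an added PowerShell equivalent of the two tools above (example code written for this page, not Tom's program, and not tested against the Metasploit page). It relies only on the documented killbit mechanism: IE refuses to instantiate a control whose "Compatibility Flags" DWORD under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID} has bit 0x400 set. The two CLSIDs are the ones listed above; the function names and the Status/Set/Unset parameter are my own.

```powershell
#Requires -RunAsAdministrator
# Added example (not the diary's own killbit app): query, set or clear the IE killbit
# for the two WEBVW.DLL CLSIDs from the diary entry.
#
# Usage:  .\webvw-killbit.ps1            -> report status of both bits
#         .\webvw-killbit.ps1 -Action Set   -> set both killbits, then report
#         .\webvw-killbit.ps1 -Action Unset -> clear both killbits, then report
#
# "#Requires -RunAsAdministrator" makes PowerShell refuse to start the script unelevated,
# so writes land in the real HKLM key instead of the per-user VirtualStore copy.
param(
    [ValidateSet('Status', 'Set', 'Unset')]
    [string]$Action = 'Status'
)

# Killbit = bit 0x400 of the "Compatibility Flags" DWORD (documented in MS KB 240797).
$KillBit = 0x400
$Base    = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

# CLSIDs from the diary entry (both implemented by webvw.dll).
$Clsids = @(
    '{844F4806-E8A8-11d2-9652-00C04FC30871}',
    '{E5DF9D10-3B52-11D1-83E8-00A0C90DC849}'
)

function Get-CompatFlags([string]$Clsid) {
    # Returns the current "Compatibility Flags" value, or 0 if the key/value is absent.
    $key = Join-Path $Base $Clsid
    if (-not (Test-Path -LiteralPath $key)) { return 0 }
    $item = Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.'Compatibility Flags'
}

function Test-KillBit([string]$Clsid) {
    return ((Get-CompatFlags $Clsid) -band $KillBit) -ne 0
}

function Set-KillBit([string]$Clsid, [bool]$Enable) {
    # Creates the per-CLSID key if needed and flips only bit 0x400, so any other
    # compatibility flags Microsoft or a vendor already set are preserved.
    $key = Join-Path $Base $Clsid
    if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
    $flags = Get-CompatFlags $Clsid
    if ($Enable) { $flags = $flags -bor $KillBit }
    else         { $flags = $flags -band (-bnot $KillBit) }
    Set-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -Value $flags -Type DWord
}

switch ($Action) {
    'Set'   { foreach ($c in $Clsids) { Set-KillBit $c $true  } }
    'Unset' { foreach ($c in $Clsids) { Set-KillBit $c $false } }
}

# Report each bit, plus the ANDed result the GUI tool shows.
$allSet = $true
foreach ($c in $Clsids) {
    $isSet  = Test-KillBit $c
    $allSet = $allSet -and $isSet
    '{0}  killbit={1}' -f $c, $(if ($isSet) { 'SET' } else { 'UNSET' })
}
'Both killbits set: {0}' -f $allSet

# Mirror the command-line tool: 0 when the requested state is in place, 1 otherwise.
$wanted = ($Action -ne 'Unset')
exit $(if ($allSet -eq $wanted) { 0 } else { 1 })
```

Two caveats a deployment should account for: on 64-bit Windows the 32-bit IE reads the copy of this key under HKLM\SOFTWARE\Wow6432Node\..., so both locations need the bit; and a later IE cumulative update may set the bit itself, so check the status rather than assuming your unset restored a pristine machine.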

Tom Liston - ISC Handler
Senior Security Consultant - Intelguardians

New diary link: http://isc.sans.org/diary.php?storyid=1747

Keywords: killbit setslice

Comments

Warning: These two EXEs do not have a Vista manifest, ergo they use Virtualization on Vista.

What does this mean? If you run them on Vista, you'll actually be writing to [HKEY_USERS\S-1-5-XX-XXXXXXXX-XXXXXXXXX-XXXXXXXXX-XXXX\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility]

thanks
http://securitymario.spaces.live.com/
