Archive for the ‘Uncategorized’ Category
Coming up : Realizing Google Power as a Hacking Tool
Posted by hackthisway on December 13, 2009
Posted in Uncategorized | Leave a Comment »
Microsoft Internet Explorer 6/7 CSS Handling Code Execution Vulnerability
Posted by hackthisway on November 26, 2009
“This issue is caused due to a memory corruption error in the Microsoft HTML Viewer (mshtml.dll) when retrieving certain CSS/STYLE objects via the “getElementsByTagName()” method, which could allow attackers to crash an affected browser or execute arbitrary code by tricking a user into visiting a malicious web page.”
source: VUPEN
An exploit has been added to Metasploit.
Vulnerable Products :
Microsoft Internet Explorer 6
Microsoft Internet Explorer 7
Microsoft Windows XP Service Pack 2
Microsoft Windows XP Service Pack 3
Microsoft Windows XP Professional x64 Edition Service Pack 2
Microsoft Windows Server 2003 Service Pack 2
Microsoft Windows Server 2003 x64 Edition Service Pack 2
Microsoft Windows Server 2003 SP2 (Itanium)
Microsoft Windows Vista
Microsoft Windows Vista Service Pack 1
Microsoft Windows Vista Service Pack 2
Microsoft Windows Vista x64 Edition
Microsoft Windows Vista x64 Edition Service Pack 1
Microsoft Windows Vista x64 Edition Service Pack 2
Microsoft Windows Server 2008 (32-bit)
Microsoft Windows Server 2008 (32-bit) Service Pack 2
Microsoft Windows Server 2008 (x64)
Microsoft Windows Server 2008 (x64) Service Pack 2
Microsoft Windows Server 2008 (Itanium)
Microsoft Windows Server 2008 (Itanium) Service Pack 2
Prevention:
Disable Active Scripting.
Patch:
Not available till date.
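The Active Scripting mitigation listed under Prevention can be checked and applied per security zone through the registry. The following is an added example, not part of the original post; the function names `Get-ActiveScriptingState` and `Disable-ActiveScripting` are hypothetical, and it assumes the per-user zone settings under HKCU are the ones in effect (Group Policy can override them).

```powershell
# Added example (not from the original post): audit and set the IE
# "Active scripting" URL action per security zone for the current user.
# Action 1400 = Active scripting; data 0 = Enable, 1 = Prompt, 3 = Disable.
# Assumption: per-user settings apply; Group Policy can override them.

$ZonesRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Action    = '1400'
$ZoneNames = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$Meaning   = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

# Hypothetical helper: report the current setting for each zone.
function Get-ActiveScriptingState {
    foreach ($zone in ($ZoneNames.Keys | Sort-Object)) {
        $key   = "$ZonesRoot\$zone"
        $value = $null
        if (Test-Path $key) {
            $props = Get-ItemProperty -Path $key -Name $Action -ErrorAction SilentlyContinue
            if ($props) { $value = $props.$Action }
        }
        if ($null -eq $value) {
            $state = 'Not set'
        } elseif ($Meaning.ContainsKey($value)) {
            $state = $Meaning[$value]
        } else {
            $state = "Other ($value)"
        }
        New-Object PSObject -Property @{ Zone = $zone; Name = $ZoneNames[$zone]; State = $state } |
            Select-Object Zone, Name, State
    }
}

# Hypothetical helper: set Active scripting to Disable (3) in the given zones.
function Disable-ActiveScripting {
    param([int[]]$Zone = @(3, 4))
    foreach ($z in $Zone) {
        $key = "$ZonesRoot\$z"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name $Action -Value 3 -Type DWord
    }
}

Get-ActiveScriptingState | Format-Table -AutoSize
# To apply the mitigation to the Internet and Restricted sites zones:
# Disable-ActiveScripting -Zone 3, 4
```

Restart Internet Explorer after changing the setting so the new zone policy is picked up.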
If you want to check your browser against CSS vulnerabilities, you may visit:
http://digitaloffense.net/tools/see-ess-ess-die/cssdie.html
Follow the instructions carefully and click on the test only when you are sure of the risks.
Indian Govt. Websites are damn hackable
Posted by hackthisway on November 20, 2009
At this time, when India is reaching the heights in Sensex and GDP and aspiring to be in the developed nations’ list, one thing that really pisses me off is India’s unawareness and disinterest in the Information Security dept.; at least the poorly configured govt. websites reflect this. When I encountered the vulnerability in the server at hosting.bsnl.in (a subdomain of bsnl.in, pointing at another server), I, out of curiosity, did a vulnerability assessment of some of the Indian govt. websites.
The web applications, the OS on the servers, even the SQL servers are untouched since their first installation. Most of the servers run Windows 2003 (unpatched or SP1) and flaunt their vulnerability like anything. (No surprise why they get hacked!) Most of the time I could carry out the port scan without using the -PN parameter (on nmap).
When I first tried to inform the officials at BSNL regarding the vulnerability, I was taken aback by their response. They did not even understand what I was talking about! It took me some time to make them understand what I meant.
Some of the govt. websites that gave me admin privileges are:
a subdomain at easternrailway.gov.in, rajasthan.gov.in and of course, hosting.bsnl.in (not accessible now though the server exists)
My conversation (on phone) with an officer at eastern railways :
———————————————————————————————————————————————————————————————————————————————————-
Me : Hello Sir, is this the DG ?
Officer : Who is this ?
Me: Sir, I want to report a vulnerability in your website.
Officer: what vulnerability, what website ? (he mispronounced “vulnerability“)
Me: Can I talk to the DG ?
Officer: Sir is out for some official work.
Me: okay, please inform him and ask him to check his email.
(I could hear him chatting with his colleagues, in Bengali I think; he was saying “Someone is talking about the website”)
Me: Ok thanks…
————————————————————————————————————————————————————————————————————————————————————————
Anyway, I have informed the webmasters of the respective websites about the vulnerability and, as proof, attached the videos of the successful logins. I have preserved the videos demonstrating the hacks and wish to publish them here provided the servers get patched.
It is really annoying when some terrorist organizations hack the websites and leak the confidential data…..
Admins, Wake up Now or get shamelessly hacked every now and then !
Hacked into bsnl.in
Posted by hackthisway on November 19, 2009
I was eagerly waiting for BSNL to patch their system so that I could publish this post which shows the hack in action. I could not record the video of the hack since the screen recorder, Istanbul, became unresponsive on my Ubuntu OS.
While preparing for a seminar, I came across this website and out of curiosity Nmapped it to find the OS running on the server. The OS detected was Sun Solaris 10. Then, I tried to check if it is vulnerable to the Sun Solaris 10 telnet daemon authentication bypass vulnerability, and found it vulnerable.
Exploiting a vulnerability in Sun Solaris version 10/11
This is what happened at the console. The exploit worked!! Now, playing a safe game and also being ethical, I mailed the description of the vulnerability to the Deputy Director General, who also happened to be the webmaster at bsnl.co.in
The email itself contains the information about the vulnerability which saves me the pain of describing it again.
I had to wait for 19 days to publish this post since the upgradation at bsnl.in took the same time. BSNL, though late, showed the reaction
Now, Nmapping bsnl.in does not show port 23 open.
Note: I am using Nmap version 5 on Ubuntu Jaunty, compiled it from source!!!!
The power of Imagination – Rise of Sixth Sense
Posted by hackthisway on November 17, 2009
I could not resist uploading this video; this is one of the most jaw-dropping videos I have come across.
At TEDIndia, Pranav Mistry demos several tools that help the physical world interact with the world of data — including a deep look at his SixthSense device and a new, paradigm-shifting paper “laptop.” In an onstage Q&A, Mistry says he’ll open-source the software behind SixthSense, to open its possibilities to all.




