Message-ID: <20031125100621.24588.qmail@sf-www2-symnsj.securityfocus.com>
Date: 25 Nov 2003 10:06:21 -0000
From: Liu Die Yu <liudieyuinchina@...oo.com.cn>
To: bugtraq@...urityfocus.com
Subject: Note for "Invalid ContentType may disclose cache directory"
Note for "Invalid ContentType may disclose cache directory"
This vulnerability ("Invalid ContentType may disclose cache directory") doesn't work on all systems.
("Invalid ContentType may disclose cache directory", at http://www.safecenter.net/UMBRELLAWEBV4/threadid10008/)
Please note that execdror6 and LocalZoneInCache also depend on this vulnerability.
(execdror6: http://www.safecenter.net/UMBRELLAWEBV4/execdror6/
LocalZoneInCache: http://www.safecenter.net/UMBRELLAWEBV4/LocalZoneInCache/)
I have spent an extraordinary amount of time on this issue, and here is all I know about it:
First, the code was verified to work on a WinXp system (Simplified Chinese version) with all patches.
Then, I sent LocalZoneInCache to HTTP-EQUIV, Dror Shalev and the Pull for testing:
It works on Dror Shalev's WinXp machine (up-to-date) but it doesn't work on the Pull's Win2k system
(because he set the killbit for the Adodb.Stream ActiveX object).
Soon after that, HTTP-EQUIV found it does not work on his WinXp system (2-3 weeks old, with the latest IE patch).
Then, to figure out what happened, I formatted the disk and installed Win2k3 and WinXp (both Simplified Chinese version) and then applied the latest IE patch.
Both remote compromise cases (LocalZoneInCache and execdror6) don't work any more.
At last, I reproduced both remote compromise cases on MSIEv6 running on Simplified Chinese WinXp with the following patches:
SP1; Q828750; Q330994; Q824145 (a.k.a. MS03-048)
If you are using IE, please help me test it and send the result directly to my email box.
Thanks in advance.