| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: mike at alanpickel.com (Michael Evanchik)
Subject: Re: Six Step IE Remote Compromise Cache Attack
I would first like to commend microsoft on patching the exploit very quickly.
Second I would like to like to say I totally give up on internet explorer an have moved on to Mozilla firebird. Thank you open source!
And now ,for those of you who do not know, here is what Liu Die Yu does not show you in his zip file.
1) take out the function name and brackets and all code below </script> in default.htm and save to make the start automatic
2) open MHT-ldy.mht and open it in notepad.
3) edit the 2 links for the .exe and the shell.htm (read step 4 on how that file is created) file 4o be the exact location of your exe and shell.htm on the server your hosting the pages(most likely you will need full access to the server and freehosts wont work)
5) change the base64 exe code to your own in MHT-ldy.mht and save
6) save it as shell.htm to the same location you have noted in MHT-ldy.mht
7) of course delete all the alert command lines in ScriptBodyJsp.asp
Mike
www.high-pow-er.com
-----Original Message-----
From: http-equiv@...ite.com [mailto:1@...ware.com]
Sent: Wed 11/5/2003 11:36 AM
To: full-disclosure@...ts.netsys.com
Subject: [Full-Disclosure] Re: Six Step IE Remote Compromise Cache Attack
I can confirm the below on a brand spanking new, 3 week old, top-of-
the-line machine with Windows XP Home edition, customised, with every
conceivable patch, security pack, gadget enabled updating twaddle it
comes with and installed to date.
I demand a refund from the vendor ! This is a disgrace. 2 year old
remnant bugs and holes unattended culminating in this full and
complete remote takeover via a web page [again !]. 5 Million dollar
bounties to chase ghosts in the closets wasting law inforcement's
valuable and over-worked time, when it can be better spent on
bounties for bugs and repairing of product I have been duped into
buying.
Pathetic !
Liu Die Yu wrote:
Six Step IE Remote Compromise Cache Attack
[tested]
OS:WinXp
Microsoft Internet Explorer v6.Sp1; up-to-date on 2003/10/30
[Overview]
A six step cache attack has been found which allows for remote
compromise of systems running Internet Explorer merely by viewing
a webpage.
This attack is possible partly because of the bugs in Internet
Explorer which remain unfixed. The oldest of these bugs is
almost two years old.
A little something old. A little something new.
Some Kung Fu.
[demo]
The below demo runs a harmless, demonstration executable on your
system.
http://www.safecenter.net/UMBRELLAWEBV4/execdror5/execdror5-MyPage.htm
Note: This demo has not been found to work on all systems. This seems
to be primarily because of the wide divergence in the placement of
temp
folders. A more universal exploit is possible, but too time consuming.
[technical details]
a simple game - It goes a little something like this...
Liu Die Yu's file-protocol proxy bug to reach MYCOMPUTER zone
("file-protocol proxy"
*http://safecenter.net/liudieyu/WsOpenFileJPU/WsOpenFileJPU-
Content.HTM)
then, in MYCOMPUTER zone:
A. use IFRAME to load MHT file which contains payload EXE, then the
MHT
file is stored in IE cache.
B.1. use file:///::{450D8FBA-AD25-11D0-98A8-0800361B1103} to get %
USERPROFILE%;
(the Pull's: http://www.derkeiler.com/Mailing-
Lists/securityfocus/bugtraq/2002-01/0013.html
)
B.2. use "Redirection and Refresh in Iframe parses local file" to
parse
cache index file:
%USERPROFILE%/Local Settings/Temporay Internet
Files/CONTENT.IE5/INDEX.DAT
( Mindwarper of mlsecurity's: http://www.mlsecurity.com/ie/ie.htm)
double slash trick is also needed to make the parsed document
accessible.
( Liu Die Yu's:
http://www.safecenter.net/UMBRELLAWEBV4/DblSlashForCache/DblSlashForCa
che-
Content.htm)
C.1. and we get random directory names(like 9OKV91KH), and we get all
possible URLs
of our payload EXE.
C.2. and we check these URLs with "script src":
(Tom Micklovitch's: http://jscript.dk/Jumper/xploit/scriptsrc.html)
D. when we get a valid local URL pointing to the payload, launch it
with
CODEBASE plus "double slash"
( Liu Die Yu's:
http://www.safecenter.net/UMBRELLAWEBV4/DblSlashForCache/DblSlashForCa
che-
Content.htm)
A little complex. A little simple.
Kung Fu.
[Workaround]
Move your Temporary Internet Files from its' default location:
Tools -> Internet Options -> Temporary Internet Files -> Settings ->
Move Folder
[credit]
Liu Die Yu - exploitation;
Dror Shalev developed ASP part of the code in the demo;
Liu Die Yu wrote the first version of this document;
the Pull improved the quality of this document;
All of the researchers named in "technical details";
Microsoft, for not fixing their bugs;
[Greetings]
greetings to:
Drew Copley, dror, guninski and mkill.
[Message]
"My only badge is my conscience. Guns back a badge, but
hellfire backs the conscience." -- Anonymous ;)
-----
all mentioned resources can always be found at UMBRELLA.MX.TC
[people]
LiuDieyuinchina [N0-@...2m] yahoo.com.cn
UMBRELLA.MX.TC ==> How to contact "Liu Die Yu"
[Employment]
I would like to work professionally as a security researcher/bug
finder.
See my resume at my site. I am very eager to work, flexible, and
extremely productive. I have a top notch resume, with credentials
from leading bug finders. I am willing to work per contract,
relocate,
or telecommute.
--
http://www.malware.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20031114/09b294e9/attachment.html
Powered by blists - more mailing lists