Message-ID: <200404062156.i36LuvW9001159@web129.megawebservers.com>
From: 1 at malware.com (http-equiv@...ite.com)
Subject: IE exploit going around on irc


<!-- 

I thought you were already aware of the text/x-scriptlet
object variation of Ibiza which was exploited in the wild before 
Ibiza
was even discussed on Bugtraq

 -->

Really? I'd be most interested in seeing a reference to that. The 
time-line I have is:

1. On Wednesday, February 11, 2004 3:21 AM someone sent me a 
link to www.ibiza-victoria.com which was riddled with images 
and iframes pointing to the chm file. At the time nothing 
happened when viewing it, as it used the object codebase in the 
chm to trigger, which was patched on XP; as a result no further 
examination took place.

2. Liu Die's fake mhtml redirect was published in December 2003, 
along with minor mentions of similar fake file tricks prior to 
that.

3. On Sat Mar 27 2004 - 13:17:45 CST the "new worm?" thread was 
posted on Bugtraq. At the time I took Internet Explorer to the 
address and port mentioned in the post and actually infected 
myself. Closer examination revealed the exact same technique as 
Ibiza, that is, with iframes and images used to render, draw to 
the cache and refresh in order to activate it.

4. Trying to reproduce on my server failed, and at that time I 
placed it in an object with type="text/x-scriptlet" without the 
need for refresh or images to cache the file or iframes to 
render it. Hence my notation with the demo of a more robust 
method.

5. Punching in <object data="ms-its:mhtml: to Google, which is 
the core of this, reveals nothing prior to April. That is, object 
with type="text/x-scriptlet" and referencing a non-existent 
mhtml file inside a chm to redirect to the local file.

http://www.google.com/search?hl=en&lr=&ie=UTF-8&oe=UTF-8&q=%3Cobject+data%3D%22ms-its%3Amhtml%3A&btnG=Search

Therefore, when exactly was this same technique used 
prior to Ibiza being posted on Bugtraq?

This is not about semantics but accuracy in security, which, 
without it, leads to insecurity or no security at all.


-- 
http://www.malware.com
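The two variants the post distinguishes (object elements carrying an ms-its:mhtml: reference with type="text/x-scriptlet", versus iframes and images pointing at the same kind of reference for the cache-and-refresh approach) share one observable signature in the markup: a URL attribute whose value starts with the ms-its:mhtml: prefix. The detector below is an added example, not code from the post or from malware.com; it walks captured HTML with the standard-library parser and reports every such element, flagging the object/text/x-scriptlet pairing separately. The sample page is constructed here for the example, and the file names inside the sample URLs are placeholders, not the paths used by any real exploit.

```python
import re
from html.parser import HTMLParser

# Scheme prefix the post identifies as the core of the technique:
# an ITS (compiled help) URL wrapping an mhtml: reference.
MSITS_MHTML = re.compile(r"^\s*ms-its:\s*mhtml:", re.IGNORECASE)

# URL-carrying attributes on the elements the post mentions.
URL_ATTRS = {
    "object": ("data", "codebase"),
    "iframe": ("src",),
    "img": ("src",),
    "embed": ("src",),
}


class MsItsScanner(HTMLParser):
    """Records elements whose URL attribute starts with ms-its:mhtml:."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lowercases tag and attribute names.
        attr_map = {name: (value or "") for name, value in attrs}
        for attr in URL_ATTRS.get(tag, ()):
            url = attr_map.get(attr, "")
            if not MSITS_MHTML.match(url):
                continue
            mime = attr_map.get("type", "").strip().lower()
            self.findings.append({
                "tag": tag,
                "attr": attr,
                "url": url.strip(),
                "type": mime,
                # object + text/x-scriptlet is the variant the post singles
                # out; iframe/img hits are the render-and-refresh variant.
                "scriptlet_variant": tag == "object" and mime == "text/x-scriptlet",
            })

    def handle_startendtag(self, tag, attrs):
        # Treat <img .../> the same as <img ...>.
        self.handle_starttag(tag, attrs)


def scan_html(html_text):
    """Return a list of findings for ms-its:mhtml: references in html_text."""
    scanner = MsItsScanner()
    scanner.feed(html_text)
    scanner.close()
    return scanner.findings


# Constructed sample page (not captured from the wild): one benign object,
# one object in the scriptlet variant, one iframe in the render variant.
# The .mht/.htm names are placeholders, not real exploit paths.
SAMPLE_HTML = """
<html><body>
<object data="movie.swf" type="application/x-shockwave-flash"></object>
<OBJECT DATA="ms-its:mhtml:file://C:\\placeholder.mht!placeholder.htm" TYPE="text/x-scriptlet"></OBJECT>
<iframe src="ms-its:mhtml:file://C:\\placeholder.mht!placeholder.htm"></iframe>
<img src="logo.png">
</body></html>
"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        print(finding)
```

Matching is anchored at the start of the attribute value and is case-insensitive, because the parser lowercases names but not values; a page that wrote MS-ITS:MHTML: would otherwise slip through. The codebase attribute is checked on object elements as well as data, since the post notes the earlier Ibiza pages triggered through the object codebase rather than through data.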