lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <000001c44c42$b0da5e30$3200000a@alex>
From: jkuperus at planet.nl (Jelmer)
Subject: Internet explorer 6 execution of arbitrary code
 (An analysis of the 180 Solutions Trojan)

Most recent exploits are like vehicles, they are assembled piece by piece,
you can make a virus scanner detect the wheels, but a car, a bus and a bike
are most certainly entirely different things! Yet none of them are any good
without wheels, oh and in this case painting the wheel another color would
circumvent detection, it's just that trivial, virus scanners are pretty
useless against these type of attacks


>From the psysm description:

"The vulnerability allows for the writing, and overwriting, of local files
by exploiting the ADODB.Stream object"

As I wrote in the analysis, this exploit uses both known and unknown
vulnerabilities. What is detected as psysm (the wheels) is what I described
in this post

http://seclists.org/lists/fulldisclosure/2003/Aug/1703.html

And is used in this exploit as well
However this flaw that has gone unpatched for many many months, only works
when run from a file on the local hard drive!, so essentially it's a useless
find unless you can complement it with one or more other vulnerabilities

Over the past couple of months it's been combined with many an exploit

I used it in combination with one of liu's finds
http://lists.netsys.com/pipermail/full-disclosure/2003-September/009992.html

Andreas sandblad used it:
http://www.forbiddenweb.org/viewtopic.php?t=5242&view=previous

Mindwarper used it:
http://www.securityfocus.com/archive/1/342471

Some unknown person used it in the wild and wrote a worm, http-equiv did a
writeup on it
http://seclists.org/lists/fulldisclosure/2004/Mar/1404.html

many many more people used it

But it are all separate exploits and none of the formentioned ones work
anymore they have been patched and dealt with, well except on thor's pc
naturally ;) but thor deserves only mockery





-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Larry Seltzer
Sent: maandag 7 juni 2004 4:43
To: 'Jelmer'; bugtraq@...urityfocus.com
Cc: full-disclosure@...ts.netsys.com; peter@...lomatmail.net
Subject: RE: [Full-Disclosure] Internet explorer 6 execution of arbitrary
code (An analysis of the 180 Solutions Trojan)

>>Finally I also attached the source files to this message

My McAfee-based gateway scanner blocks the attachment and labels it as
"VBS/Psyme",
which has this description
(http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100749): 

"This trojan exploits an unpatched (at the time of this writing)
vulnerability in
Internet Explorer.  The vulnerability allows for the writing, and
overwriting, of local
files by exploiting the ADODB.Stream object.  There are several variants of
this trojan.
Therefore this description is design to give an overview of how the trojan
works.

The trojan exists as VBScript.  This script contains instructions to
download a remote
executable, save it to a specified location on the local disk, and then
execute it."

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.ziffdavis.com/seltzer
larryseltzer@...fdavis.com 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ