Message-ID: <000601c44d77$e2ec23f0$3200000a@alex>
From: jkuperus at planet.nl (Jelmer)
Subject: [sb] RE: Internet explorer 6 execution of
arbitrary code (An analysis of the 180 Solutions Trojan)
> Can you prove me wrong?
I'll give it a shot
Before SP1 you could simply load any local file into an iframe; then they
realized, well, this is a security risk, and they removed that ability in SP1.
There have been 5 issues found that circumvented this restriction (that I
know of):
1) Thor took a look at a prerelease SP1 and added his 2 cents:
http://seclists.org/lists/bugtraq/2002/Sep/0090.html
One of the few times he was actually helpful.
It turned out that using a serverside redirect you could still access local
resources. This is very much like what you are seeing here.
Microsoft then proceeded to correct this.
2) Another issue popped up, this time by mindwarper:
Load a file that does a redirect to a local resource in an iframe, reload,
refresh the contents and presto, you're in: it renders it.
3) The shell protocol allows access to local resources like this:
<iframe src="shell:profile/bla.htm">. Eiji James Yoshida found this:
http://www.geocities.co.jp/SiliconValley/1667/advisory08e.html
4) Arman Nayyeri found that showHelp let you access local .chm files:
http://www.security-corporation.com/articles-20040103-003.html
5) What I describe in the analysis. It's exactly the same as 1) with one
distinction: it uses a URL: prefix. IE doesn't see a file, ms-its, res etc.
protocol, so it assumes it's OK and lets it pass.
It's nothing like the refresh issue 2) (since there is no refresh).
Nor is it anything that Roozbeh describes, since that uses scripting and this
is a serverside redirect.
However, no, it's not strange that you have this feeling of déjà vu: it's a
variation of Thor's find. Microsoft patched it, overlooked this variation,
and the author of this Trojan caught it, effectively making it a new thing (tm).
Note: I got this wrong in the analysis and will probably update it.
As for Roozbeh Afrasiabi's posts, just ignore them... really, just do it.
-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of BoneMachine
Sent: Tuesday 8 June 2004 15:29
To: huber@...t.webmailer.de; jkuperus@...net.nl
Cc: full-disclosure@...ts.netsys.com; peter@...lomatmail.net
Subject: Re: [sb] RE: [Full-Disclosure] Internet explorer 6 execution of
arbitrary code (An analysis of the 180 Solutions Trojan)
Hi Jelmer,
I've read your analysis of the 180 Solutions trojan and noticed the
statement that this issue uses two zero-day exploits.
I'm trying to monitor and register IE vulnerabilities and have a strong
feeling I've seen the Location header execution before.
Just to be sure, are you aware that:
- Liu Die Yu discards the local protocol issue as a refresh issue:
http://www.safecenter.net/UMBRELLAWEBV4/IredirNrefresh/IredirNrefresh-MyPage.htm
- Roozbeh Afrasiabi created a paper about vulnerabilities in IE. One of the
vulnerabilities uses the following statement in the example code:
target.location="ms-its:\\ntshared.chm::/copyright.htm";
The posting to bugtraq can be found at:
http://archives.neohapsis.com/archives/bugtraq/2004-05/0109.html
To me these issues and your URL: issue seem the same, and afaik no patches
for these issues had been provided.
Can you prove me wrong?
Kind regards
Bone Machine
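As an added illustration of the URL: prefix variation Jelmer describes (not code from either poster, nor IE's own zone logic), the Python below models a check that reads the raw scheme beside one that normalises the redirect target first, run over constructed Location header values; the local-scheme list and the helper names are assumptions.

```python
import re
from typing import List, Optional, Tuple

# Schemes that reach local-machine resources in IE6 as named in the thread
# (file, res, shell, ms-its); its and mk are added here as an assumption.
LOCAL_SCHEMES = {"file", "res", "shell", "ms-its", "its", "mk"}
_SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.-]*):", re.IGNORECASE)
_URL_WRAPPER_RE = re.compile(r"^url:\s*", re.IGNORECASE)

def naive_scheme(url: str) -> Optional[str]:
    """Scheme as a naive zone check sees it: the text before the first colon."""
    m = _SCHEME_RE.match(url)
    return m.group(1).lower() if m else None

def normalize_url(url: str) -> str:
    """Canonicalise a redirect target before the zone decision (hypothetical
    helper, not IE's own logic): strip leading whitespace and any number of
    stacked 'URL:' wrappers.  A raw-string check reads 'URL:file:...' as the
    unknown scheme 'url', which is the bypass the thread describes."""
    s = url.lstrip(" \t\r\n")
    while True:
        m = _URL_WRAPPER_RE.match(s)
        if not m:
            return s
        s = s[m.end():]

def naive_is_local(url: str) -> bool:
    """Verdict of a check that trusts the raw scheme string."""
    return naive_scheme(url) in LOCAL_SCHEMES

def normalized_is_local(url: str) -> bool:
    """Verdict of a check that normalises first, then inspects the scheme."""
    return naive_scheme(normalize_url(url)) in LOCAL_SCHEMES

def audit(urls: List[str]) -> List[Tuple[str, bool, bool]]:
    """Return (url, naive verdict, normalised verdict) for each candidate."""
    return [(u, naive_is_local(u), normalized_is_local(u)) for u in urls]

# Constructed Location header values modelled on the thread's examples.
SAMPLES = [
    "http://example.invalid/page.htm",
    "shell:profile/bla.htm",
    "ms-its:\\ntshared.chm::/copyright.htm",
    "URL:file:///C:/constructed/win.ini",
    "url:URL:res://placeholder.dll/page.htm",
]

if __name__ == "__main__":
    for url, naive, norm in audit(SAMPLES):
        print(f"{url:40} naive_local={naive!s:5} normalized_local={norm}")
```

The rows where the naive verdict is False and the normalised verdict is True are exactly the URL:-wrapped targets that a raw-scheme check lets through.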