Re: new internet explorer exploit (was new worm)

From: Jelmer (jkuperus_at_planet.nl)
Date: 03/30/04

    Date: Tue, 30 Mar 2004 13:00:29 +0200
    To: Void <void@sect.net>, full-disclosure@lists.netsys.com, bugtraq@securityfocus.com
    
    

    And even that small measure of warning is trivially defeated

    if I change the url in my exploit.htm from

    ms-its:mhtml:file://C:\foo.mht!${PATH}/EXPLOIT.CHM::/exploit.htm

    to

    &#109;s-its:mhtml:file://C:\foo.mht!${PATH}/EXPLOIT.CHM::/exploit.htm

    It gives no warning whatsoever, proving once again that you shouldn't
    solely rely on virus scanners, though others might do a better job, I can't
    imagine anyone doing it worse

    ----- Original Message -----
    From: "Void" <void@sect.net>
    To: "Jelmer" <jkuperus@planet.nl>; <full-disclosure@lists.netsys.com>;
    <bugtraq@securityfocus.com>
    Sent: Monday, March 29, 2004 9:15 PM
    Subject: Re: new internet explorer exploit (was new worm)

    > Just wanted to add that Norton Anti-Virus 2004 will detect this exploit and
    > pop up a warning, but also fails to halt its execution or protect the user
    > in any way.
    >
    > Here is what it thinks it is:
    >
    > http://securityresponse.symantec.com/avcenter/venc/data/bloodhound.exploit.6.html
    >
    > So there is some measure of warning, but no real protection.
    >
    >
    > At 04:35 PM 3/29/2004 +0200, Jelmer wrote:
    > >The code used by this worm to exploit its users at least partly is (I
    > >think) new, the vulnerability it abused has afaik not been published on
    > >either bugtraq or full-disclosure. possibly making it (one of?) the first
    > >worm to totally catch people off guard.
    > >
    > >It allows a malicious person to take any action on an unsuspecting user who
    > >views a specially prepared page's pc
    > >
    > >The known ingredient it uses is :
    > >http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2003-08/1758.html
    > >that has gone unpatched for over 5 months now
    > >
    > >The remainder of the exploit manages to confuse this same adodb.stream
    > >object enough to make it think it's being run from a local location
    > >
    > >You can protect yourself against it by running
    > >http://ip3e83566f.speed.planet.nl/hacked-by-chinese/fix.reg
    > >
    > >
    > >I attached sample code myself to illustrate the problem, because
    > >http-equiv's was messy :)
    > >This one should be more straightforward to use
    > >
    > >Instructions :
    > >
    > >1. unzip
    > >2. overwrite exploit.exe with the executable you wish to run, or leave it
    > >untouched if you want to see some nice texturemapped rotation
    > >3. upload the files to a webserver
    > >4. view exploit.htm
    > >
    > >Tested on winxp pro all patches
    > >
    > >the lazy ones among you can also view a demonstration here :
    > >
    > >http://ip3e83566f.speed.planet.nl/security/newone/exploit.htm
    >
    >
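
Added example, not part of the original posts: detection logic that decodes HTML character references before checking a URL's scheme, so the `&#109;s-its:` form quoted above is seen the same way as `ms-its:`. The `<object data=...>` markup, the attribute pattern and the raw-match mode are constructed assumptions for illustration (the posts do not say how the scanner matched), and the hex-reference case generalizes beyond the decimal form shown in the post.

```python
import html
import re

# Scheme prefixes taken from the URL quoted in the post.
FLAGGED_SCHEMES = ("ms-its:", "mhtml:")

# Constructed, deliberately small pattern: quoted URL-bearing attributes only.
ATTR_RE = re.compile(r"""(?:href|src|data)\s*=\s*(["'])(.*?)\1""", re.I | re.S)


def normalize(value):
    """Decode character references the way an HTML parser does before the
    attribute value reaches URL handling, then fold case for comparison."""
    return html.unescape(value).strip().lower()  # &#109; and &#x6D; both become "m"


def scan(markup, decode=True):
    """Return attribute values whose scheme is flagged.

    decode=False models a scanner that matches the raw text of the page
    (an assumption made for this comparison).
    """
    hits = []
    for _quote, value in ATTR_RE.findall(markup):
        candidate = normalize(value) if decode else value.strip().lower()
        if candidate.startswith(FLAGGED_SCHEMES):
            hits.append(candidate)
    return hits


# Constructed sample markup built around the two URL forms quoted in the post.
URL = r"s-its:mhtml:file://C:\foo.mht!${PATH}/EXPLOIT.CHM::/exploit.htm"
SAMPLES = {
    "plain": '<object data="m%s"></object>' % URL,
    "decimal reference": '<object data="&#109;%s"></object>' % URL,
    "hex reference": '<object data="&#x6D;%s"></object>' % URL,
    "benign": '<a href="http://example.com/help.htm">help</a>',
}

if __name__ == "__main__":
    for name, markup in SAMPLES.items():
        print("%-18s raw=%d decoded=%d"
              % (name, len(scan(markup, False)), len(scan(markup))))
```

Matching on the raw text flags only the plain sample; matching after decoding flags all three encoded variants and leaves the benign link alone.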

