[Full-Disclosure] RE: Internet explorer 6 execution of arbitrary code (An analysis of the 180 Solutions Trojan)

From: Jelmer (jkuperus_at_planet.nl)
Date: 06/08/04

  • Next message: Schmehl, Paul L: "RE: [Full-Disclosure] another new worm submission"
    To: "'Gadi Evron'" <ge@linuxbox.org>
    Date: Tue, 08 Jun 2004 02:48:50 +0200

    >> Just when I though it was save to once more use internet explorer I
    >> an email bringing my attention to this webpage
    >> that according to him used an
    >> exploit that affected fully patched internet explorer 6 browsers. Being
    >> rather skeptical I carelessly clicked on the link only to witness how it
    >> automatically installed addware on my pc!!!

    >So, you just clicked on the link which was reported as unsafe, did you? :)

    Yes I did, I am not saying that it was a bright thing to do, but this was on
    my home pc I really didn't have much to loose I use it to play games read
    email, browse the web do some coding,
    Addware I can handle, it's usually pretty easy to remove once you know how
    it works

    >Those protocol handlers always seem to cause problems and it's not just
    >on Windows, Apple has had just as many problems in dealing with these
    >for OS X.

    Agreed they are a persistent pain in the ass

    If it's not a lack of input validation then it is a lack of
    >zone restrictions, perhaps the entire concept of higher privileged zones
    >of any kind should be abandoned.

    >Are these really new vulnerabilities or just variants of old? The
    >"Location: URL:" proxy really just looks like the "Location: File:"
    >proxy that Liu Die Yu reported

    Yes it's a lot like the file proxy
    But surely you won't argue protocol proxying itself is vulnerability, it's a
    feature, the vulnerability was that Microsoft engineers forgot to take it
    into account in *that particular instance*,

    Liu die yu found out that you could inject javascript code in the search
    pane res file using file:

    These folks found out that you can use url:ms-its to do a redirect to a
    local file

    Surely this is a different thing! , If someone found a bufferoverflow
    somewhere and the next year someone found another one in an entirely
    different segment of code, you'd argue that it's the same thing??
    Well they both used strcopy insecurely blah bla.. c'mon

    >and the object caching stuff really just
    >looks like a variation of the advisories from GreyMagic back in 2002
    >with the showModalDialog caching and javascript: injection. Other than
    >those 2,

    No its waaaaaaay more sophisticated than the method caching stuff I've
    looked at it some more and there seems to be some really wacky stuff going
    on. I suspect they had a look at the leaked IE source, I'll probably have to
    update the analysis a bit if I can figure it what the hell it is they're

    And again each and every one of the method caching vulnerabilities liu and
    greymagic found where separate flaws, a separate oversight by Microsoft

    >the only real vulnerability on the page is the Ibiza chm stuff
    >which still works on plenty of fully patched machines.

    and what would that be??
    Ibiza brought only a single new thing to the table and this is nothing like
    it for the rest it build on old vulnerabilies, infact it was a variation of
    one of my exploits , surely you knew that didn't you?

    >> Now there had been reports about 0day exploits making rounds for quite
    >> time like for instance this post
    >> http://www.securityfocus.com/archive/1/363338/2004-05-11/2004-05-17/0

    >Why is this a 0-day? Are you trying to start a holy war here? Please
    >explain why this is a 0-day if you make such claims.

    It uses 2 new vulnerabilities that where

    - not reported on any security list (afaik)
    - first encountered in the wild
    I won't argue semantics here but that's the reason why I chose to slap that
    label on it

    >> However I hadn't seen any evidence to support this up until now
    >> Thor Larholm as usual added to the confusion by deliberately spreading
    >> disinformation as seen in this post
    >> http://seclists.org/lists/bugtraq/2004/May/0153.html

    >Thor? Spreading disinformation?

    Yes but only when he isn't blatantly lying

    >> Attributing it to and I quote "just one of the remaining IE
    >> that are not yet patched"

    >That sounds about right.

    Like I said these are 2 new issues, at best they are the same class of
    vulnerabilities we have seen previously but they are not variations!

    >> I've attempted to write up an analysis that will show that there are at
    >> least 2 new and AFAIK unpublished vulnerabilities (feel free to proof me
    >> wrong) out there in the wild, one being fairly sophisticated

    >I, personally, appreciate any serious research work, but why put down a
    >colleague while you're at it?

    >> You can view it at:
    >> Additionally you can view a harmless demonstration of the vulnerabilities
    >> Finally I also attached the source files to this message

    >If this really was a 0-day, isn't that a tad irresponsible?

    So we are back to the full disclosure, limited disclosure, no disclosure
    etc.. debate again, how trite

    >As to Thor...

    >You are claiming that he is deliberately spreading disinformation, but
    >then you proceed to verify his claims.

    Verify?? These issue's weren't reported before they are new, thor is full
    of crap and my post proofed it, it's unfortunate that you fail to comprehend
    this perhaps you lack the expertise in this particular niche of security
    research to tell the difference

    >Are you sure you don't just have a personal vendetta against him?

    No it's nothing personal it's just my general way of treating dishonest
    individuals, there I many many reasons why I dislike pivx, but I don't think
    this is the appropriate forum to vent them

    >I don't see what's wrong with him pitching his product (Quik-Fix (?))
    >when reporting his research. That's how the industry work.

    >You do research and advertise the company that did it, and what solution
    >it offers.
    >Working for free doesn't put food on the table and he has a product that
    >might actually protects against such issues. What's next, you will
    >complain about AV companies who say they detect a virus or security
    >researchers that get paid to work instead of living off the street
    >credit from the security mailing lists? Maybe you just don't like
    >companies of any kind.

    Ok what you have to understand is that Qwik fix is a collection of 5
    registry patches nothing more, nothing less.. (run regmon, filemon while
    running it and verify this) I can accomplish the same task by clicking on a
    .reg file

    They slapped a nice frontend on it some corporate branding, made it
    available for free, pivx has some exposure, the user has a saver pc,
    everybody wins, and that's all ok with me so far

    But ask yourself how seriously can you take a company that names 5 registry
    patches their flagship product??

    Now they are trying to cash in on it by providing a pro version of the
    product. They wrote a freaking 16 page whitepaper explaining the business
    benefits of 5 registry patches!!!


    I had this argument with someone before who asked me the same thing, he
    asked me why do you dislike pivx so much,

    doesn't their product work?
    Well I had to admit that it did

    Well isn't it worth the money then?
    Well again I had to say, this can save your company a lot of $$

    So you dislike them so much?

    I finally got thru to him with the following analogy

    What if someone offered to sell you a bottle of water for $400 would you buy
    Well hell no he replied.
    To which I replied doesn't it relief your thirst then?
    Doesn't it come with all sorts of minerals and stuff and keeps you alive?

    It are just 5 registry patches, they are charging money for 5 registry
    patches!!!, Much like selling water at $400 the bottle it is not illegal,
    but anyone would agree that such a person would be a conman, and conmen pivx

    Their product is closed source so it makes it difficult to know what it
    does, they make the progress bar move really really slow when applying these
    fixes so it looks as if there is some heavy wizardry going on etc etc..

    I dislike conmen they rub off badly to the rest of the people who have real
    products to sell and put a lot of work in them (for clarity I am not a
    competitor to me it's all fun and games) but surely you can sympathize with

    >As to the research itself...
    >Thor went through the hnc3k.com website and listed all the pages and
    >vulnerabilities on it, which sounds like an exhaustive task to me.

    Sure he put in a lot of work, but came up empty!
    *ALL* of the stuff he listed where old exploits long rendered useless by
    Microsoft patched, yet he managed to reach some miraculous conclusion

    The evidence did not match the conclusion, I encourage you to click on any
    of the links he provided in that post with a fully IE6 on winxp, there's a
    20 euro bill with your name on it if you get infected by anything but the
    common cold.

    >But didn't you do the same and when analyzing the 180 solutions Trojan
    >pages? It sounds pretty exhaustive as well.

    >The difference is that Thor also told you how to protect against this,
    >by locking down the My Computer zone. I can't see anywhere that Thor was
    >referring to the object caching vulnerability you are listing as new. In
    >my mind, he was referring to the old Unpatched page that he used to
    >maintain and that would mean he said some of those are still not patched.

    >I miss that page. It was very good.

    Yes interesting that that more or les coincided with the Microsoft logo
    popping up on their client list http://www.pivx.com/clients.html
    Oh and liu maintains a similar list now, you might want to check it out
    though it's updated as frequently as I'd like, maybe I'll start my own who

    >We know that Ibiza still works

    Talk is cheap and words are plenty where's the proof of that?? , this is
    entirely different, the only thing they share is my adodb.stream code so you
    can't be referring to my post as proof that "Ibiza" still works

    So can you show me the code for an Ibiza variation that still works?

    >and that there are still problems with
    >the SSL certificate handling in IE, don't you think he was just
    >referring to those? From this side it really just looks as if you are
    >trying to deal a low blow against Mr. Larholm because you have some
    >personal grudge against him.
    >I hope I provided you with information to re-think your claims. Also,
    >please try and keep your grudges to yourself where 50K plus busy people
    >need to sift through vital information?

    I probably saved you and these 50K others work by doing this write-up, for
    free I may add. And I'll bloody well write whatever I like in it, if you
    come half way and realize the signal to noise ratio is too high for you,
    stop reading! I am not forcing you to read it.

    I am not adding these remarks to be nasty or offend mr Larholm personally, I
    do think a lot of the stunts they pull are unethical and I'll do everything
    in my power to expose them

    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

  • Next message: Schmehl, Paul L: "RE: [Full-Disclosure] another new worm submission"