[Full-Disclosure] [sb] RE: Internet explorer 6 execution of arbitrary code (An analysis of the 180 Solutions Trojan)

From: Drew Copley (dcopley_at_eEye.com)
Date: 06/11/04

  • Next message: http-equiv_at_excite.com: "[Full-Disclosure] FOUND: COELACANTH: Phreak Phishing Expedition"
    To: <huber@post.webmailer.de>
    Date: Fri, 11 Jun 2004 03:30:52 +0200
    > -----Original Message-----
    > From: Gadi Evron [mailto:ge@linuxbox.org]
    > Sent: Monday, June 07, 2004 1:47 PM
    > To: Jelmer
    > Cc: bugtraq@securityfocus.com; full-disclosure@lists.netsys.com; peter@diplomatmail.net
    > Subject: Re: Internet explorer 6 execution of arbitrary code (An analysis of the 180 Solutions Trojan)
    >
    > Comments inline.
    >
    > Jelmer wrote:
    >
    > > Just when I thought it was safe to once more use Internet Explorer I received
    > > an email bringing my attention to this webpage
    > > http://216.130.188.219/ei2/installer.htm that according to him used an
    > > exploit that affected fully patched Internet Explorer 6 browsers. Being
    > > rather skeptical I carelessly clicked on the link only to witness how it
    > > automatically installed adware on my pc!!!
    >
    > So, you just clicked on the link which was reported as unsafe, did you? :)
    >
    > Those protocol handlers always seem to cause problems and it's not just
    > on Windows; Apple has had just as many problems in dealing with these
    > for OS X. If it's not a lack of input validation then it is a lack of
    > zone restrictions; perhaps the entire concept of higher privileged zones
    > of any kind should be abandoned.
    >
    > Are these really new vulnerabilities or just variants of old? The
    > "Location: URL:" proxy really just looks like the "Location: File:"
    > proxy that Liu Die Yu reported, and the object caching stuff really just
    > looks like a variation of the advisories from GreyMagic back in 2002
    > with the showModalDialog caching and javascript: injection. Other than
    > those 2, the only real vulnerability on the page is the Ibiza chm stuff
    > which still works on plenty of fully patched machines.

    <snip>

    This is an undisclosed vulnerability which was genuinely found
    in the wild.

    It may utilize some known techniques. It may have some remote
    resemblance to previous vulnerabilities; you mention one of
    Liu Die Yu's old bugs... but most newly posted vulnerabilities
    are somehow derivations of older bugs -- by far and wide. I
    cannot think of a new class of bug found in quite some time.

    "Nothing is new under the sun". Good, old saying.

    You mentioned below something about "starting a Holy War" because
    of this debate -- apparently, some researchers disagreed with each
    other on whether or not this was new. However, it was new, it
    is new, and the issue needs to get patched -- any political or
    "religious" dispute aside.

    So, recap.

    A spyware distributor for a major spyware firm has
    somehow gotten hold of some genuine zero day -- not an easy
    task. They have used this and are using this to make a lot of
    money from it.

    Spyware distributors get cash for every system they trojanize --
    much as "click through" banner systems operate. They can make
    a lot of money doing this. They probably are not cognizant of
    the fact that this kind of unauthorized access on a mass scale
    is an extraordinary crime, prosecutable in any country. If they
    were, they would just use this to do credit card scams -- much
    more payback, just a little bit more illegal.

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html