Re: Six Step IE Remote Compromise Cache Attack
Date: Wed, 5 Nov 2003 16:32:04 -0000
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
I can confirm the below on a brand spanking new, 3 week old, top-of-
the-line machine with Windows XP Home edition, customised, with every
conceivable patch, security pack, gadget enabled updating twaddle it
comes with and installed to date.
I demand a refund from the vendor ! This is a disgrace. 2 year old
remnant bugs and holes unattended culminating in this full and
complete remote takeover via a web page [again !]. 5 Million dollar
bounties to chase ghosts in the closets wasting law enforcement's
valuable and over-worked time, when it can be better spent on
bounties for bugs and repairing of product I have been duped into
Six Step IE Remote Compromise Cache Attack
Microsoft Internet Explorer v6.Sp1; up-to-date on 2003/10/30
A six step cache attack has been found which allows for remote
compromise of systems running Internet Explorer merely by viewing
This attack is possible partly because of the bugs in Internet
Explorer which remain unfixed. The oldest of these bugs is
almost two years old.
A little something old. A little something new.
Some Kung Fu.
The below demo runs a harmless, demonstration executable on your
Note: This demo has not been found to work on all systems. This seems
to be primarily because of the wide divergence in the placement of
folders. A more universal exploit is possible, but too time consuming.
a simple game - It goes a little something like this...
Liu Die Yu's file-protocol proxy bug to reach MYCOMPUTER zone
then, in MYCOMPUTER zone:
A. use IFRAME to load MHT file which contains payload EXE, then the
file is stored in IE cache.
B.2. use "Redirection and Refresh in Iframe parses local file" to
cache index file:
%USERPROFILE%/Local Settings/Temporary Internet
( Mindwarper of mlsecurity's: http://www.mlsecurity.com/ie/ie.htm)
double slash trick is also needed to make the parsed document
( Liu Die Yu's:
C.1. and we get random directory names (like 9OKV91KH), and we get all
of our payload EXE.
C.2. and we check these URLs with "script src":
(Tom Micklovitch's: http://jscript.dk/Jumper/xploit/scriptsrc.html)
D. when we get a valid local URL pointing to the payload, launch it
CODEBASE plus "double slash"
( Liu Die Yu's:
A little complex. A little simple.
Move your Temporary Internet Files from its default location:
Tools -> Internet Options -> Temporary Internet Files -> Settings ->
Liu Die Yu - exploitation;
Dror Shalev developed ASP part of the code in the demo;
Liu Die Yu wrote the first version of this document;
the Pull improved the quality of this document;
All of the researchers named in "technical details";
Microsoft, for not fixing their bugs;
Drew Copley, dror, guninski and mkill.
"My only badge is my conscience. Guns back a badge, but
hellfire backs the conscience." -- Anonymous ;)
all mentioned resources can always be found at UMBRELLA.MX.TC
LiuDieyuinchina [N0-@-Sp2m] yahoo.com.cn
UMBRELLA.MX.TC ==> How to contact "Liu Die Yu"
I would like to work professionally as a security researcher/bug
See my resume at my site. I am very eager to work, flexible, and
extremely productive. I have a top notch resume, with credentials
from leading bug finders. I am willing to work per contract,
-- http://www.malware.com