Re: Six Step IE Remote Compromise Cache Attack
http-equiv_at_excite.com
Date: 11/05/03
- Previous message: Russ: "MinorRev: Microsoft Security Bulletin MS03-045 - Buffer Overrun in the ListBox and in the ComboBox Control Could Allow Code Execution (824141)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 5 Nov 2003 16:32:04 -0000 To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
I can confirm the below on a brand spanking new, 3 week old, top-of-
the-line machine with Windows XP Home edition, customised, with every
conceivable patch, security pack, gadget enabled updating twaddle it
comes with and installed to date.
I demand a refund from the vendor ! This is a disgrace. 2 year old
remnant bugs and holes unattended culminating in this full and
complete remote takeover via a web page [again !]. 5 Million dollar
bounties to chase ghosts in the closets wasting law inforcement's
valuable and over-worked time, when it can be better spent on
bounties for bugs and repairing of product I have been duped into
buying.
Pathetic !
Six Step IE Remote Compromise Cache Attack
[tested]
OS:WinXp
Microsoft Internet Explorer v6.Sp1; up-to-date on 2003/10/30
[Overview]
A six step cache attack has been found which allows for remote
compromise of systems running Internet Explorer merely by viewing
a webpage.
This attack is possible partly because of the bugs in Internet
Explorer which remain unfixed. The oldest of these bugs is
almost two years old.
A little something old. A little something new.
Some Kung Fu.
[demo]
The below demo runs a harmless, demonstration executable on your
system.
http://www.safecenter.net/UMBRELLAWEBV4/execdror5/execdror5-MyPage.htm
Note: This demo has not been found to work on all systems. This seems
to be primarily because of the wide divergence in the placement of
temp
folders. A more universal exploit is possible, but too time consuming.
[technical details]
a simple game - It goes a little something like this...
Liu Die Yu's file-protocol proxy bug to reach MYCOMPUTER zone
("file-protocol proxy"
*http://safecenter.net/liudieyu/WsOpenFileJPU/WsOpenFileJPU-
Content.HTM)
then, in MYCOMPUTER zone:
A. use IFRAME to load MHT file which contains payload EXE, then the
MHT
file is stored in IE cache.
B.1. use file:///::{450D8FBA-AD25-11D0-98A8-0800361B1103} to get %
USERPROFILE%;
(the Pull's: http://www.derkeiler.com/Mailing-
Lists/securityfocus/bugtraq/2002-01/0013.html
)
B.2. use "Redirection and Refresh in Iframe parses local file" to
parse
cache index file:
%USERPROFILE%/Local Settings/Temporay Internet
Files/CONTENT.IE5/INDEX.DAT
( Mindwarper of mlsecurity's: http://www.mlsecurity.com/ie/ie.htm)
double slash trick is also needed to make the parsed document
accessible.
( Liu Die Yu's:
http://www.safecenter.net/UMBRELLAWEBV4/DblSlashForCache/DblSlashForCa
che-
Content.htm)
C.1. and we get random directory names(like 9OKV91KH), and we get all
possible URLs
of our payload EXE.
C.2. and we check these URLs with "script src":
(Tom Micklovitch's: http://jscript.dk/Jumper/xploit/scriptsrc.html)
D. when we get a valid local URL pointing to the payload, launch it
with
CODEBASE plus "double slash"
( Liu Die Yu's:
http://www.safecenter.net/UMBRELLAWEBV4/DblSlashForCache/DblSlashForCa
che-
Content.htm)
A little complex. A little simple.
Kung Fu.
[Workaround]
Move your Temporary Internet Files from its' default location:
Tools -> Internet Options -> Temporary Internet Files -> Settings ->
Move Folder
[credit]
Liu Die Yu - exploitation;
Dror Shalev developed ASP part of the code in the demo;
Liu Die Yu wrote the first version of this document;
the Pull improved the quality of this document;
All of the researchers named in "technical details";
Microsoft, for not fixing their bugs;
[Greetings]
greetings to:
Drew Copley, dror, guninski and mkill.
[Message]
"My only badge is my conscience. Guns back a badge, but
hellfire backs the conscience." -- Anonymous ;)
-----
all mentioned resources can always be found at UMBRELLA.MX.TC
[people]
LiuDieyuinchina [N0-@-Sp2m] yahoo.com.cn
UMBRELLA.MX.TC ==> How to contact "Liu Die Yu"
[Employment]
I would like to work professionally as a security researcher/bug
finder.
See my resume at my site. I am very eager to work, flexible, and
extremely productive. I have a top notch resume, with credentials
from leading bug finders. I am willing to work per contract,
relocate,
or telecommute.
-- http://www.malware.com ---- NTBugtraq subscribers save $103.00 off the TICSA exam by using promo code "NT1003" when registering to take the TICSA exam at www.2test.com. Prove to your employer and peers that you have the knowledge and abilities to be an active stakeholder in today's enterprise security. Become TICSA certified www.trusecure.com/ticsa. Promotion expires 12/31/03 and cannot be used in combination with other offers. ----
- Previous message: Russ: "MinorRev: Microsoft Security Bulletin MS03-045 - Buffer Overrun in the ListBox and in the ComboBox Control Could Allow Code Execution (824141)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
