Re: Six Step IE Remote Compromise Cache Attack

http-equiv_at_excite.com
Date: 11/05/03

  • Next message: http-equiv_at_excite.com: "POS#1 Self-Executing HTML: Internet Explorer 5.5 and 6.0 Part III"
    Date:         Wed, 5 Nov 2003 16:32:04 -0000
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    I can confirm the below on a brand spanking new, 3 week old, top-of-
    the-line machine with Windows XP Home edition, customised, with every
    conceivable patch, security pack, gadget enabled updating twaddle it
    comes with and installed to date.

    I demand a refund from the vendor ! This is a disgrace. 2 year old
    remnant bugs and holes unattended culminating in this full and
    complete remote takeover via a web page [again !]. 5 Million dollar
    bounties to chase ghosts in the closets wasting law inforcement's
    valuable and over-worked time, when it can be better spent on
    bounties for bugs and repairing of product I have been duped into
    buying.

    Pathetic !

    Six Step IE Remote Compromise Cache Attack

    [tested]
    OS:WinXp
    Microsoft Internet Explorer v6.Sp1; up-to-date on 2003/10/30

    [Overview]

    A six step cache attack has been found which allows for remote
    compromise of systems running Internet Explorer merely by viewing
    a webpage.

    This attack is possible partly because of the bugs in Internet
    Explorer which remain unfixed. The oldest of these bugs is
    almost two years old.

    A little something old. A little something new.

    Some Kung Fu.

    [demo]

    The below demo runs a harmless, demonstration executable on your
    system.
    http://www.safecenter.net/UMBRELLAWEBV4/execdror5/execdror5-MyPage.htm

    Note: This demo has not been found to work on all systems. This seems
    to be primarily because of the wide divergence in the placement of
    temp
    folders. A more universal exploit is possible, but too time consuming.

    [technical details]
    a simple game - It goes a little something like this...

    Liu Die Yu's file-protocol proxy bug to reach MYCOMPUTER zone
    ("file-protocol proxy"
    *http://safecenter.net/liudieyu/WsOpenFileJPU/WsOpenFileJPU-
    Content.HTM)

    then, in MYCOMPUTER zone:
    A. use IFRAME to load MHT file which contains payload EXE, then the
    MHT
    file is stored in IE cache.

    B.1. use file:///::{450D8FBA-AD25-11D0-98A8-0800361B1103} to get %
    USERPROFILE%;
    (the Pull's: http://www.derkeiler.com/Mailing-
    Lists/securityfocus/bugtraq/2002-01/0013.html
    )

    B.2. use "Redirection and Refresh in Iframe parses local file" to
    parse
    cache index file:
    %USERPROFILE%/Local Settings/Temporay Internet
    Files/CONTENT.IE5/INDEX.DAT
    ( Mindwarper of mlsecurity's: http://www.mlsecurity.com/ie/ie.htm)
    double slash trick is also needed to make the parsed document
    accessible.
    ( Liu Die Yu's:
    http://www.safecenter.net/UMBRELLAWEBV4/DblSlashForCache/DblSlashForCa
    che-
    Content.htm)

    C.1. and we get random directory names(like 9OKV91KH), and we get all
    possible URLs
    of our payload EXE.
    C.2. and we check these URLs with "script src":
    (Tom Micklovitch's: http://jscript.dk/Jumper/xploit/scriptsrc.html)

    D. when we get a valid local URL pointing to the payload, launch it
    with
    CODEBASE plus "double slash"
    ( Liu Die Yu's:
    http://www.safecenter.net/UMBRELLAWEBV4/DblSlashForCache/DblSlashForCa
    che-
    Content.htm)

    A little complex. A little simple.

    Kung Fu.

    [Workaround]

    Move your Temporary Internet Files from its' default location:
    Tools -> Internet Options -> Temporary Internet Files -> Settings ->
    Move Folder

    [credit]
    Liu Die Yu - exploitation;
    Dror Shalev developed ASP part of the code in the demo;
    Liu Die Yu wrote the first version of this document;
    the Pull improved the quality of this document;
    All of the researchers named in "technical details";
    Microsoft, for not fixing their bugs;

    [Greetings]
    greetings to:
    Drew Copley, dror, guninski and mkill.

    [Message]
    "My only badge is my conscience. Guns back a badge, but
    hellfire backs the conscience." -- Anonymous ;)

    -----
    all mentioned resources can always be found at UMBRELLA.MX.TC

    [people]
    LiuDieyuinchina [N0-@-Sp2m] yahoo.com.cn
    UMBRELLA.MX.TC ==> How to contact "Liu Die Yu"

    [Employment]

    I would like to work professionally as a security researcher/bug
    finder.

    See my resume at my site. I am very eager to work, flexible, and
    extremely productive. I have a top notch resume, with credentials
    from leading bug finders. I am willing to work per contract,
    relocate,
    or telecommute.

    --
    http://www.malware.com
    ----
    NTBugtraq subscribers save $103.00 off the TICSA exam by using promo
    code "NT1003" when registering to take the TICSA exam at www.2test.com.
    Prove to your employer and peers that you have the knowledge and
    abilities to be an active stakeholder in today's enterprise security.
    Become TICSA certified www.trusecure.com/ticsa.  Promotion expires
    12/31/03 and cannot be used in combination with other offers.
    ----
    

  • Next message: http-equiv_at_excite.com: "POS#1 Self-Executing HTML: Internet Explorer 5.5 and 6.0 Part III"

    Relevant Pages