UPDATED: the insider exploit (= the latest IE 0day which involves SHOWMODALDIALOG)

From: Liu Die Yu (liudieyu_at_UMBRELLA.NAME)
Date: 01/11/05

Date: Tue, 11 Jan 2005 02:06:14 -0500
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

The insider exploit (= the latest IE 0day involving SHOWMODALDIALOG) was
verified to work on winxp-en-pro-sp1-ms04004 (MS04-004 = Q832894 =
KB832894), but it does not work on winxp-en-pro-sp1-noextrapatch.

jelmer's exploit is not perfect: URLs are hardcoded, and JSP is not
popular. So I made this PHP version for copy-and-play:
http://0daymon.org/monitor/insider/dir.zip

=====
I got it while preparing my collection of applicable IE 0day and related
original posts:
http://0daymon.org/monitor/
That exploit doesn't work without that IE patch - quite weird, right?

And those phishers and their tech support are not as wise as the media
describes:
1. They should have removed their code immediately after
THE-INSIDER (RAFI from IS) published those URLs. But they still run
their stuff to tell the whole world: "yes! we are criminals armed with
0day!"
2. At that time most home-user systems (= their targets) were not
up to date, which means most of them didn't have MS04-004, required for the
exploit to successfully compromise them.

First I test, then I post :-)))

--
NTBugtraq Editor's Note:
Most viruses these days use spoofed email addresses. As such, using an Anti-Virus product which automatically notifies the perceived sender of a message it believes is infected may well cause more harm than good. Someone who did not actually send you a virus may receive the notification and scramble their support staff to find an infection which never existed in the first place. Suggest such notifications be disabled by whomever is responsible for your AV, or at least that the idea is considered.
--
