New "Clean" IE Remote Compromise

From: Liu Die Yu (liudieyuinchina_at_yahoo.com.cn)
Date: 11/25/03

  • Next message: Liu Die Yu: "BackToFramedJpu - a successor of BackToJpu attack" 
    Date: 25 Nov 2003 09:48:23 -0000
To: bugtraq@securityfocus.com
    ('binary' encoding is not supported, stored as-is)

    [tested]
    OS:Win2k3,CN version
    IE: with MS03-048 installed.

    OS:WinXp, CN version
    Microsoft Internet Explorer v6.Sp1; up-to-date on 2003/11/16

    [overview]
    By combining several vulnerabilities in Internet Explorer, an attacker can execute his EXE file on victim's system.
    ("Clean" means: there is no old published vulnerability involved in this exploit)

    [demo]
    There is a harmless demo:
    http://www.safecenter.net/UMBRELLAWEBV4/1stCleanRc/1stCleanRc-Demo/index.html
    (runs harmless demonstration executable)

    [technical details]
    First, use MhtRedirParsesLocalFile to parse a local file in an IFRAME,
    (Liu Die Yu's http://www.safecenter.net/UMBRELLAWEBV4/MhtRedirParsesLocalFile)
    Then, use BackToFramedJpu to reach MYCOMPUTER zone.
    (Liu Die Yu's http://www.safecenter.net/UMBRELLAWEBV4/BackToFramedJpu)
    At last, in MYCOMPUTER security zone, use MhtRedirLaunchInetExe to download the payload EXE file and execute it.
    (Liu Die Yu's http://www.safecenter.net/UMBRELLAWEBV4/MhtRedirLaunchInetExe)

    [Workaround]
    Disable Active Scripting in INTERNET zone.

    [Greetings]
    greetings to:
    Drew Copley, dror, guninski and mkill.

    -----
    all mentioned resources can always be found at UMBRELLA.MX.TC

    [people]
    LiuDieyuinchina [N0-@-Sp2m] yahoo.com.cn
    UMBRELLA.MX.TC ==> How to contact "Liu Die Yu"

    [message]
    A wise man learns from other's mistakes; a fool learns from his own.

    [Employment]
    I would like to work professionally as a security researcher/bug finder.

    See my resume at my site. I am very eager to work, flexible, and
    extremely productive. I have a top notch resume, with credentials
    from leading bug finders. I am willing to work per contract, relocate,
    or telecommute.
     
    [Give a Hand]
    I haven't got a job as a security researcher yet and my family don't support my security work - so, I don't have a computer of my own. Please consider about donating at:
    http://clik.to/donatepc

  • Next message: Liu Die Yu: "BackToFramedJpu - a successor of BackToJpu attack"

    Relevant Pages

    • RE: VS 2008 Web Projects will not debug - filename...syntax is inc
      ... I was browsing some other posts on this site that led me to a file called ... I removed the section with Notepad and set IsDefault under Internet Explorer ... Microsoft Online Community Support ...
      (microsoft.public.vsnet.debugging)
    • Re: Cant install IE 6.0 SP1
      ... LPKJA="Japanese Text Display Support" ... LPKJADESC="The Japanese language pack enables Internet Explorer to display ...
      (microsoft.public.windows.inetexplorer.ie6.setup)
    • Re: Grrrrr! Link and graphics problems ...
      ... issues my best guess is that at your home your connection ... On my home computer, on Microsoft Internet Explorer 6, it ... Support on Macs and non IE browsers ... >enough for the site to fully load. ...
      (microsoft.public.publisher.webdesign)
    • RE: owa error
      ... you receive the rich version. ... Internet Explorer 5.0 and later are ... rich browsers, which are sometimes called browsers. ... The reach version does not support these extended feature sets, ...
      (microsoft.public.exchange2000.admin)
    • RE: Replace ActiveX on ASP page with a .NET Windows Forms component
      ... When hosting a Windows Forms component in IE, ... #Configuring Internet Explorer Applications (.NET Framework Developer's ... Microsoft Online Community Support ...
      (microsoft.public.vsnet.general)