HijackClickV2 - a successor of HijackClick attack

From: Liu Die Yu (liudieyuinchina_at_yahoo.com.cn)
Date: 11/25/03

  • Next message: Liu Die Yu: "MHTML Redirection Leads to Downloading EXE and Executing" 
    Date: 25 Nov 2003 10:00:23 -0000
To: bugtraq@securityfocus.com
    ('binary' encoding is not supported, stored as-is)

    HijackClickV2 - a successor of HijackClick attack

    [tested]
    OS:Win2k3,CN version
    IE: with MS03-048 installed.

    OS:WinXp, CN version
    Microsoft Internet Explorer v6.Sp1; up-to-date on 2003/11/16

    [overview]
    After applying MS03-048, the original HijackClick exploit doesn't work any more.
    With method caching(a.k.a "SaveRef"), HijackClick works again.

    [demo]
    There is a harmless demo:
    http://www.safecenter.net/UMBRELLAWEBV4/HijackClickV2/HijackClickV2-MyPage.htm

    [technical details]
    After applying MS03-048, the original HijackClick exploit doesn't work any more.
    (Liu Die Yu's http://www.safecenter.net/UMBRELLAWEBV4/HijackClick/HijackClick-MyPage.HTM

    Because window.moveBy is inaccessible. Method caching attack can make window.moveBy accessible again.

    [Workaround]
    Disable Active Scripting in INTERNET zone.

    [Greetings]
    greetings to:
    Drew Copley, dror, guninski and mkill.

    -----
    all mentioned resources can always be found at UMBRELLA.MX.TC

    [people]
    LiuDieyuinchina [N0-@-Sp2m] yahoo.com.cn
    UMBRELLA.MX.TC ==> How to contact "Liu Die Yu"

    [message]
    A wise man learns from other's mistakes; a fool learns from his own.

    [Employment]
    I would like to work professionally as a security researcher/bug finder.

    See my resume at my site. I am very eager to work, flexible, and
    extremely productive. I have a top notch resume, with credentials
    from leading bug finders. I am willing to work per contract, relocate,
    or telecommute.
     
    [Give a Hand]
    I haven't got a job as a security researcher yet and my family don't support my security work - so, I don't have a computer of my own. Please consider about donating at:
    http://clik.to/donatepc

  • Next message: Liu Die Yu: "MHTML Redirection Leads to Downloading EXE and Executing"