Full Disclosure mailing list archives
RE: Internet explorer 6 execution of arbitrary code (An analysis of the 180 Solutions Trojan)
From: "Chris Carlson" <chris () compucounts com>
Date: Sun, 6 Jun 2004 22:06:01 -0400
When run remotely: Line: 1 Char: 1 Error: Access is denied. Code: 0 URL: http://62.131.86.111/security/idiots/repro/installer.htm When run locally, software installation is blocked. Using IE 6.0.2900.2096 SP2, WinXP SP2 I've gotta say that SP2 has some VERY nice protection builtin. On the downside, I still havn't figured out how to turn it off ;)
-----Original Message----- From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Jelmer Sent: Sunday, June 06, 2004 21:22 To: bugtraq () securityfocus com Cc: full-disclosure () lists netsys com; peter () diplomatmail net Subject: [Full-disclosure] Internet explorer 6 execution of arbitrary code (An analysis of the 180 Solutions Trojan) Just when I though it was save to once more use internet explorer I received an email bringing my attention to this webpage http://216.130.188.219/ei2/installer.htm that according to him used an exploit that affected fully patched internet explorer 6 browsers. Being rather skeptical I carelessly clicked on the link only to witness how it automatically installed addware on my pc!!! Now there had been reports about 0day exploits making rounds for quite some time like for instance this post http://www.securityfocus.com/archive/1/363338/2004-05-11/2004-05-17/0 However I hadn't seen any evidence to support this up until now Thor Larholm as usual added to the confusion by deliberately spreading disinformation as seen in this post http://seclists.org/lists/bugtraq/2004/May/0153.html Attributing it to and I quote "just one of the remaining IE vulnerabilities that are not yet patched" I've attempted to write up an analysis that will show that there are at least 2 new and AFAIK unpublished vulnerabilities (feel free to proof me wrong) out there in the wild, one being fairly sophisticated You can view it at: http://62.131.86.111/analysis.htm Additionally you can view a harmless demonstration of the vulnerabilities at http://62.131.86.111/security/idiots/repro/installer.htm Finally I also attached the source files to this message
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- RE: Internet explorer 6 execution of arbitrary code (An analysis of the 180 Solutions Trojan), (continued)
- RE: Internet explorer 6 execution of arbitrary code (An analysis of the 180 Solutions Trojan) Larry Seltzer (Jun 06)
- Re: Internet explorer 6 execution of arbitrary code (An analysis of the 180 Solutions Trojan) Gadi Evron (Jun 07)
- [sb] RE: Internet explorer 6 execution of arbitrary code (An analysis of the 180 Solutions Trojan) Larry Seltzer (Jun 07)
- Re: Internet explorer 6 execution of arbitrary code (An analysis of the 180 Solutions Trojan) Gadi Evron (Jun 07)
- RE: Internet explorer 6 execution of arbitrary code (An analysis of the 180 Solutions Trojan) Chris Carlson (Jun 06)
- Re: Internet explorer 6 execution of arbitrary code (An analysis of the 180 Solutions Trojan) http-equiv () excite com (Jun 07)
- Re: Internet explorer 6 execution of arbitrary code (An analysis of the 180 Solutions Trojan) Gadi Evron (Jun 07)
- Re: Re: Internet explorer 6 execution of arbitrary code (An analysis of the 180 Solutions Trojan) http-equiv () excite com (Jun 08)
- Re: Re: Internet explorer 6 execution of arbitrary code (An analysis of the 180 Solutions Trojan) Gadi Evron (Jun 08)
- Re: Re: Internet explorer 6 execution of arbitrary code (An analysis of the 180 Solutions Trojan) Benjamin Meade (Jun 09)
- Re: Re: Internet explorer 6 execution of arbitrary code (An analysis of the 180 Solutions Trojan) Gadi Evron (Jun 09)
- Re: Internet explorer 6 execution of arbitrary code (An analysis of the 180 Solutions Trojan) Gadi Evron (Jun 07)