Full Disclosure mailing list archives

RE: Internet explorer 6 execution of arbitrary code (An analysis of the 180 Solutions Trojan)


From: Jelmer <jkuperus () planet nl>
Date: Mon, 07 Jun 2004 04:17:28 +0200

I haven't installed SP2 yet since I heard a lot of complaints from people
who claimed it caused instability, it had memory management issues, some
drivers didn't work, security measures a bit too much in your face, etc.

But I reviewed the list of changes some time back and I concur, it looks very
promising. I think in the near future an IE exploit will be a rare
occurrence as opposed to a biweekly event.

-----Original Message-----
From: Chris Carlson [mailto:chris () compucounts com] 
Sent: maandag 7 juni 2004 4:06
To: Jelmer
Cc: full-disclosure () lists netsys com; bugtraq () securityfocus com
Subject: RE: [Full-disclosure] Internet explorer 6 execution of arbitrary
code (An analysis of the 180 Solutions Trojan)

When run remotely:

Line: 1
Char: 1
Error: Access is denied.
Code: 0
URL: http://62.131.86.111/security/idiots/repro/installer.htm

When run locally, software installation is blocked. 

Using IE 6.0.2900.2096 SP2, WinXP SP2

I've gotta say that SP2 has some VERY nice protection built in.  On the
downside, I still haven't figured out how to turn it off ;)

-----Original Message-----
From: full-disclosure-admin () lists netsys com 
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of Jelmer
Sent: Sunday, June 06, 2004 21:22
To: bugtraq () securityfocus com
Cc: full-disclosure () lists netsys com; peter () diplomatmail net
Subject: [Full-disclosure] Internet explorer 6 execution of 
arbitrary code (An analysis of the 180 Solutions Trojan)

Just when I thought it was safe to once more use Internet 
Explorer, I received an email bringing my attention to this 
webpage http://216.130.188.219/ei2/installer.htm that, 
according to him, used an exploit that affected fully patched 
Internet Explorer 6 browsers. Being rather skeptical, I 
carelessly clicked on the link only to witness how it 
automatically installed adware on my PC!!!
 
Now there had been reports about 0day exploits making rounds 
for quite some time, like for instance this post:
 
http://www.securityfocus.com/archive/1/363338/2004-05-11/2004-05-17/0 
 
However, I hadn't seen any evidence to support this up until 
now. Thor Larholm, as usual, added to the confusion by 
deliberately spreading disinformation, as seen in this post:
 
http://seclists.org/lists/bugtraq/2004/May/0153.html
 
Attributing it to, and I quote, "just one of the remaining IE 
vulnerabilities that are not yet patched".

I've attempted to write up an analysis that will show that 
there are at least 2 new and AFAIK unpublished 
vulnerabilities (feel free to prove me wrong) out there in 
the wild, one being fairly sophisticated.

You can view it at:

http://62.131.86.111/analysis.htm

Additionally you can view a harmless demonstration of the 
vulnerabilities at

http://62.131.86.111/security/idiots/repro/installer.htm

Finally, I also attached the source files to this message.




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

