Full Disclosure mailing list archives
RE: [sb] RE: Internet explorer 6 execution of arbitrary code (An analysis of the 180 Solutions Trojan)
From: Jelmer <jkuperus () planet nl>
Date: Tue, 08 Jun 2004 18:44:32 +0200
Can you proof me wrong?
I'll give it a shot.

Before SP1 you could simply load any local file into an iframe. Then they realized, well, this is a security risk, and they removed that ability in SP1. There have been 5 issues found that circumvented this restriction (that I know of):

1) Thor took a look at a prerelease SP1 and added his 2 cents:
http://seclists.org/lists/bugtraq/2002/Sep/0090.html
One of the few times he was actually helpful. It turned out that using a server-side redirect you could still access local resources. This is very much like what you are seeing here. Microsoft then proceeded to correct this.

2) Another issue popped up, this time by mindwarper. Load a file that does a redirect to a local resource in an iframe, reload/refresh the contents, and presto, you're in, it renders it.

3) The shell protocol allows access to local resources like this: <iframe src="shell:profile/bla.htm">. Eiji James Yoshida found this:
http://www.geocities.co.jp/SiliconValley/1667/advisory08e.html

4) Arman Nayyeri found that showHelp let you access local chm files:
http://www.security-corporation.com/articles-20040103-003.html

5) What I describe in the analysis. It's exactly the same as 1) with one distinction: it uses a URL: prefix. IE doesn't see a file, ms-its, res etc. protocol, so assumes it's ok, and lets it pass.

It's nothing like the refresh issue 2) (since there is no refresh). Nor is it anything that Roozbeh describes, since that uses scripting; this is a server-side redirect. However, no, it's not strange that you have this feeling of déjà vu: it's a variation of Thor's find. Microsoft patched it, overlooked this variation, the author of this Trojan caught it, effectively making it a new thing (tm).

Note: I got this wrong in the analysis and will probably update it.

As for Roozbeh Afrasiabi's posts, just ignore them... really, just do it.

-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of BoneMachine
Sent: Tuesday 8 June 2004 15:29
To: huber () post webmailer de; jkuperus () planet nl
Cc: full-disclosure () lists netsys com; peter () diplomatmail net
Subject: Re: [sb] RE: [Full-disclosure] Internet explorer 6 execution of arbitrary code (An analysis of the 180 Solutions Trojan)

Hi Jelmer,

I've read your analysis of the trojan of 180 Solutions and noticed the statement that this issue uses two zero-day exploits. I'm trying to monitor and register IE vulnerabilities and have a strong feeling I've seen the Location header execution before. Just to be sure, are you aware that:

- Liu Die Yu discards the local protocol issue as a refresh issue:
http://www.safecenter.net/UMBRELLAWEBV4/IredirNrefresh/IredirNrefresh-MyPage.htm

- Roozbeh Afrasiabi created a paper about vulnerabilities in IE. One of the vulnerabilities uses the following statement in the example code:
target.location="ms-its:\\ntshared.chm::/copyright.htm";
The posting to bugtraq can be found at:
http://archives.neohapsis.com/archives/bugtraq/2004-05/0109.html

To me these issues and your URL: issue seem the same and afaik no patches for these issues had been provided.

Can you prove me wrong?

Kind regards,
Bone Machine

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
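The bug class Jelmer describes in point 5), a deny-list scheme check that looks at the redirect target as written while the fetch layer tolerates a "URL:" wrapper in front of the real scheme, can be modelled in a few lines. The following is an added illustrative example, not code from the thread, from the trojan, or from Internet Explorer: the local-scheme list, the canonicalization step, the redirect-following loop and the sample redirect table are all assumptions constructed for the demonstration, and the exact internals of IE's zone check are not on this page.

```javascript
// Added model of the "URL:" prefix bypass discussed in the thread. This is NOT
// IE's code; the scheme list, canonicalization rule and redirect map are
// constructed assumptions used to illustrate the bug class.

// Schemes that a zone check treats as "local" (assumed deny-list).
const LOCAL_SCHEMES = new Set(["file", "ms-its", "res", "shell"]);

// Extract the scheme token exactly as it appears at the start of the string.
function schemeOf(url) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// Naive check: classify the URL by the scheme as written. A leading "URL:"
// wrapper makes the scheme token "url", which is not on the deny-list.
function naiveIsLocal(url) {
  const s = schemeOf(url);
  return s !== null && LOCAL_SCHEMES.has(s);
}

// Canonicalize the way a tolerant fetch layer is assumed to: trim whitespace
// and strip any number of "URL:" wrappers before the real scheme is read.
function canonicalize(url) {
  let u = url.trim();
  while (/^url:/i.test(u)) u = u.slice(4).trim();
  return u;
}

// Hardened check: classify the canonical form, i.e. what will actually be loaded.
function hardenedIsLocal(url) {
  return naiveIsLocal(canonicalize(url));
}

// Follow a chain of server-side redirects (Location headers), running the given
// zone check on every hop. `responses` maps a URL to a constructed response.
// Returns the final decision and the URL the fetch layer would really load.
function followRedirect(check, initialUrl, responses) {
  let url = initialUrl;
  for (let hops = 0; hops < 10; hops++) {
    if (check(url)) return { blocked: true, url: canonicalize(url) };
    const r = responses[url];
    if (!r || !r.location) return { blocked: false, url: canonicalize(url) };
    url = r.location;
  }
  throw new Error("too many redirects");
}

// Constructed sample: an iframe on the attacker's host answered with a 302 whose
// Location carries a "URL:"-wrapped local file (hostname and path are made up).
const SAMPLE_RESPONSES = {
  "http://attacker.example/redir": {
    status: 302,
    location: "URL:file:///C:/example.htm",
  },
};

function demo() {
  return {
    naive: followRedirect(naiveIsLocal, "http://attacker.example/redir", SAMPLE_RESPONSES),
    hardened: followRedirect(hardenedIsLocal, "http://attacker.example/redir", SAMPLE_RESPONSES),
  };
}
```

Under the naive check the redirect lands on `file:///C:/example.htm` unblocked, because the decision was made on the string `URL:file:///...`; the hardened check blocks it because it decides on the same canonical form the loader will use. The general lesson is the one Jelmer draws from Thor's original find: check the URL after canonicalization, on every redirect hop, not the URL the server handed you.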
Current thread:
- [sb] RE: Internet explorer 6 execution of arbitrary code (An analysis of the 180 Solutions Trojan) Chris Carlson (Jun 07)
- <Possible follow-ups>
- Re: [sb] RE: Internet explorer 6 execution of arbitrary code (An analysis of the 180 Solutions Trojan) BoneMachine (Jun 08)
- RE: [sb] RE: Internet explorer 6 execution of arbitrary code (An analysis of the 180 Solutions Trojan) Jelmer (Jun 08)
- [sb] RE: Internet explorer 6 execution of arbitrary code (An analysis of the 180 Solutions Trojan) Drew Copley (Jun 10)