Full Disclosure mailing list archives

RE: [sb] RE: Internet explorer 6 execution of arbitrary code (An analysis of the 180 Solutions Trojan)


From: Jelmer <jkuperus () planet nl>
Date: Tue, 08 Jun 2004 18:44:32 +0200

Can you prove me wrong?

I'll give it a shot

Before SP1 you could simply load any local file into an iframe. Then they
realized this is a security risk and removed that ability in SP1.
There have been 5 issues found that circumvented this restriction (that I
know of):


1) Thor took a look at a prerelease SP1 and added his 2 cents

http://seclists.org/lists/bugtraq/2002/Sep/0090.html

One of the few times he was actually helpful.
It turned out that using a server-side redirect you could still access local
resources. This is very much like what you are seeing here.
Microsoft then proceeded to correct this.

2) Another issue popped up, this time found by mindwarper.

Load a file that does a redirect to a local resource in an iframe, reload to
refresh the contents, and presto, you're in: it renders it.

3) The shell protocol allows access to local resources like this: <iframe
src="shell:profile/bla.htm">. Eiji James Yoshida found this.

http://www.geocities.co.jp/SiliconValley/1667/advisory08e.html

4) Arman Nayyeri found that showHelp lets you access local chm files.

http://www.security-corporation.com/articles-20040103-003.html


5) What I describe in the analysis. It's exactly the same as 1), with one
distinction: it uses a URL: prefix. IE doesn't see a file, ms-its, res etc.
protocol, so it assumes it's OK and lets it pass.


It's nothing like the refresh issue 2) (since there is no refresh).

Nor is it anything that Roozbeh describes: that uses scripting, this is a
server-side redirect.

However, no, it's not strange that you have this feeling of déjà vu; it's a
variation of Thor's find. Microsoft patched it, overlooked this variation,
and the author of this Trojan caught it, effectively making it a new thing (tm).



Note: I got this wrong in the analysis and will probably update it.
As for Roozbeh Afrasiabi's posts, just ignore them... really, just do it.


-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of BoneMachine
Sent: Tuesday 8 June 2004 15:29
To: huber () post webmailer de; jkuperus () planet nl
Cc: full-disclosure () lists netsys com; peter () diplomatmail net
Subject: Re: [sb] RE: [Full-disclosure] Internet explorer 6 execution of
arbitrary code (An analysis of the 180 Solutions Trojan)

Hi Jelmer,
I've read your analysis of the trojan of 180 Solutions and noticed the
statement that this issue uses two zero-day exploits.
I'm trying to monitor and register IE vulnerabilities and have a strong
feeling I've seen the Location header execution before.
Just to be sure, are you aware that:
- Liu Die Yu discards the local protocol issue as a refresh issue:
http://www.safecenter.net/UMBRELLAWEBV4/IredirNrefresh/IredirNrefresh-MyPage.htm
- Roozbeh Afrasiabi created a paper about vulnerabilities in IE. One of the
vulnerabilities uses the following statement in the example code:
target.location="ms-its:\\ntshared.chm::/copyright.htm";
The posting to bugtraq can be found at:
http://archives.neohapsis.com/archives/bugtraq/2004-05/0109.html

To me these issues and your URL: issue seem the same, and afaik no patches
for these issues have been provided.

Can you prove me wrong?




Kind regards,
Bone Machine
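As an added example, not part of either message in this thread: a defender-side check for the redirect pattern Jelmer describes in point 5 and BoneMachine asks about, flagging HTTP Location headers whose target resolves to a local-resource scheme even when wrapped in a URL: prefix. It assumes the wrapper takes the literal form URL:<inner url> (the thread does not spell out the syntax), and the sample responses are constructed.

```python
import re

# Schemes the thread names as reaching local resources (file, ms-its, res, shell).
LOCAL_SCHEMES = {"file", "ms-its", "res", "shell"}


def unwrap_url_prefix(target: str) -> str:
    """Strip surrounding whitespace and any leading 'URL:' wrappers.

    Assumption: the wrapper is the literal text 'URL:' in any case; it is
    stripped repeatedly so that nested wrappers do not hide the inner scheme.
    """
    t = target.strip()
    while t[:4].lower() == "url:":
        t = t[4:].lstrip()
    return t


def scheme_of(target: str) -> str:
    """Return the lower-cased URL scheme, or '' for relative targets."""
    m = re.match(r"^([a-zA-Z][a-zA-Z0-9+.-]*):", target)
    return m.group(1).lower() if m else ""


def suspicious_redirects(raw_response: str) -> list:
    """Scan the header block of an HTTP response and return (Location value,
    effective scheme) for every Location header that points at a local scheme."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    hits = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")   # only the first colon separates name/value
        if not sep or name.strip().lower() != "location":
            continue
        scheme = scheme_of(unwrap_url_prefix(value))
        if scheme in LOCAL_SCHEMES:
            hits.append((value.strip(), scheme))
    return hits


# Constructed samples: one ordinary redirect, one redirect wrapped in a URL: prefix
# whose inner target uses a local-resource scheme (placeholder file name).
SAMPLE_BENIGN = "HTTP/1.1 302 Found\r\nLocation: http://example.com/next\r\n\r\n"
SAMPLE_WRAPPED = (
    "HTTP/1.1 302 Found\r\n"
    "Location: URL:ms-its:EXAMPLE_PLACEHOLDER.chm::/page.htm\r\n\r\n"
)
```

Run over a proxy or IDS capture, the second sample is reported while the first is not; relative Location values yield an empty scheme and are never flagged.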



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

