Full Disclosure mailing list archives
Re: IE exploit runs code from graphics?
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Fri, 25 Jun 2004 13:43:54 +1200
"Larry Seltzer" <larry () larryseltzer com> wrote:
From http://www.eweek.com/article2/0,,1617045,00.asp: "Analysts at NetSec Inc., a managed security services provider, began seeing indications of the compromises early Thursday morning and have since seen a large number of identical attacks on their customers' networks. The attack uses a novel vector: embedded code hidden in graphics on Web pages... NetSec officials said the attack seems to exploit a vulnerability in Internet Explorer."
Without having access to any of the information as to what web pages NetSec thinks are involved, but having seen many recent posts about the so-called "RFI - Russian IIS Hacks" I'd suggest that both reports are referring to one and the same, or at least, very closely related, things.

Common exploits of the ms-its: (etc) protocol download compiled help files (.CHM) from some web site, causing the HTML code inside the .CHM to be run in the "My Computer" security zone. Typically (like all but one of _dozens and dozens_ of these I've seen) the "inner" HTML run from the .CHM then uses a lightly modified form of one of the common ADODB.Stream PoC exploits to download yet another file, save it as a .EXE and run it. Sometimes the file the ADODB exploit code pulls down will be named with a .GIF or .JPG extension (it can be _any_ extension the attacker likes as the ADODB.Stream vuln allows the attacker to specify the target filename and path on the new victim machine _in full_).

That is hardly the same thing as "embedded code hidden in graphics on Web pages", but I can easily imagine a naïve journalist getting confused over such technical issues or a company representative hankering for some media exposure over-selling the seriousness or novelty of what they "discovered"...

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html