Full Disclosure mailing list archives
RE: Internet Explorer 6 on Windows XP allows execution of arbitrary code
From: "Drew Copley" <dcopley () eeye com>
Date: Fri, 12 Sep 2003 15:46:27 -0700
-----Original Message-----
From: Thor Larholm thor () pivx com
Sent: Thu, 11 Sep 2003 16:02:11 -0700
Subject: [Full-disclosure] Internet Explorer 6 on Windows XP allows execution of arbitrary code
The new addition here is abusing how you are able to load a resource file, residing in a local security zone, into a window object. Service Pack 1 for IE6 did a lot to deter this on most regular window objects, but should have extended that effort to search panes as well. Seeing as the content of a search pane can be any registered COM extension to IE, perhaps more should be done to completely separate these from the reach of ordinary scripting. Combining the media bar resource loading with the file-protocol proxy demonstrates just how effectively one can combine several vulnerabilities to achieve a higher level of automation in planting and executing files. The media bar resource loading, and any other resource loading technique, can be combined with any other cross-domain scripting vulnerability to achieve the same result. We will definitely see more combinatorial vulnerabilities in the time to come.
As Jelmer noted, these have been around. Http-Equiv's latest zero day this past week was as pure of a combination as you can get... as he noted.

[Interesting note: Not long after this he added the GreyMagic version of the variant of my object tag bug... People have apparently forgotten that even Dave Ahmad - Bugtraq moderator, Unix security guy - had the first variant on that bug. So, there is another variant apparently no one else knows about until now. Whoop dee doo.]

[I am just glad people didn't call my 'object data bug' "the wrongly called object data bug" because a variant was found. Uggh. I look up that old object tag bug used in this latest zero day... everywhere they have it called "the wrongly called popup bug".]

[I should have called the bug the "fried green tomato bug". I can call an advisory whatever I want... and I always expect there to be more variants or issues involved in it.]

[Lastly, this latest "object type bug" is often confused with the "object data bug". This is due recompense. Entirely different bugs. Very few people apparently realize this. One is a buffer overflow, one is an input validation bug. Very big difference.]

... One thing that can be difficult in these regards, though, is needing to use two different bugs to have one final output. This can be difficult to release if the vendor wishes to release the two bugs in different fixes. But, I only recall these types of issues being released without concern for the vendor's time to fix.

With all of the open bugs that have just been made... there are probably many, many variants. Some of these may be combinations. There are probably expansions to some of these bugs. Maybe some are more serious than originally thought. There is definitely some very interesting stuff in these. Very clever attacks.

The days of buffer overflows are getting shorter and shorter... but bugs that mean remote compromise are here to stay for a very long time.
Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher
http://www.pivx.com/larholm/unpatched - Unpatched IE vulnerabilities

----- Original Message -----
From: "jelmer" <jkuperus () planet nl>
To: <bugtraq () securityfocus com>
Cc: <full-disclosure () lists netsys com>
Sent: Thursday, September 11, 2003 3:31 PM
Subject: [Full-disclosure] Internet Explorer 6 on Windows XP allows execution of arbitrary code
Internet Explorer 6 on Windows XP allows execution of arbitrary code

DESCRIPTION:
Yesterday Liu Die Yu released a series of advisories concerning Internet Explorer. By combining one of these issues with an earlier issue I myself reported a while back, you can construct a specially crafted webpage that can take any action on a user's system, including but not limited to installing trojans, keyloggers, wiping the user's hard drive, etc.
<snip http://lists.netsys.com/pipermail/full-disclosure/2003-September/009917.html
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Internet Explorer 6 on Windows XP allows execution of arbitrary code - jelmer (Sep 11)
  - Re: Internet Explorer 6 on Windows XP allows execution of arbitrary code - Kristian Hermansen (Sep 11)
  - Re: Internet Explorer 6 on Windows XP allows execution of arbitrary code - Thor Larholm (Sep 11)
    - RE: Internet Explorer 6 on Windows XP allows execution of arbitrary code - Richard M. Smith (Sep 12)
  - Re: Internet Explorer 6 on Windows XP allows execution of arbitrary code - Dj MegaWorld (Sep 12)
- <Possible follow-ups>
  - Re: Internet Explorer 6 on Windows XP allows execution of arbitrary code - http-equiv () excite com (Sep 12)
  - RE: Internet Explorer 6 on Windows XP allows execution of arbitrary code - Richard M. Smith (Sep 12)
  - RE: Internet Explorer 6 on Windows XP allows execution of arbitrary code - Drew Copley (Sep 12)