Full Disclosure mailing list archives

RE: Internet Explorer 6 on Windows XP allows execution of arbitrary code


From: "Drew Copley" <dcopley () eeye com>
Date: Fri, 12 Sep 2003 15:46:27 -0700



-----Original Message-----
From:  Thor Larholm thor () pivx com 
Sent: Thu, 11 Sep 2003 16:02:11 -0700 
Subject: [Full-disclosure] Internet Explorer 6 on Windows XP 
allows execution of arbitrary code 



The new addition here is abusing how you are able to load a 
resource file, residing in a local security zone, into a 
window object. Service Pack 1 for IE6 did a lot to deter this 
on most regular window objects, but should have extended that 
effort to search panes as well. Seeing as the content of a 
search pane can be any registered COM extension to IE, 
perhaps more should be done to completely separate these from 
the reach of ordinary scripting.

Combining the mediabar resource loading with the 
file-protocol proxy demonstrates just how effectively one can 
combine several vulnerabilities to achieve a higher level of 
automation in planting and executing files. The media bar 
resource loading, and any other resource loading technique, 
can be combined with any other cross-domain scripting 
vulnerability to achieve the same result.

We will definitely see more combinatorial vulnerabilities in 
the time to come.

As Jelmer noted, these have been around. Http-Equiv's latest zero day this
past week was as pure of a combination as you can get... As he noted.

[Interesting Note: Not long after this he added the greymagic version of the
variant of my object tag bug... People have apparently forgotten that even
Dave Ahmad - Bugtraq moderator Unix security guy - had the first variant on
that bug. So, there is another variant apparently no one else knows about
until now. Whoop dee doo. ]

[I am just glad people didn't call my 'object data bug', " the wrongly
called object data bug" because a variant was found. Uggh. I look up that
old object tag bug used in this latest zero day... everywhere they have it
called "the wrongly called popup bug".]

[I should have called the bug the "fried green tomato bug". I can call an
advisory whatever I want... and I always expect there to be more variants or
issues involved in it.]

[Lastly, with this latest "object type bug", it is often confused with the
"object data bug". This is due recompense. Entirely different bugs. Very few
people apparently realize this. One is a buffer overflow, one is an input
validation bug. Very big difference.]

...

One thing that can be difficult in these regards, though, is needing to use
two different bugs to have one final output. This can be difficult to release
if the vendor wishes to release the two bugs in different fixes. But, I only
recall these types of issues being released without concern for the vendor's
time to fix.

With all of the open bugs that have just been made... There are probably
many, many variants. Some of these may be combinations. There are probably
expansions to some of these bugs. Maybe some are more serious than
originally thought. 

There is definitely some very interesting stuff in these. Very clever
attacks. The days of buffer overflows are getting shorter and shorter... But
bugs that mean remote compromise are here to stay for a very long time.



Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher 
http://www.pivx.com/larholm/unpatched - Unpatched IE vulnerabilities


----- Original Message ----- 
From: "jelmer" <jkuperus () planet nl>
To: <bugtraq () securityfocus com>
Cc: <full-disclosure () lists netsys com>
Sent: Thursday, September 11, 2003 3:31 PM
Subject: [Full-disclosure] Internet Explorer 6 on Windows XP allows execution
of arbitrary code


Internet Explorer 6 on Windows XP allows execution of arbitrary code

DESCRIPTION :

Yesterday Liu Die Yu released a series of advisories concerning 
Internet Explorer. By combining one of these issues with an earlier 
issue I myself reported a while back, you can construct a specially 
crafted webpage that can take any action on a user's system, 
including but not limited to installing trojans, keyloggers, wiping 
the user's hard drive etc.
<snip>
http://lists.netsys.com/pipermail/full-disclosure/2003-September/009917.html




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

