Full Disclosure mailing list archives
Re: IE exploit going around on irc
From: "http-equiv () excite com" <1 () malware com>
Date: Tue, 6 Apr 2004 21:56:57 -0000
<!-- I thought you were already aware of the text/x-scriptlet object variation of Ibiza which was exploited in the wild before Ibiza was even discussed on Bugtraq -->

Really? I'd be most interested in seeing a reference to that. The time-line I have is:

1. On Wednesday, February 11, 2004 3:21 AM someone sent me a link to www.ibiza-victoria.com which was riddled with images and iframes pointing to the chm file. At the time nothing happened when viewing it as it used the object code base in the chm to trigger which was patched on XP, as a result no further examination took place.

2. Liu Die's fake mhtml redirect was published in December 2003 along with minor mentions of similar fake file tricks prior to that.

3. On Sat Mar 27 2004 - 13:17:45 CST the "new worm?" thread was posted on bugtraq. At the time I took Internet Explorer to the address and port mentioned in the post and actually infected myself. Closer examination revealed the exact same technique as ibiza, that is, with iframes and images used to render, draw to the cache and refresh in order to activate it.

4. Trying to reproduce on my server failed and at that time I placed it in an object with type="text/x-scriptlet" without the need for refresh or images to cache the file or iframes to render it. Hence my notation with the demo of a more robust method.

5. Punching in <object data="ms-its:mhtml: to google, which is the core of this, reveals nothing prior to April. That is, object with type="text/x-scriptlet" and referencing a non-existent mhtml file inside a chm to redirect to the local file.

http://www.google.com/search?hl=en&lr=&ie=UTF-8&oe=UTF-8&q=%3Cobject+data%3D%22ms-its%3Amhtml%3A&btnG=Search

Therefore when and when exactly was this same technique used prior to ibiza being posted on bugtraq?

This is not about semantics but accuracy in security which without it, leads to insecurity or no security at all.
--
http://www.malware.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
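
An added example, not part of the original post: a defender-side scan of saved HTML (proxy captures, mail attachments, cached pages) for the markers the message names, an `ms-its:mhtml:` URL in an `object` tag and the `text/x-scriptlet` type. Checking `iframe` and `img` sources for the same prefix, the `scan` helper and the sample markup are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Prefix and MIME type quoted in the post; compared case-insensitively.
SUSPECT_PREFIX = "ms-its:mhtml:"
SCRIPTLET_TYPE = "text/x-scriptlet"
# Assumption: URL-bearing attribute checked per tag (object, iframe, img).
URL_ATTRS = {"object": "data", "iframe": "src", "img": "src"}


class ItsMhtmlFinder(HTMLParser):
    """Record tags whose URL attribute starts with ms-its:mhtml:."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        url_attr = URL_ATTRS.get(tag)
        if url_attr is None:
            return
        values = {name: (value or "") for name, value in attrs}
        # HTMLParser has already decoded character references; also drop
        # whitespace and case so trivially obfuscated values still match.
        url = "".join(values.get(url_attr, "").split()).lower()
        if not url.startswith(SUSPECT_PREFIX):
            return
        is_scriptlet = values.get("type", "").strip().lower() == SCRIPTLET_TYPE
        self.findings.append(
            {"line": self.getpos()[0], "tag": tag, "scriptlet": is_scriptlet}
        )


def scan(html_text):
    """Return one finding per matching tag in html_text."""
    finder = ItsMhtmlFinder()
    finder.feed(html_text)
    finder.close()
    return finder.findings


# Constructed sample; PLACEHOLDER replaces the URL remainder the post omits.
SAMPLE = """<html><body>
<p>constructed sample</p>
<object data="ms-its:mhtml:PLACEHOLDER" type="text/x-scriptlet"></object>
<OBJECT DATA="MS-ITS:&#109;html:PLACEHOLDER"></OBJECT>
<object data="movie.swf" type="application/x-shockwave-flash"></object>
</body></html>"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A finding with `scriptlet` set to true matches the object variant described in item 4; a finding without it still carries the URL prefix from item 5 and is worth a manual look.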
Current thread:
- IE exploit going around on irc Niek Baakman (Apr 05)
- Re: IE exploit going around on irc François Harvey (Apr 05)
- Re: IE exploit going around on irc David Jacoby (Apr 06)
- <Possible follow-ups>
- Re: IE exploit going around on irc http-equiv () excite com (Apr 05)
- IE exploit going around on irc Feher Tamas (Apr 06)
- RE: IE exploit going around on irc Thor Larholm (Apr 06)
- Re: IE exploit going around on irc Jelmer (Apr 06)
- Re: IE exploit going around on irc http-equiv () excite com (Apr 06)
- RE: IE exploit going around on irc Thor Larholm (Apr 06)
- Re: IE exploit going around on irc Jelmer (Apr 06)
- Re: IE exploit going around on irc Lise Moorveld (Apr 07)