Re: Six Step IE Remote Compromise Cache Attack

[Jelmer <jkuperus () planet nl>]

> This post raises an interesting question. Is our goal to find new
> vulnerabilities and attack vectors to help secure users and critical
> infrastructures, or is our goal to ease exploitation of existing
> vulnerabilities?

Interesting viewpoint from someone who willfully published code that caused
a worm to spread (and infact admitted to that he expected no less) and I
quote http://www.pcworld.com/news/article/0,aid,84324,00.asp

"The worm is a modified version of our example code. We never intended for
anybody to copy the code, although we kind of expected it would happen,"
said Thor Larholm, one of the two Europeans who demonstrated how specially
crafted code on a Web page could take over MSN Messenger. "We published the
example to put pressure on Microsoft to patch vulnerabilities that they are
fully aware of."


> There are no new vulnerabilities or techniques highlighted in this
> attack (which is what it is),
> just a combination of several already
> known vulnerabilities. This is not a proof-of-concept designed to
> highlight how a particular vulnerability works,

Untrue , normally content accessed in the temporary internet files folder is
in the restricted zone
Liu pointed out that this can be bypassed. this is the new and crucial
ingredient in the mix
without it, one would not be able to exploit this in this fashion

> but an exploit designed
> specifically to compromise your machine. All a malicious viruswriter has
> to do is exchange the EXE file.

> Believe me, I am all in for full disclosure and detailing every aspect
> of a vulnerability to prevent future occurances of similar threats, but
> I don't particularly think that we should actively be trying to help
> malicious persons.

There are many reasons imaginable why you want to do this

- It proofs the relevance of liu's cache exploit
- There are workarounds for some issues, many might not bother applying them
because they dismiss it as not being important enough to bother
- One vulnerability used in this is *OVER 2 YEARS OLD* microsoft bloody well
needs to wake up and smell the coffee, putting some pressure on them is just
what is needed
- If liu can do it theres a big chance that somewhere someone can do the
same, you could get hacked without knowing about it, I prefer to know whats
out there so I can take countermeasures
- He obviously takes great pride in his work, you can see he worked long and
hard at it, six steps thats quite a feat, working past every obstactle
there's a lot of stuff going on that researchers can look at and learn from
- It may give him the media attention to land a job much, which he seems to
be seeking, it's a proven concept, you did get your job over at pivx after
publishing the wormcode

-----Original Message-----
From: Liu Die Yu [mailto:liudieyuinchina () yahoo com cn]
Sent: Wednesday, November 05, 2003 2:35 AM
To: bugtraq () securityfocus com
Subject: Six Step IE Remote Compromise Cache Attack

Snip
http://www.securityfocus.com/archive/1/343464/2003-11-02/2003-11-08/0