RE: Re: Six Step IE Remote Compromise Cache Attack

["Michael Evanchik" <mike () alanpickel com>]

I would first like to commend microsoft on patching the exploit very quickly.

Second I would like to like to say I totally give up on internet explorer an have moved on to Mozilla firebird.  Thank 
you open source!

And now ,for those of you who do not know, here is what Liu Die Yu does not show you in his zip file.

1) take out the function name and brackets and all code below </script> in default.htm and save to make the start 
automatic
2) open MHT-ldy.mht and open it in notepad.
3) edit the 2 links for the .exe and the shell.htm (read step 4 on how that file is created) file 4o be the exact 
location of your exe and shell.htm on the server your hosting the pages(most likely you will need full access to the 
server and freehosts wont work)
5) change the base64 exe code to your own in MHT-ldy.mht and save
6) save it as shell.htm to the same location you have noted in MHT-ldy.mht
7) of course delete all the alert command lines in ScriptBodyJsp.asp

Mike
www.high-pow-er.com




-----Original Message-----
From:           http-equiv () excite com [mailto:1 () malware com]
Sent:           Wed 11/5/2003 11:36 AM
To:             full-disclosure () lists netsys com
Subject:        [Full-Disclosure] Re: Six Step IE Remote Compromise Cache Attack
 


I can confirm the below on a brand spanking new, 3 week old, top-of-
the-line machine with Windows XP Home edition, customised, with every 
conceivable patch, security pack, gadget enabled updating twaddle it 
comes with and installed to date.

I demand a refund from the vendor ! This is a disgrace. 2 year old 
remnant bugs and holes unattended culminating in this full and 
complete remote takeover via a web page [again !]. 5 Million dollar 
bounties to chase ghosts in the closets wasting law inforcement's 
valuable and over-worked time, when it can be better spent on 
bounties for bugs and repairing of product I have been duped into 
buying.

Pathetic !

Liu Die Yu wrote:

Six Step IE Remote Compromise Cache Attack
 

[tested]
OS:WinXp
Microsoft Internet Explorer v6.Sp1; up-to-date on 2003/10/30

[Overview]

A six step cache attack has been found which allows for remote 
compromise of systems running Internet Explorer merely by viewing 
a webpage.

This attack is possible partly because of the bugs in Internet 
Explorer which remain unfixed. The oldest of these bugs is 
almost two years old. 

A little something old. A little something new. 

Some Kung Fu.


[demo]

The below demo runs a harmless, demonstration executable on your 
system.
http://www.safecenter.net/UMBRELLAWEBV4/execdror5/execdror5-MyPage.htm

Note: This demo has not been found to work on all systems. This seems 
to be primarily because of the wide divergence in the placement of 
temp 
folders. A more universal exploit is possible, but too time consuming.

[technical details]
a simple game - It goes a little something like this... 
 

Liu Die Yu's file-protocol proxy bug to reach MYCOMPUTER zone
("file-protocol proxy" 
*http://safecenter.net/liudieyu/WsOpenFileJPU/WsOpenFileJPU-
Content.HTM) 

then, in MYCOMPUTER zone:
A. use IFRAME to load MHT file which contains payload EXE, then the 
MHT 
file is stored in IE cache.

B.1. use file:///::{450D8FBA-AD25-11D0-98A8-0800361B1103} to get %
USERPROFILE%;
(the Pull's: http://www.derkeiler.com/Mailing-
Lists/securityfocus/bugtraq/2002-01/0013.html
)

B.2. use "Redirection and Refresh in Iframe parses local file" to 
parse 
cache index file:
%USERPROFILE%/Local Settings/Temporay Internet 
Files/CONTENT.IE5/INDEX.DAT
( Mindwarper of mlsecurity's: http://www.mlsecurity.com/ie/ie.htm) 
double slash trick is also needed to make the parsed document 
accessible. 
( Liu Die Yu's: 
http://www.safecenter.net/UMBRELLAWEBV4/DblSlashForCache/DblSlashForCa
che-
Content.htm) 

C.1. and we get random directory names(like 9OKV91KH), and we get all 
possible URLs
of our payload EXE.
C.2. and we check these URLs with "script src":
(Tom Micklovitch's: http://jscript.dk/Jumper/xploit/scriptsrc.html) 

D. when we get a valid local URL pointing to the payload, launch it 
with 
CODEBASE plus "double slash"
( Liu Die Yu's: 
http://www.safecenter.net/UMBRELLAWEBV4/DblSlashForCache/DblSlashForCa
che-
Content.htm) 

 

A little complex. A little simple. 

Kung Fu.

[Workaround]

Move your Temporary Internet Files from its' default location:
Tools -> Internet Options -> Temporary Internet Files -> Settings -> 
Move Folder

 

[credit]
Liu Die Yu - exploitation;
Dror Shalev developed ASP part of the code in the demo;
Liu Die Yu wrote the first version of this document;
the Pull improved the quality of this document;
All of the researchers named in "technical details";
Microsoft, for not fixing their bugs;

[Greetings]
greetings to:
Drew Copley, dror, guninski and mkill.

[Message]
"My only badge is my conscience.  Guns back a badge, but 
hellfire backs the conscience." -- Anonymous ;)

-----
all mentioned resources can always be found at UMBRELLA.MX.TC

[people]
LiuDieyuinchina [N0-@-Sp2m] yahoo.com.cn
UMBRELLA.MX.TC ==> How to contact "Liu Die Yu"

[Employment]

I would like to work professionally as a security researcher/bug 
finder. 

See my resume at my site. I am very eager to work, flexible, and 
extremely productive. I have a top notch resume, with credentials 
from leading bug finders. I am willing to work per contract, 
relocate, 
or telecommute. 
 


-- 
http://www.malware.com



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html