Full Disclosure mailing list archives
[sb] RE: Internet explorer 6 execution of arbitrary code (An analysis of the 180 Solutions Trojan)
From: "Chris Carlson" <chris () compucounts com>
Date: Tue, 8 Jun 2004 07:45:29 +0200
When run remotely: Line: 1 Char: 1 Error: Access is denied. Code: 0 URL: http://62.131.86.111/security/idiots/repro/installer.htm When run locally, software installation is blocked. Using IE 6.0.2900.2096 SP2, WinXP SP2 I've gotta say that SP2 has some VERY nice protection builtin. On the downside, I still havn't figured out how to turn it off ;)
-----Original Message----- From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Jelmer Sent: Sunday, June 06, 2004 21:22 To: bugtraq () securityfocus com Cc: full-disclosure () lists netsys com; peter () diplomatmail net Subject: [Full-disclosure] Internet explorer 6 execution of arbitrary code (An analysis of the 180 Solutions Trojan) Just when I though it was save to once more use internet explorer I received an email bringing my attention to this webpage http://216.130.188.219/ei2/installer.htm that according to him used an exploit that affected fully patched internet explorer 6 browsers. Being rather skeptical I carelessly clicked on the link only to witness how it automatically installed addware on my pc!!! Now there had been reports about 0day exploits making rounds for quite some time like for instance this post http://www.securityfocus.com/archive/1/363338/2004-05-11/2004-05-17/0 However I hadn't seen any evidence to support this up until now Thor Larholm as usual added to the confusion by deliberately spreading disinformation as seen in this post http://seclists.org/lists/bugtraq/2004/May/0153.html Attributing it to and I quote "just one of the remaining IE vulnerabilities that are not yet patched" I've attempted to write up an analysis that will show that there are at least 2 new and AFAIK unpublished vulnerabilities (feel free to proof me wrong) out there in the wild, one being fairly sophisticated You can view it at: http://62.131.86.111/analysis.htm Additionally you can view a harmless demonstration of the vulnerabilities at http://62.131.86.111/security/idiots/repro/installer.htm Finally I also attached the source files to this message
-- Sie haben den Sicherheitsboten abonniert. http://sicherheitsbote.net _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- [sb] RE: Internet explorer 6 execution of arbitrary code (An analysis of the 180 Solutions Trojan) Chris Carlson (Jun 07)
- <Possible follow-ups>
- Re: [sb] RE: Internet explorer 6 execution of arbitrary code (An analysis of the 180 Solutions Trojan) BoneMachine (Jun 08)
- [sb] RE: Internet explorer 6 execution of arbitrary code (An analysis of the 180 Solutions Trojan) Drew Copley (Jun 10)