Full Disclosure mailing list archives

RE: Internet explorer 6 execution of arbitrary code (An analysis of the 180 Solutions Trojan)


From: "Drew Copley" <dcopley () eEye com>
Date: Thu, 10 Jun 2004 10:16:36 -0700

 

-----Original Message-----
From: Gadi Evron [mailto:ge () linuxbox org] 
Sent: Monday, June 07, 2004 1:47 PM
To: Jelmer
Cc: bugtraq () securityfocus com; 
full-disclosure () lists netsys com; peter () diplomatmail net
Subject: Re: Internet explorer 6 execution of arbitrary code (An analysis of the 180 Solutions Trojan)

Comments inline.

Jelmer wrote:

Just when I thought it was safe to once more use Internet Explorer I received an email bringing my attention to this webpage http://216.130.188.219/ei2/installer.htm that according to him used an exploit that affected fully patched Internet Explorer 6 browsers. Being rather skeptical I carelessly clicked on the link only to witness how it automatically installed adware on my PC!!!

So, you just clicked on the link which was reported as unsafe, did you? :)

Those protocol handlers always seem to cause problems and it's not just on Windows, Apple has had just as many problems in dealing with these for OS X. If it's not a lack of input validation then it is a lack of zone restrictions, perhaps the entire concept of higher privileged zones of any kind should be abandoned.

Are these really new vulnerabilities or just variants of old? The "Location: URL:" proxy really just looks like the "Location: File:" proxy that Liu Die Yu reported and the object caching stuff really just looks like a variation of the advisories from GreyMagic back in 2002 with the showModalDialog caching and javascript: injection. Other than those 2, the only real vulnerability on the page is the Ibiza chm stuff which still works on plenty of fully patched machines.

<snip>

This is an undisclosed vulnerability which was genuinely found in the wild.

It may utilize some known techniques. It may have some remote resemblance to previous vulnerabilities, you mention one of Liu Die Yu's old bugs... but most newly posted vulnerabilities are somehow derivations of older bugs -- by far and wide. I cannot think of a new class of bug found in quite some time.

"Nothing is new under the sun". Good, old saying.

You mentioned below something about "starting an Holy War" because of this debate -- apparently, some researchers disagreed with each other on whether or not this was new. However, it was new, it is new, and the issue needs to get patched -- any political or "religious" dispute aside.

So, recap. 

A spyware distributor for a major spyware firm has somehow gotten a hold of some genuine zero day -- not an easy task. They have used this and are using this to make a lot of money from it.

Spyware distributors get cash for every system they trojanize -- much as "click through" banner systems operate. They can make a lot of money doing this. They probably are not cognizant of the fact that this kind of unauthorized access on a mass scale is an extraordinary crime prosecutable in any country. If they were, they would just use this to do credit card scams -- much more payback, just a little bit more illegal.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html