
Re: Six Step IE Remote Compromise Cache Attack




I can confirm the below on a brand spanking new, 3-week-old, top-of-the-line
machine with Windows XP Home edition, customised, with every conceivable
patch, security pack, gadget-enabled updating twaddle it comes with and
installed to date.

I demand a refund from the vendor! This is a disgrace. 2-year-old remnant
bugs and holes unattended culminating in this full and complete remote
takeover via a web page [again!]. 5 million dollar bounties to chase ghosts
in the closets wasting law enforcement's valuable and over-worked time, when
it can be better spent on bounties for bugs and repairing of product I have
been duped into buying.

Pathetic!

"Liu Die Yu" <liudieyuinchina@xxxxxxxxxxxx> wrote:

Six Step IE Remote Compromise Cache Attack
 

[tested]
OS: WinXP
Microsoft Internet Explorer v6 SP1; up-to-date on 2003/10/30

[Overview]

A six step cache attack has been found which allows for remote 
compromise of systems running Internet Explorer merely by viewing 
a webpage.

This attack is possible partly because of the bugs in Internet 
Explorer which remain unfixed. The oldest of these bugs is 
almost two years old. 

A little something old. A little something new. 

Some Kung Fu.


[demo]

The below demo runs a harmless, demonstration executable on your 
system.
http://www.safecenter.net/UMBRELLAWEBV4/execdror5/execdror5-MyPage.htm

Note: This demo has not been found to work on all systems. This seems
to be primarily because of the wide divergence in the placement of temp
folders. A more universal exploit is possible, but too time consuming.

[technical details]
a simple game - It goes a little something like this... 
 

Liu Die Yu's file-protocol proxy bug to reach MYCOMPUTER zone
("file-protocol proxy": http://safecenter.net/liudieyu/WsOpenFileJPU/WsOpenFileJPU-Content.HTM)

then, in MYCOMPUTER zone:
A. use IFRAME to load MHT file which contains payload EXE, then the MHT
file is stored in IE cache.

B.1. use file:///::{450D8FBA-AD25-11D0-98A8-0800361B1103} to get %USERPROFILE%;
(the Pull's: http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2002-01/0013.html)

B.2. use "Redirection and Refresh in Iframe parses local file" to parse
cache index file:
%USERPROFILE%/Local Settings/Temporary Internet Files/CONTENT.IE5/INDEX.DAT
( Mindwarper of mlsecurity's: http://www.mlsecurity.com/ie/ie.htm)
double slash trick is also needed to make the parsed document accessible.
( Liu Die Yu's:
http://www.safecenter.net/UMBRELLAWEBV4/DblSlashForCache/DblSlashForCache-Content.htm)

C.1. and we get random directory names (like 9OKV91KH), and we get all
possible URLs of our payload EXE.
C.2. and we check these URLs with "script src":
(Tom Micklovitch's: http://jscript.dk/Jumper/xploit/scriptsrc.html) 

D. when we get a valid local URL pointing to the payload, launch it with
CODEBASE plus "double slash"
( Liu Die Yu's:
http://www.safecenter.net/UMBRELLAWEBV4/DblSlashForCache/DblSlashForCache-Content.htm)

 

A little complex. A little simple. 

Kung Fu.

[Workaround]

Move your Temporary Internet Files from its default location:
Tools -> Internet Options -> Temporary Internet Files -> Settings -> 
Move Folder

 

[credit]
Liu Die Yu - exploitation;
Dror Shalev developed ASP part of the code in the demo;
Liu Die Yu wrote the first version of this document;
the Pull improved the quality of this document;
All of the researchers named in "technical details";
Microsoft, for not fixing their bugs;

[Greetings]
greetings to:
Drew Copley, dror, guninski and mkill.

[Message]
"My only badge is my conscience.  Guns back a badge, but 
hellfire backs the conscience." -- Anonymous ;)

-----
all mentioned resources can always be found at UMBRELLA.MX.TC

[people]
LiuDieyuinchina [N0-@-Sp2m] yahoo.com.cn
UMBRELLA.MX.TC ==> How to contact "Liu Die Yu"

[Employment]

I would like to work professionally as a security researcher/bug finder.

See my resume at my site. I am very eager to work, flexible, and
extremely productive. I have a top notch resume, with credentials
from leading bug finders. I am willing to work per contract, relocate,
or telecommute.
 


-- 
http://www.malware.com
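An added example, not part of either message above and not the code from Liu Die Yu's demo: steps B.2 through C.2 of the quoted chain come down to reading the random cache directory names out of INDEX.DAT, turning them into candidate local URLs for the cached payload (one per directory, times the name variants IE uses for duplicates), and then probing which candidate actually exists. The Python below does exactly that offline against a constructed INDEX.DAT header, and adds a check for the advisory's workaround (is the cache still under %USERPROFILE%?). Everything about the file layout is an assumption taken from the publicly documented Content.IE5 index.dat format, not from the advisory: the directory count at offset 0x4C and a table of up to 16 twelve-byte entries at 0x50, each a 4-byte cached-file count followed by an 8-byte directory name. The foo[1].exe duplicate-naming pattern is likewise assumed, and probe() is only a stand-in for the "script src" existence check, which ran inside IE and cannot be reproduced here.

```python
import ntpath
import re
import struct
from urllib.parse import quote

# Assumed INDEX.DAT (Content.IE5) header layout, taken from the publicly
# documented format; none of these offsets come from the advisory itself.
SIGNATURE = b"Client UrlCache MMF Ver 5.2\x00"
DIR_COUNT_OFFSET = 0x4C   # 4-byte count of cache subdirectories
DIR_TABLE_OFFSET = 0x50   # table of up to 16 entries
DIR_ENTRY_SIZE = 12       # 4-byte cached-file count + 8-byte directory name
MAX_DIRS = 16
DIR_NAME_RE = re.compile(r"[A-Z0-9]{8}")   # e.g. 9OKV91KH, as in the advisory
DEFAULT_CACHE_SUBPATH = r"Local Settings\Temporary Internet Files"


def parse_cache_dirs(index_dat):
    """Return the random cache subdirectory names recorded in an INDEX.DAT header."""
    if not index_dat.startswith(SIGNATURE):
        raise ValueError("not a Content.IE5 INDEX.DAT (signature mismatch)")
    (count,) = struct.unpack_from("<I", index_dat, DIR_COUNT_OFFSET)
    dirs = []
    for i in range(min(count, MAX_DIRS)):
        _nfiles, raw = struct.unpack_from("<I8s", index_dat, DIR_TABLE_OFFSET + i * DIR_ENTRY_SIZE)
        name = raw.rstrip(b"\x00").decode("ascii", errors="replace")
        if not DIR_NAME_RE.fullmatch(name):
            break  # the table is zero-filled past the last real entry
        dirs.append(name)
    return dirs


def to_file_url(win_path):
    """file:///C:/Documents%20and%20Settings/... form of a Windows path; brackets stay literal."""
    return "file:///" + quote(win_path.replace("\\", "/"), safe="/:[]")


def candidate_paths(userprofile, dirs, filename, max_dup=3):
    """Every place the cached payload could be: each subdirectory times each duplicate-name
    variant (assumed pattern: a second copy of foo.exe is foo[1].exe, a third foo[2].exe).
    Returns (windows_path, file_url) pairs in probe order."""
    base = ntpath.join(userprofile, DEFAULT_CACHE_SUBPATH, "Content.IE5")
    stem, dot, ext = filename.rpartition(".")
    if not dot:
        stem, ext = filename, ""
    variants = [filename] + [f"{stem}[{n}]{dot}{ext}" for n in range(1, max_dup + 1)]
    out = []
    for d in dirs:
        for v in variants:
            p = ntpath.join(base, d, v)
            out.append((p, to_file_url(p)))
    return out


def probe(candidates, exists):
    """Stand-in for the 'script src' check: the first URL whose local path satisfies exists()."""
    for path, url in candidates:
        if exists(path):
            return url
    return None


def cache_is_in_default_location(cache_dir, userprofile):
    """True when Temporary Internet Files still sits under %USERPROFILE%, i.e. the
    advisory's workaround (Move Folder) has not been applied."""
    default = ntpath.normcase(ntpath.join(userprofile, DEFAULT_CACHE_SUBPATH))
    return ntpath.normcase(cache_dir).startswith(default)


def build_sample_index(dirs, files_per_dir=7):
    """Constructed test data: a minimal header with only the directory table filled in.
    This is not a real INDEX.DAT and carries no URL records."""
    buf = bytearray(0x110)
    buf[: len(SIGNATURE)] = SIGNATURE
    struct.pack_into("<I", buf, DIR_COUNT_OFFSET, len(dirs))
    for i, d in enumerate(dirs):
        struct.pack_into("<I8s", buf, DIR_TABLE_OFFSET + i * DIR_ENTRY_SIZE,
                         files_per_dir, d.encode("ascii"))
    return bytes(buf)


if __name__ == "__main__":
    profile = r"C:\Documents and Settings\Bob"          # assumed profile path
    sample = build_sample_index(["9OKV91KH", "A1B2C3D4", "QWERTY12", "ZXCVBN78"])
    dirs = parse_cache_dirs(sample)
    cands = candidate_paths(profile, dirs, "payload.exe")
    # constructed "filesystem": the payload landed as a duplicate in the second directory
    on_disk = {cands[0][0].replace("9OKV91KH\\payload.exe", "A1B2C3D4\\payload[1].exe")}
    print(dirs)
    print(len(cands), "candidate URLs")
    print("hit:", probe(cands, on_disk.__contains__))
    print("cache in default location:",
          cache_is_in_default_location(ntpath.join(profile, DEFAULT_CACHE_SUBPATH, "Content.IE5"), profile))
```

The point the workaround relies on is visible in candidate_paths(): every URL the attacker can build is rooted at a path derived from %USERPROFILE% plus the fixed "Local Settings\Temporary Internet Files\Content.IE5" suffix, so relocating the cache folder breaks the guess even though the directory names and duplicate-name pattern are still recoverable from INDEX.DAT.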