Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: [Full-Disclosure] Internet explorer 6 on windows XP allows exection of arbitrary code
From: jelmer <jkuperus () planet nl>
Date: Fri, 12 Sep 2003 11:25:25 +0200


----- Original Message ----- 
From: "Thor Larholm" <thor () pivx com>
To: "jelmer" <jkuperus () planet nl>; <bugtraq () securityfocus com>
Cc: <full-disclosure () lists netsys com>
Sent: Friday, September 12, 2003 1:02 AM
Subject: Re: [Full-Disclosure] Internet explorer 6 on windows XP allows
exection of arbitrary code


The new addition here is abusing how you are able to load a ressource
file,
residing in a  local security zone, into a window object. Service Pack 1
for IE6
did a lot to deter this on most regular window objects, but should have
extended
that effort to searchpanes as well. Seeing as the content of a search pane
can
be any registered COM extension to IE, perhaps more should be done to
completely
separate these from the reach of ordinary scripting.

Agreed, I noticed they did put some effort into fixing these issues
eg. the greymagic issue with the malformed xml file for instance only
allowed  xss'ing a a site containinging this file.
before sp1 one would have been able to script in the res:// page. wich would
have much more severe consequences concidering that
IE's zoning system is just so horribly and utterly broken.  So they did well
on this , the problem just is that microsoft keeps having these
little oversights, special cases they forget about such as the res pages in
the mediabar or also recently forgetting to patch the dynamic version of the
object tag.
It's generally a tell tale sign of bad software design


Combining the mediabar ressource loading with the file-protocol proxy
demonstrates just how effectively one can combine several vulnerabilities
to
achieve a higher level of automation in planting and executing files. The
media
bar ressource loading, and any other ressource loading technique, can be
combined with any other cross-domain scripting vulnerability to achieve
the same
result.

We will definitely see more combinatorial vulnerabilities in the time to
come.

Combining vulnerabilies is nothing new people always have and always will.
HTTP-EQUIV seems especially well versed in this kind of stuff, remember for
instance my mhtml/codebase trick and his mediaplayer issue wich also lead to
code execution.
IE is rather heavily researched so at any given time you will have quite a
number of unpatched vulnerabilties, as you are probably more aware of than
anybody, considering http://pivx.com/larholm/unpatched/ is your site :)
For non buffer overflow  code execution generally a number of conditions has
to be met. in this case it where 3

- find way of executing code
- find something to inject the exploit code in
- find something that will allow us to inject exploit code into stuff not
under our control

seperatly none of these is perticularly dangerous but combined their full
power is unleeched
But it's a lot to ask from a single researcher to ask to come up with 3
issues (unless your name is Liu Die Yu  offcourse :) then you can easily
come up with 10 hehe) I got to 2 liu provided 3





Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher
http://www.pivx.com/larholm/unpatched - Unpatched IE vulnerabilities


----- Original Message ----- 
From: "jelmer" <jkuperus () planet nl>
To: <bugtraq () securityfocus com>
Cc: <full-disclosure () lists netsys com>
Sent: Thursday, September 11, 2003 3:31 PM
Subject: [Full-Disclosure] Internet explorer 6 on windows XP allows
exection of
arbitrary code


Internet explorer 6 on windows XP allows exection of arbitrary code

DESCRIPTION :

Yesterday Liu Die Yu released a number series of advisories concerning
internet explorer
by combining on of these issues with an earlier issue I myself reported
a
while back
You can construct a specially crafted webpage that can take any action
on a
users system
including but not limited to, installing trojans, keyloggers, wiping the
users harddrive etc.
<snip

http://lists.netsys.com/pipermail/full-disclosure/2003-September/009917.html>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault