Full Disclosure
mailing list archives
[sb] RE: Internet explorer 6 execution of arbitrary code (An analysis of the 180 Solutions Trojan)
From: "Chris Carlson" <chris () compucounts com>
Date: Tue, 8 Jun 2004 07:45:29 +0200
When run remotely:
Line: 1
Char: 1
Error: Access is denied.
Code: 0
URL: http://62.131.86.111/security/idiots/repro/installer.htm
When run locally, software installation is blocked.
Using IE 6.0.2900.2096 SP2, WinXP SP2
I've gotta say that SP2 has some VERY nice protection built in. On the downside, I still haven't figured out how to turn
it off ;)
-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of Jelmer
Sent: Sunday, June 06, 2004 21:22
To: bugtraq () securityfocus com
Cc: full-disclosure () lists netsys com; peter () diplomatmail net
Subject: [Full-disclosure] Internet explorer 6 execution of
arbitrary code (An analysis of the 180 Solutions Trojan)
Just when I thought it was safe to once more use Internet
Explorer, I received an email bringing my attention to this
webpage http://216.130.188.219/ei2/installer.htm that
according to him used an exploit that affected fully patched
Internet Explorer 6 browsers. Being rather skeptical, I
carelessly clicked on the link only to witness how it
automatically installed adware on my PC!!!
Now there had been reports about 0day exploits making rounds
for quite some time, like for instance this post
http://www.securityfocus.com/archive/1/363338/2004-05-11/2004-05-17/0
However, I hadn't seen any evidence to support this up until
now. Thor Larholm, as usual, added to the confusion by
deliberately spreading disinformation, as seen in this post
http://seclists.org/lists/bugtraq/2004/May/0153.html
attributing it to, and I quote, "just one of the remaining IE
vulnerabilities that are not yet patched".
I've attempted to write up an analysis that will show that
there are at least 2 new and AFAIK unpublished
vulnerabilities (feel free to prove me wrong)
out there in the wild, one being fairly sophisticated.
You can view it at:
http://62.131.86.111/analysis.htm
Additionally you can view a harmless demonstration of the
vulnerabilities at
http://62.131.86.111/security/idiots/repro/installer.htm
Finally, I also attached the source files to this message.
--
You have subscribed to the Sicherheitsbote.
http://sicherheitsbote.net
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html