Full Disclosure mailing list archives
RE: Internet explorer 6 execution of arbitrary code (An analysis of the 180 Solutions Trojan)
From: Jelmer <jkuperus () planet nl>
Date: Tue, 08 Jun 2004 02:48:50 +0200
Just when I thought it was safe to once more use Internet Explorer I received an email bringing my attention to this webpage http://216.130.188.219/ei2/installer.htm that according to him used an exploit that affected fully patched Internet Explorer 6 browsers. Being rather skeptical I carelessly clicked on the link only to witness how it automatically installed adware on my pc!!!
So, you just clicked on the link which was reported as unsafe, did you? :)
Yes I did, I am not saying that it was a bright thing to do, but this was on my home pc, I really didn't have much to lose. I use it to play games, read email, browse the web, do some coding. Adware I can handle, it's usually pretty easy to remove once you know how it works.
Those protocol handlers always seem to cause problems and it's not just on Windows, Apple has had just as many problems in dealing with these for OS X.
Agreed, they are a persistent pain in the ass. If it's not a lack of input validation then it is a lack of zone restrictions, perhaps the entire concept of higher privileged zones of any kind should be abandoned.
Are these really new vulnerabilities or just variants of old? The "Location: URL:" proxy really just looks like the "Location: File:" proxy that Liu Die Yu reported
Yes it's a lot like the file proxy, but surely you won't argue protocol proxying itself is a vulnerability, it's a feature. The vulnerability was that Microsoft engineers forgot to take it into account in *that particular instance*. Liu Die Yu found out that you could inject javascript code in the search pane res file using file:. These folks found out that you can use url:ms-its to do a redirect to a local file. Surely this is a different thing! If someone found a buffer overflow somewhere and the next year someone found another one in an entirely different segment of code, you'd argue that it's the same thing?? Well they both used strcpy insecurely blah bla.. c'mon
and the object caching stuff really just looks like a variation of the advisories from GreyMagic back in 2002 with the showModalDialog caching and javascript: injection. Other than those 2,
No it's waaaaaaay more sophisticated than the method caching stuff. I've looked at it some more and there seems to be some really wacky stuff going on. I suspect they had a look at the leaked IE source, I'll probably have to update the analysis a bit if I can figure out what the hell it is they're doing. And again, each and every one of the method caching vulnerabilities Liu and GreyMagic found were separate flaws, a separate oversight by Microsoft engineers.
the only real vulnerability on the page is the Ibiza chm stuff which still works on plenty of fully patched machines.
And what would that be?? Ibiza brought only a single new thing to the table and this is nothing like it, for the rest it builds on old vulnerabilities, in fact it was a variation of one of my exploits, surely you knew that didn't you?
Now there had been reports about 0day exploits making rounds for quite some time, like for instance this post http://www.securityfocus.com/archive/1/363338/2004-05-11/2004-05-17/0
Why is this a 0-day? Are you trying to start a holy war here? Please explain why this is a 0-day if you make such claims.
It uses 2 new vulnerabilities that were - not reported on any security list (afaik) - first encountered in the wild. I won't argue semantics here but that's the reason why I chose to slap that label on it.
However I hadn't seen any evidence to support this up until now. Thor Larholm as usual added to the confusion by deliberately spreading disinformation as seen in this post http://seclists.org/lists/bugtraq/2004/May/0153.html
Thor? Spreading disinformation?
Yes but only when he isn't blatantly lying (http://archives.neohapsis.com/archives/fulldisclosure/2004-04/0261.html)
Attributing it to and I quote "just one of the remaining IE vulnerabilities that are not yet patched"
That sounds about right.
Like I said these are 2 new issues, at best they are the same class of vulnerabilities we have seen previously but they are not variations!
I've attempted to write up an analysis that will show that there are at least 2 new and AFAIK unpublished vulnerabilities (feel free to prove me wrong) out there in the wild, one being fairly sophisticated.
I, personally, appreciate any serious research work, but why put down a colleague while you're at it?
You can view it at: http://62.131.86.111/analysis.htm Additionally you can view a harmless demonstration of the vulnerabilities at http://62.131.86.111/security/idiots/repro/installer.htm Finally I also attached the source files to this message.
If this really was a 0-day, isn't that a tad irresponsible?
So we are back to the full disclosure, limited disclosure, no disclosure etc.. debate again, how trite.
As to Thor...
You are claiming that he is deliberately spreading disinformation, but then you proceed to verify his claims.
Verify?? These issues weren't reported before, they are new. Thor is full of crap and my post proved it, it's unfortunate that you fail to comprehend this, perhaps you lack the expertise in this particular niche of security research to tell the difference.
Are you sure you don't just have a personal vendetta against him?
No it's nothing personal, it's just my general way of treating dishonest individuals. There are many, many reasons why I dislike PivX, but I don't think this is the appropriate forum to vent them.
I don't see what's wrong with him pitching his product (Quik-Fix (?)) when reporting his research. That's how the industry works.
You do research and advertise the company that did it, and what solution it offers. Working for free doesn't put food on the table and he has a product that might actually protect against such issues. What's next, you will complain about AV companies who say they detect a virus or security researchers that get paid to work instead of living off the street credit from the security mailing lists? Maybe you just don't like companies of any kind.
Ok what you have to understand is that Qwik-Fix is a collection of 5 registry patches, nothing more, nothing less.. (run regmon, filemon while running it and verify this). I can accomplish the same task by clicking on a .reg file. They slapped a nice frontend on it, some corporate branding, made it available for free, PivX has some exposure, the user has a safer pc, everybody wins, and that's all ok with me so far. But ask yourself how seriously can you take a company that names 5 registry patches their flagship product?? Now they are trying to cash in on it by providing a pro version of the product. They wrote a freaking 16 page whitepaper explaining the business benefits of 5 registry patches!!! http://www.net-security.org/dl/articles/Qwik-Fix_Pro_WhitePaper.pdf

I had this argument with someone before who asked me the same thing, he asked me why do you dislike PivX so much, doesn't their product work? Well I had to admit that it did. Well isn't it worth the money then? Well again I had to say, this can save your company a lot of $$. So why do you dislike them so much? I finally got through to him with the following analogy: What if someone offered to sell you a bottle of water for $400, would you buy it? Well hell no he replied. To which I replied, doesn't it relieve your thirst then? Doesn't it come with all sorts of minerals and stuff and keep you alive? They are just 5 registry patches, they are charging money for 5 registry patches!!! Much like selling water at $400 the bottle it is not illegal, but anyone would agree that such a person would be a conman, and conmen PivX are! Their product is closed source so it makes it difficult to know what it does, they make the progress bar move really really slow when applying these fixes so it looks as if there is some heavy wizardry going on etc etc..

I dislike conmen, they rub off badly on the rest of the people who have real products to sell and put a lot of work in them (for clarity I am not a competitor, to me it's all fun and games), but surely you can sympathize with this?
As to the research itself... Thor went through the hnc3k.com website and listed all the pages and vulnerabilities on it, which sounds like an exhaustive task to me.
Sure he put in a lot of work, but came up empty! *ALL* of the stuff he listed were old exploits long rendered useless by Microsoft patches, yet he managed to reach some miraculous conclusion. The evidence did not match the conclusion. I encourage you to click on any of the links he provided in that post with a fully patched IE6 on WinXP, there's a 20 euro bill with your name on it if you get infected by anything but the common cold.
But didn't you do the same when analyzing the 180 Solutions Trojan pages? It sounds pretty exhaustive as well.
The difference is that Thor also told you how to protect against this, by locking down the My Computer zone. I can't see anywhere that Thor was referring to the object caching vulnerability you are listing as new. In my mind, he was referring to the old Unpatched page that he used to maintain and that would mean he said some of those are still not patched.
I miss that page. It was very good.
Yes, interesting that that more or less coincided with the Microsoft logo popping up on their client list http://www.pivx.com/clients.html Oh and Liu maintains a similar list now, you might want to check it out, though it's updated as frequently as I'd like, maybe I'll start my own who knows.
We know that Ibiza still works
Talk is cheap and words are plenty, where's the proof of that?? This is entirely different, the only thing they share is my adodb.stream code, so you can't be referring to my post as proof that "Ibiza" still works. So can you show me the code for an Ibiza variation that still works?
and that there are still problems with the SSL certificate handling in IE, don't you think he was just referring to those? From this side it really just looks as if you are trying to deal a low blow against Mr. Larholm because you have some personal grudge against him. I hope I provided you with information to re-think your claims. Also, please try and keep your grudges to yourself where 50K plus busy people need to sift through vital information?
I probably saved you and these 50K others work by doing this write-up, for free I may add. And I'll bloody well write whatever I like in it, if you come half way and realize the signal to noise ratio is too high for you, stop reading! I am not forcing you to read it. I am not adding these remarks to be nasty or offend Mr. Larholm personally, I do think a lot of the stunts they pull are unethical and I'll do everything in my power to expose them.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
