BugTraq
Back to list
|
Post reply
Six Step IE Remote Compromise Cache Attack
Nov 05 2003 10:35AM
Liu Die Yu (liudieyuinchina yahoo com cn)
Six Step IE Remote Compromise Cache Attack
[tested]
OS:WinXp
Microsoft Internet Explorer v6.Sp1; up-to-date on 2003/10/30
[Overview]
A six step cache attack has been found which allows for remote
compromise of systems running Internet Explorer merely by viewing
a webpage.
This attack is possible partly because of the bugs in Internet
Explorer which remain unfixed. The oldest of these bugs is
almost two years old.
A little something old. A little something new.
Some Kung Fu.
[demo]
The below demo runs a harmless, demonstration executable on your system.
http://www.safecenter.net/UMBRELLAWEBV4/execdror5/execdror5-MyPage.htm
Note: This demo has not been found to work on all systems. This seems
to be primarily because of the wide divergence in the placement of temp
folders. A more universal exploit is possible, but too time consuming.
[technical details]
a simple game - It goes a little something like this...
Liu Die Yu's file-protocol proxy bug to reach MYCOMPUTER zone
("file-protocol proxy" *http://safecenter.net/liudieyu/WsOpenFileJPU/WsOpenFileJPU-Content.HTM)
then, in MYCOMPUTER zone:
A. use IFRAME to load MHT file which contains payload EXE, then the MHT
file is stored in IE cache.
B.1. use file:///::{450D8FBA-AD25-11D0-98A8-0800361B1103} to get %USERPROFILE%;
(the Pull's: http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2002-01/001
3.html )
B.2. use "Redirection and Refresh in Iframe parses local file" to parse
cache index file:
%USERPROFILE%/Local Settings/Temporay Internet Files/CONTENT.IE5/INDEX.DAT
( Mindwarper of mlsecurity's: http://www.mlsecurity.com/ie/ie.htm)
double slash trick is also needed to make the parsed document accessible.
( Liu Die Yu's: http://www.safecenter.net/UMBRELLAWEBV4/DblSlashForCache/DblSlashForCach
e-Content.htm)
C.1. and we get random directory names(like 9OKV91KH), and we get all possible URLs of our payload EXE.
C.2. and we check these URLs with "script src":
(Tom Micklovitch's: http://jscript.dk/Jumper/xploit/scriptsrc.html)
D. when we get a valid local URL pointing to the payload, launch it with
CODEBASE plus "double slash"
( Liu Die Yu's: http://www.safecenter.net/UMBRELLAWEBV4/DblSlashForCache/DblSlashForCach
e-Content.htm)
A little complex. A little simple.
Kung Fu.
[Workaround]
Move your Temporary Internet Files from its' default location:
Tools -> Internet Options -> Temporary Internet Files -> Settings -> Move Folder
[credit]
Liu Die Yu - exploitation;
Dror Shalev developed ASP part of the code in the demo;
Liu Die Yu wrote the first version of this document;
the Pull improved the quality of this document;
All of the researchers named in "technical details";
Microsoft, for not fixing their bugs;
[Greetings]
greetings to:
Drew Copley, dror, guninski and mkill.
[Message]
"My only badge is my conscience. Guns back a badge, but
hellfire backs the conscience." -- Anonymous ;)
-----
all mentioned resources can always be found at UMBRELLA.MX.TC
[people]
LiuDieyuinchina [N0-@-Sp2m] yahoo.com.cn
UMBRELLA.MX.TC ==> How to contact "Liu Die Yu"
[Employment]
I would like to work professionally as a security researcher/bug finder.
See my resume at my site. I am very eager to work, flexible, and
extremely productive. I have a top notch resume, with credentials
from leading bug finders. I am willing to work per contract, relocate,
or telecommute.
[ reply ]
Privacy Statement
Copyright 2010, SecurityFocus
Six Step IE Remote Compromise Cache Attack
[tested]
OS:WinXp
Microsoft Internet Explorer v6.Sp1; up-to-date on 2003/10/30
[Overview]
A six step cache attack has been found which allows for remote
compromise of systems running Internet Explorer merely by viewing
a webpage.
This attack is possible partly because of the bugs in Internet
Explorer which remain unfixed. The oldest of these bugs is
almost two years old.
A little something old. A little something new.
Some Kung Fu.
[demo]
The below demo runs a harmless, demonstration executable on your system.
http://www.safecenter.net/UMBRELLAWEBV4/execdror5/execdror5-MyPage.htm
Note: This demo has not been found to work on all systems. This seems
to be primarily because of the wide divergence in the placement of temp
folders. A more universal exploit is possible, but too time consuming.
[technical details]
a simple game - It goes a little something like this...
Liu Die Yu's file-protocol proxy bug to reach MYCOMPUTER zone
("file-protocol proxy" *http://safecenter.net/liudieyu/WsOpenFileJPU/WsOpenFileJPU-Content.HTM)
then, in MYCOMPUTER zone:
A. use IFRAME to load MHT file which contains payload EXE, then the MHT
file is stored in IE cache.
B.1. use file:///::{450D8FBA-AD25-11D0-98A8-0800361B1103} to get %USERPROFILE%;
(the Pull's: http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2002-01/001
3.html )
B.2. use "Redirection and Refresh in Iframe parses local file" to parse
cache index file:
%USERPROFILE%/Local Settings/Temporay Internet Files/CONTENT.IE5/INDEX.DAT
( Mindwarper of mlsecurity's: http://www.mlsecurity.com/ie/ie.htm)
double slash trick is also needed to make the parsed document accessible.
( Liu Die Yu's: http://www.safecenter.net/UMBRELLAWEBV4/DblSlashForCache/DblSlashForCach
e-Content.htm)
C.1. and we get random directory names(like 9OKV91KH), and we get all possible URLs of our payload EXE.
C.2. and we check these URLs with "script src":
(Tom Micklovitch's: http://jscript.dk/Jumper/xploit/scriptsrc.html)
D. when we get a valid local URL pointing to the payload, launch it with
CODEBASE plus "double slash"
( Liu Die Yu's: http://www.safecenter.net/UMBRELLAWEBV4/DblSlashForCache/DblSlashForCach
e-Content.htm)
A little complex. A little simple.
Kung Fu.
[Workaround]
Move your Temporary Internet Files from its' default location:
Tools -> Internet Options -> Temporary Internet Files -> Settings -> Move Folder
[credit]
Liu Die Yu - exploitation;
Dror Shalev developed ASP part of the code in the demo;
Liu Die Yu wrote the first version of this document;
the Pull improved the quality of this document;
All of the researchers named in "technical details";
Microsoft, for not fixing their bugs;
[Greetings]
greetings to:
Drew Copley, dror, guninski and mkill.
[Message]
"My only badge is my conscience. Guns back a badge, but
hellfire backs the conscience." -- Anonymous ;)
-----
all mentioned resources can always be found at UMBRELLA.MX.TC
[people]
LiuDieyuinchina [N0-@-Sp2m] yahoo.com.cn
UMBRELLA.MX.TC ==> How to contact "Liu Die Yu"
[Employment]
I would like to work professionally as a security researcher/bug finder.
See my resume at my site. I am very eager to work, flexible, and
extremely productive. I have a top notch resume, with credentials
from leading bug finders. I am willing to work per contract, relocate,
or telecommute.
[ reply ]