|
|
BugTraq
new internet explorer exploit (was new worm) Mar 29 2004 02:35PM Jelmer (jkuperus planet nl) (2 replies) Re: new internet explorer exploit (was new worm) Mar 29 2004 07:15PM Void (void sect net) (2 replies) Re: new internet explorer exploit (was new worm) Mar 30 2004 10:46AM Nick FitzGerald (nick virus-l demon co uk) |
|
Privacy Statement |
if I change the url in my exploit.htm from
ms-its:mhtml:file://C:\foo.mht!${PATH}/EXPLOIT.CHM::/exploit.htm
to
ms-its:mhtml:file://C:\foo.mht!${PATH}/EXPLOIT.CHM::/exploit.htm
It gives no warning whatsoever, proofing once again that you shouldn't
solely rely on virus scanners, though others might do a better job, I can't
imagine anyone doing it worse
----- Original Message -----
From: "Void" <void (at) sect (dot) net [email concealed]>
To: "Jelmer" <jkuperus (at) planet (dot) nl [email concealed]>; <full-disclosure (at) lists.netsys (dot) com [email concealed]>;
<bugtraq (at) securityfocus (dot) com [email concealed]>
Sent: Monday, March 29, 2004 9:15 PM
Subject: Re: new internet explorer exploit (was new worm)
> Just wanted to add that Norton Anti-Virus 2004 will detect this exploit
and
> pop up a warning, but also fails to halt its execution or protect the user
> in any way.
>
> Here is what it thinks it is:
>
>
http://securityresponse.symantec.com/avcenter/venc/data/bloodhound.explo
it.6.html
>
> So there is some measure of warning, but no real protection.
>
>
> At 04:35 PM 3/29/2004 +0200, Jelmer wrote:
> >The code used by this worm to exploit it's users at least partly is (i
> >think) new , the vulnerability it abused has afaik not been published on
> >eighter bugtraq or full-disclosure. possibly making it (one of?) the
first
> >worm to totally catch people offguard.
> >
> >It allows a mallicious person to take any action on an unsuspecting user
who
> >view's a specially prepared page's pc
> >
> >The known ingredient it uses is :
> >http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2003-08/1758.htm
l
> >that has gone unpatched for over 5 months now
> >
> >The remainder of the exploit manages to confuse this same adodb.stream
> >object enough to make it think it's being run from a local location
> >
> >You can protect yourself against it by running
> >http://ip3e83566f.speed.planet.nl/hacked-by-chinese/fix.reg
> >
> >
> >I attached sample code myself to illustrate the problem, because
> >http-equiv's was messy :)
> >This one should be more straightforward to use
> >
> >Instructions :
> >
> >1. unzip
> >2. overwrite exploit.exe with the executable you wish to run, or leave it
> >untoched if you want to see some nice texturemapped rotation
> >3. upload the files to a webserver
> >4. view exploit.htm
> >
> >Tested on winxp pro all patches
> >
> >for the lazy ones among you can also view a demonstration here :
> >
> >http://ip3e83566f.speed.planet.nl/security/newone/exploit.htm
>
>
[ reply ]