----- Original Message ----- From: "Thor Larholm" <thor@pivx.com> To: "jelmer" <jkuperus@planet.nl>; <bugtraq@securityfocus.com> Cc: <full-disclosure@lists.netsys.com> Sent: Friday, September 12, 2003 1:02 AM Subject: Re: [Full-Disclosure] Internet explorer 6 on windows XP allows exection of arbitrary code > The new addition here is abusing how you are able to load a ressource file, > residing in a local security zone, into a window object. Service Pack 1 for IE6 > did a lot to deter this on most regular window objects, but should have extended > that effort to searchpanes as well. Seeing as the content of a search pane can > be any registered COM extension to IE, perhaps more should be done to completely > separate these from the reach of ordinary scripting. Agreed, I noticed they did put some effort into fixing these issues eg. the greymagic issue with the malformed xml file for instance only allowed xss'ing a a site containinging this file. before sp1 one would have been able to script in the res:// page. wich would have much more severe consequences concidering that IE's zoning system is just so horribly and utterly broken. So they did well on this , the problem just is that microsoft keeps having these little oversights, special cases they forget about such as the res pages in the mediabar or also recently forgetting to patch the dynamic version of the object tag. It's generally a tell tale sign of bad software design > Combining the mediabar ressource loading with the file-protocol proxy > demonstrates just how effectively one can combine several vulnerabilities to > achieve a higher level of automation in planting and executing files. The media > bar ressource loading, and any other ressource loading technique, can be > combined with any other cross-domain scripting vulnerability to achieve the same > result. > > We will definitely see more combinatorial vulnerabilities in the time to come. Combining vulnerabilies is nothing new people always have and always will. HTTP-EQUIV seems especially well versed in this kind of stuff, remember for instance my mhtml/codebase trick and his mediaplayer issue wich also lead to code execution. IE is rather heavily researched so at any given time you will have quite a number of unpatched vulnerabilties, as you are probably more aware of than anybody, considering http://pivx.com/larholm/unpatched/ is your site :) For non buffer overflow code execution generally a number of conditions has to be met. in this case it where 3 - find way of executing code - find something to inject the exploit code in - find something that will allow us to inject exploit code into stuff not under our control seperatly none of these is perticularly dangerous but combined their full power is unleeched But it's a lot to ask from a single researcher to ask to come up with 3 issues (unless your name is Liu Die Yu offcourse :) then you can easily come up with 10 hehe) I got to 2 liu provided 3 > > > Regards > Thor Larholm > PivX Solutions, LLC - Senior Security Researcher > http://www.pivx.com/larholm/unpatched - Unpatched IE vulnerabilities > > > ----- Original Message ----- > From: "jelmer" <jkuperus@planet.nl> > To: <bugtraq@securityfocus.com> > Cc: <full-disclosure@lists.netsys.com> > Sent: Thursday, September 11, 2003 3:31 PM > Subject: [Full-Disclosure] Internet explorer 6 on windows XP allows exection of > arbitrary code > > > > Internet explorer 6 on windows XP allows exection of arbitrary code > > > > DESCRIPTION : > > > > Yesterday Liu Die Yu released a number series of advisories concerning > > internet explorer > > by combining on of these issues with an earlier issue I myself reported a > > while back > > You can construct a specially crafted webpage that can take any action on a > > users system > > including but not limited to, installing trojans, keyloggers, wiping the > > users harddrive etc. > <snip > http://lists.netsys.com/pipermail/full-disclosure/2003-September/009917.html> > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html
