I can confirm the below on a brand spanking new, 3 week old, top-of- the-line machine with Windows XP Home edition, customised, with every conceivable patch, security pack, gadget enabled updating twaddle it comes with and installed to date. I demand a refund from the vendor ! This is a disgrace. 2 year old remnant bugs and holes unattended culminating in this full and complete remote takeover via a web page [again !]. 5 Million dollar bounties to chase ghosts in the closets wasting law inforcement's valuable and over-worked time, when it can be better spent on bounties for bugs and repairing of product I have been duped into buying. Pathetic ! "Liu Die Yu" <liudieyuinchina@yahoo.com.cn> wrote: Six Step IE Remote Compromise Cache Attack [tested] OS:WinXp Microsoft Internet Explorer v6.Sp1; up-to-date on 2003/10/30 [Overview] A six step cache attack has been found which allows for remote compromise of systems running Internet Explorer merely by viewing a webpage. This attack is possible partly because of the bugs in Internet Explorer which remain unfixed. The oldest of these bugs is almost two years old. A little something old. A little something new. Some Kung Fu. [demo] The below demo runs a harmless, demonstration executable on your system. http://www.safecenter.net/UMBRELLAWEBV4/execdror5/execdror5-MyPage.htm Note: This demo has not been found to work on all systems. This seems to be primarily because of the wide divergence in the placement of temp folders. A more universal exploit is possible, but too time consuming. [technical details] a simple game - It goes a little something like this... Liu Die Yu's file-protocol proxy bug to reach MYCOMPUTER zone ("file-protocol proxy" *http://safecenter.net/liudieyu/WsOpenFileJPU/WsOpenFileJPU- Content.HTM) then, in MYCOMPUTER zone: A. use IFRAME to load MHT file which contains payload EXE, then the MHT file is stored in IE cache. B.1. use file:///::{450D8FBA-AD25-11D0-98A8-0800361B1103} to get % USERPROFILE%; (the Pull's: http://www.derkeiler.com/Mailing- Lists/securityfocus/bugtraq/2002-01/0013.html ) B.2. use "Redirection and Refresh in Iframe parses local file" to parse cache index file: %USERPROFILE%/Local Settings/Temporay Internet Files/CONTENT.IE5/INDEX.DAT ( Mindwarper of mlsecurity's: http://www.mlsecurity.com/ie/ie.htm) double slash trick is also needed to make the parsed document accessible. ( Liu Die Yu's: http://www.safecenter.net/UMBRELLAWEBV4/DblSlashForCache/DblSlashForCa che- Content.htm) C.1. and we get random directory names(like 9OKV91KH), and we get all possible URLs of our payload EXE. C.2. and we check these URLs with "script src": (Tom Micklovitch's: http://jscript.dk/Jumper/xploit/scriptsrc.html) D. when we get a valid local URL pointing to the payload, launch it with CODEBASE plus "double slash" ( Liu Die Yu's: http://www.safecenter.net/UMBRELLAWEBV4/DblSlashForCache/DblSlashForCa che- Content.htm) A little complex. A little simple. Kung Fu. [Workaround] Move your Temporary Internet Files from its' default location: Tools -> Internet Options -> Temporary Internet Files -> Settings -> Move Folder [credit] Liu Die Yu - exploitation; Dror Shalev developed ASP part of the code in the demo; Liu Die Yu wrote the first version of this document; the Pull improved the quality of this document; All of the researchers named in "technical details"; Microsoft, for not fixing their bugs; [Greetings] greetings to: Drew Copley, dror, guninski and mkill. [Message] "My only badge is my conscience. Guns back a badge, but hellfire backs the conscience." -- Anonymous ;) ----- all mentioned resources can always be found at UMBRELLA.MX.TC [people] LiuDieyuinchina [N0-@-Sp2m] yahoo.com.cn UMBRELLA.MX.TC ==> How to contact "Liu Die Yu" [Employment] I would like to work professionally as a security researcher/bug finder. See my resume at my site. I am very eager to work, flexible, and extremely productive. I have a top notch resume, with credentials from leading bug finders. I am willing to work per contract, relocate, or telecommute. -- http://www.malware.com
