
Re: [Full-Disclosure] IE exploit going around on irc




> I thought you were already aware of the text/x-scriptlet
> object variation of Ibiza which was exploited in the wild before
> Ibiza was even discussed on Bugtraq

Really? I'd be most interested in seeing a reference to that. The 
time-line I have is:

1. On Wednesday, February 11, 2004 3:21 AM someone sent me a 
link to www.ibiza-victoria.com which was riddled with images 
and iframes pointing to the chm file. At the time nothing 
happened when viewing it, as it used the object codebase in the 
chm to trigger, which was patched on XP; as a result no further 
examination took place.

2. Liu Die's fake mhtml redirect was published in December 2003, 
along with minor mentions of similar fake file tricks prior to 
that.

3. On Sat Mar 27 2004 - 13:17:45 CST the "new worm?" thread was 
posted on bugtraq. At the time I took Internet Explorer to the 
address and port mentioned in the post and actually infected 
myself. Closer examination revealed the exact same technique as 
ibiza, that is, with iframes and images used to render, draw to 
the cache and refresh in order to activate it.

4. Trying to reproduce on my server failed, and at that time I 
placed it in an object with type="text/x-scriptlet" without the 
need for refresh or images to cache the file or iframes to 
render it. Hence my notation with the demo of a more robust 
method.

5. Punching <object data="ms-its:mhtml: into google, which is 
the core of this, reveals nothing prior to April. That is, object 
with type="text/x-scriptlet and referencing a non-existent 
mhtml file inside a chm to redirect to the local file.

http://www.google.com/search?hl=en&lr=&ie=UTF-8&oe=UTF-8&q=%3Cobject+data%3D%22ms-its%3Amhtml%3A&btnG=Search

Therefore, when and where exactly was this same technique used 
prior to ibiza being posted on bugtraq?

This is not about semantics but about accuracy in security, which, 
without it, leads to insecurity or no security at all.


-- 
http://www.malware.com



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html