Six Step IE Remote Compromise Cache Attack

 



[tested]

OS:WinXp

Microsoft Internet Explorer v6.Sp1; up-to-date on 2003/10/30



[Overview]



A six step cache attack has been found which allows for remote 

compromise of systems running Internet Explorer merely by viewing 

a webpage.



This attack is possible partly because of the bugs in Internet 

Explorer which remain unfixed. The oldest of these bugs is 

almost two years old. 



A little something old. A little something new. 



Some Kung Fu.





[demo]



The below demo runs a harmless, demonstration executable on your system.

http://www.safecenter.net/UMBRELLAWEBV4/execdror5/execdror5-MyPage.htm



Note: This demo has not been found to work on all systems. This seems 

to be primarily because of the wide divergence in the placement of temp 

folders. A more universal exploit is possible, but too time consuming.



[technical details]

a simple game - It goes a little something like this... 

 



Liu Die Yu's file-protocol proxy bug to reach MYCOMPUTER zone

("file-protocol proxy" *http://safecenter.net/liudieyu/WsOpenFileJPU/WsOpenFileJPU-Content.HTM) 



then, in MYCOMPUTER zone:

A. use IFRAME to load MHT file which contains payload EXE, then the MHT 

file is stored in IE cache.



B.1. use file:///::{450D8FBA-AD25-11D0-98A8-0800361B1103} to get %USERPROFILE%;

(the Pull's: http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2002-01/0013.html )



B.2. use "Redirection and Refresh in Iframe parses local file" to parse 

cache index file:

%USERPROFILE%/Local Settings/Temporay Internet Files/CONTENT.IE5/INDEX.DAT

( Mindwarper of mlsecurity's: http://www.mlsecurity.com/ie/ie.htm) 

double slash trick is also needed to make the parsed document accessible. 

( Liu Die Yu's: http://www.safecenter.net/UMBRELLAWEBV4/DblSlashForCache/DblSlashForCache-Content.htm) 



C.1. and we get random directory names(like 9OKV91KH), and we get all possible URLs of our payload EXE.

C.2. and we check these URLs with "script src":

(Tom Micklovitch's: http://jscript.dk/Jumper/xploit/scriptsrc.html) 



D. when we get a valid local URL pointing to the payload, launch it with 

CODEBASE plus "double slash"

( Liu Die Yu's: http://www.safecenter.net/UMBRELLAWEBV4/DblSlashForCache/DblSlashForCache-Content.htm) 



 



A little complex. A little simple. 



Kung Fu.



[Workaround]



Move your Temporary Internet Files from its' default location:

Tools -> Internet Options -> Temporary Internet Files -> Settings -> Move Folder



 



[credit]

Liu Die Yu - exploitation;

Dror Shalev developed ASP part of the code in the demo;

Liu Die Yu wrote the first version of this document;

the Pull improved the quality of this document;

All of the researchers named in "technical details";

Microsoft, for not fixing their bugs;



[Greetings]

greetings to:

Drew Copley, dror, guninski and mkill.



[Message]

"My only badge is my conscience.  Guns back a badge, but 

hellfire backs the conscience." -- Anonymous ;)



-----

all mentioned resources can always be found at UMBRELLA.MX.TC



[people]

LiuDieyuinchina [N0-@-Sp2m] yahoo.com.cn

UMBRELLA.MX.TC ==> How to contact "Liu Die Yu"



[Employment]



I would like to work professionally as a security researcher/bug finder. 



See my resume at my site. I am very eager to work, flexible, and 

extremely productive. I have a top notch resume, with credentials 

from leading bug finders. I am willing to work per contract, relocate, 

or telecommute.