If at first you don't succeed; call it version 1.0
Monday, October 15, 2007

Sometimes it is nice to see old vulnerabilities come back from the dead.

This time I'm referring to a vulnerability in Internet Explorer that was discovered almost 3 years ago by cyber_flash. The vulnerability allows an attacker to bypass the security download warning dialog and display a regular save file dialog instead, by manipulating IE into displaying an executable file (a file with the .exe extension) as a regular HTML file.

While this vulnerability was partially patched by Microsoft in IE7, it still remained unpatched in IE6 SP2.

A few days ago, this vulnerability came back to life when Laurent Gaffié posted to Bugtraq that it is possible to download and open an executable file in an application associated with a different extension, using a specially crafted URL very similar to the one used in cyber_flash's proof-of-concept.

I've been able to use this old vulnerability to automate an attack vector that was found by pdp from GNUCitizen. In his proof-of-concept, pdp exploits a vulnerability by opening a manually downloaded PDF file in Adobe Reader. When I tried to open the PoC file inside IE7 it didn't exploit the vulnerability. This is probably because the Adobe Reader ActiveX control runs differently, in terms of security, from the external application. Therefore, I used the old IE vulnerability to automatically download and open the PoC PDF file in the external Adobe Reader application. The exploit then executed the Windows calculator.

The following video demonstrates the difference between opening the proof-of-concept PDF file in the browser (embedded) and in the external application.

You can also download this video (better quality) from here.


Monday, October 15, 2007 9:16:50 PM UTC | Comments [1] | Security#
Sunday, October 14, 2007

Finally, AOL has released the new version (v6.5) of AIM.

I've tested this version against the critical vulnerability I found. While it does fix the specific attack vector of the vulnerability, it still does not utilize the Local Zone lockdown. This means that if someone finds another way to inject a script into a message, it will still be possible to execute arbitrary code remotely.
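The Local Zone lockdown the post refers to is Internet Explorer's Local Machine Zone Lockdown feature control, which a hosting application opts into per process name under the IE FeatureControl registry key. As an added example (not code from the original post or from AOL), the following PowerShell script checks whether a given executable is opted in, so a defender can verify whether this mitigation is actually in effect for an IM client that renders messages with the IE engine. The executable name is a placeholder, since the post does not name the AIM binary; the key path and the `*` wildcard value are the documented feature-control conventions.

```powershell
# Added example, not part of the original post.
# Reports whether a process is opted in to IE's Local Machine Zone Lockdown
# (feature control FEATURE_LOCALMACHINE_LOCKDOWN). A DWORD value of 1 named
# after the executable, or a value named "*" (all processes), enables it.
param(
    # Placeholder: substitute the real client executable name.
    [string]$ProcessName = 'client.exe'
)

$featureKey = 'SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN'

# The opt-in may live in the per-machine or the per-user hive; check both.
$paths = @(
    "HKLM:\$featureKey",
    "HKCU:\$featureKey"
)

$optedIn = $false
foreach ($path in $paths) {
    if (-not (Test-Path $path)) { continue }

    $props = Get-ItemProperty -Path $path
    foreach ($valueName in @($ProcessName, '*')) {
        $entry = $props.PSObject.Properties[$valueName]
        if ($null -ne $entry -and $entry.Value -eq 1) {
            Write-Output "$ProcessName is opted in to Local Machine Zone Lockdown via $path (value '$valueName')"
            $optedIn = $true
        }
    }
}

if (-not $optedIn) {
    Write-Output "$ProcessName is NOT opted in to Local Machine Zone Lockdown; script that reaches the embedded IE engine is not restricted by this mitigation."
}
```

Run it as `.\Check-LmzLockdown.ps1 -ProcessName <executable name>`; on 64-bit Windows a 32-bit client may also need the same value under the WOW6432Node branch of the key, which this script does not inspect.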

I've decided to postpone the release of my proof-of-concept, at least until AOL fixes its client properly. This is mainly because it will probably not be hard to adapt the PoC and find another way to inject a script, and from there it is a short step to a massive IM worm.

Unfortunately, there are no release notes to indicate that there was a security fix in the new version.

You can find more info about the vulnerability at Core's advisory and Ryan's security blog.

Sunday, October 14, 2007 4:04:32 PM UTC | Comments [0] | Security#