| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: lise_moorveld at hotmail.com (Lise Moorveld) Subject: IE exploit going around on irc Hello, What I find interesting is that SecurityFocus links the "IE ms-its: and mk:@MSITStore: vulnerability" paper by Roozbeh Afrasiabi ( http://www.securityfocus.com/archive/1/358913 ) to the "Microsoft Internet Explorer Unspecified CHM File Processing Arbitrary Code Execution Vulnerability (bid 9658)" posting by K-otic ( http://www.securityfocus.com/archive/1/354447 ). They do this in BID 9658 ( http://www.securityfocus.com/bid/9658 ). I think SecurityFocus got this wrong... The issue referred to by K-otic is the exploit where you use a non-existant mht file and an exclamation mark like so: ms-its:mhtml:file://c:\yada.mhtml!http://www.example.com/compiledhelpfile.chm:/htmlfile.html also described in Cert advisory VU#323070 ( http://www.kb.cert.org/vuls/id/323070 ) and CVE ID: CAN-2004-0380 ... Roozbeh Afrasiabi doesn't use this construction anywhere in his paper... what he DOES use, however (amongst others), is the directory-traversal style thingy: mk:@MSITStore:iexplore.chm::..\\..\\..\\..\\program files\\winamp\\skins\\x.wsz::\winamp.htm Now, I don't claim to fully grasp the Roozbeh paper either, but he does make a reference to Arman Nayyeri, and what I think is the following post: "IE 5.x-6.0 allows executing arbitrary programs using showHelp()" ( http://archives.neohapsis.com/archives/bugtraq/2003-12/0337.html ) Oh, and Nayyeri claims Jelmer helped him with this, so Jelmer might be able to shed some light :) To return to this thread, the original posting by Niek Baakman mentions the exclamation mark issue http://archives.neohapsis.com/archives/fulldisclosure/2004-03/1726.html And in a reply, Thor refers to the directory traversal-style issue (or at least the Roozbeh paper): http://archives.neohapsis.com/archives/fulldisclosure/2004-03/1785.html Anyway, do you guys think I'm right in thinking these are seperate issues? Bye, Lise _________________________________________________________________ Limited-time offer: Fast, reliable MSN 9 Dial-up Internet access FREE for 2 months! http://join.msn.com/?page=dept/dialup&pgmarket=en-us&ST=1/go/onm00200361ave/direct/01/
Powered by blists - more mailing lists