[<prev] [next>] [day] [month] [year] [list]
Message-ID: <FCAD9F541A8E8A44881527A6792F892C33C2AB@owa.eeye.com>
Date: Wed, 14 Jul 2004 12:30:55 -0700
From: "Drew Copley" <dcopley@...e.com>
To: "Ferruh Mavituna" <ferruh@...ituna.com>,
"L33tPrincess" <l33tprincess@...oo.com>, <bugtraq@...urityfocus.com>,
<full-disclosure@...ts.netsys.com>
Subject: RE: [Full-Disclosure] Re: IE Shell URI Download and Execute, POC
> -----Original Message-----
> From: Ferruh Mavituna [mailto:ferruh@...ituna.com]
> Sent: Wednesday, July 14, 2004 7:52 AM
> To: 'L33tPrincess'; bugtraq@...urityfocus.com;
> full-disclosure@...ts.netsys.com
> Subject: RE: [Full-Disclosure] Re: IE Shell URI Download and
> Execute, POC
>
> > Is the vulnerability mitigated by
> > today's Microsoft patch?
>
> Both of POCs are working well (at least in my system -W2K3
> all patches-)
> after recent MS patches.
>
> Can anyone confirm this ?
I can not. Wscript was deactivated with Guninski's WSH bug
a long time ago. I just tested running wscript in the My
Computer zone. It prompts as an unsafe activex.
However, Microsoft needs to get on the ball here and secure
that zone or make it trivial for their customers to do so. (Kudos
for their link on their security page, but that kind of
thing is targetted to IT professionals -- not to the masses...
and they can figure that out by themselves already.)
I also noticed the shell: path url does work as a source in
an iframe.
>
>
> Ferruh.Mavituna
> http://ferruh.mavituna.com
> PGPKey : http://ferruh.mavituna.com/PGPKey.asc
>
> > -----Original Message-----
> > From: full-disclosure-admin@...ts.netsys.com
> [mailto:full-disclosure-
> > admin@...ts.netsys.com] On Behalf Of L33tPrincess
> > Sent: Wednesday, July 14, 2004 5:34 AM
> > To: bugtraq@...urityfocus.com; full-disclosure@...ts.netsys.com
> > Subject: [Full-Disclosure] Re: IE Shell URI Download and
> Execute, POC
> >
> > Ferruh,
> > Is this a new variant (wscript.shell)? Is the
> vulnerability mitigated by
> > today's Microsoft patch?
> >
> >
> >
> > Hello;
> >
> > Code is based on
> http://www.securityfocus.com/archive/1/367878 (POC by
> > Jelmer) message. I just added a new feature "download" and
> then execute
> > application. Also I use Wscript.Shell in Javascript instead of
> > Shell.Application.
> >
> > ________________________________
> >
> > Do you Yahoo!?
> > New and Improved Yahoo! Mail
> >
> <http://us.rd.yahoo.com/mail_us/taglines/100/*http://promotion
> s.yahoo.com/
> > new_mail/static/efficiency.html> - 100MB free storage!
>
>
Powered by blists - more mailing lists