Message-ID: <Pine.LNX.4.58.0410201813190.25238@loki.ct.heise.de>
Date: Wed, 20 Oct 2004 18:55:53 +0200 (CEST)
From: Juergen Schmidt <ju@...sec.de>
To: Thor Larholm <thor@...x.com>
Cc: NTBUGTRAQ@...TSERV.NTBUGTRAQ.COM, bugtraq@...urityfocus.com
Subject: Re: [Unpatched] New 0day exploit for XPSP2


On Wed, 20 Oct 2004, Thor Larholm wrote:

Hello Thor,

> When
> IE renders an IMG element it gives priority to the SRC attribute but
> when IE drops an IMG element on an arbitrary window it gives priority to
> the DYNSRC attribute. If you are able to reference any local content you
> can therefore drop the DYNSRC attribute of the IMG element on the window
> with local content and thereby plant a file on the file system in a
> known location.

Sorry that I do not understand your very interesting explanations.
I examined http-equiv's demo, but he isn't using the DYNSRC attribute
anywhere near the drag&drop part.

The only file containing "dynsrc" is his pseudo database foobar.txt, which
is used in the last stage of the exploit, to download "code".

His drop source is included with a simple

<img src="malwarez"  width="30" height="30" style="cursor:hand" title="drag me!">

Absolutely no DYNSRC here.

So the question stays: malwarez carries no extension, it is a valid GIF
image, but when it is dropped, it is named "malwarez[1].htm".
The only explanation I have is that the server declares
malwarez to be HTML:

# wget -S http://www.malware.com/malwarez
--18:41:25--  http://www.malware.com/malwarez
           => `malwarez'
 1 HTTP/1.0 200 OK
 ...
 8 Content-Type: text/html
                      ^^^^

So IE just uses the Content-Type to name this file.


bye, ju

--
Juergen Schmidt    Chefredakteur  heise Security   www.heisec.de
Heise Zeitschriften Verlag,  Helstorferstr. 7,  D-30625 Hannover
Tel. +49 511 5352 300 FAX +49 511 5352 417    EMail ju@...sec.de

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
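The point made in the mail above (the server's Content-Type, not the URL and not the bytes themselves, decides what the dropped file is called) as a worked example. This is an added example, not part of the original mail and not http-equiv's demo code: the HTTP response is constructed to mirror the wget -S output quoted above, the Content-Type-to-extension table and the "[1]" collision suffix are assumptions modelled on the reported "malwarez[1].htm" rather than IE's actual logic, and the magic-byte sniffing goes a little beyond the mail by recognising a few formats besides GIF.

```python
"""Content-Type vs. actual bytes: who decides a dropped file's name?

Added example (not from the original mail). A constructed HTTP response
carries a real GIF body (magic bytes "GIF89a") under a text/html header.
A client that names the saved file from Content-Type writes
"malwarez[1].htm"; a client that sniffs the magic bytes sees an image.
"""
import posixpath
from urllib.parse import urlsplit

# Smallest valid GIF89a (1x1 pixel, 43 bytes). Constructed sample data.
GIF_BODY = (
    b"GIF89a"                                   # signature + version
    b"\x01\x00\x01\x00\x80\x00\x00"             # logical screen descriptor
    b"\x00\x00\x00\xff\xff\xff"                 # 2-entry global colour table
    b"!\xf9\x04\x01\x00\x00\x00\x00"            # graphic control extension
    b",\x00\x00\x00\x00\x01\x00\x01\x00\x00"    # image descriptor
    b"\x02\x02D\x01\x00"                        # LZW image data
    b";"                                        # trailer
)

# Constructed response modelled on the wget -S output in the mail:
# the body is a GIF, the server says text/html.
RAW_RESPONSE = (
    b"HTTP/1.0 200 OK\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: %d\r\n"
    b"\r\n" % len(GIF_BODY)
) + GIF_BODY

# Assumed Content-Type -> extension table. The mail only shows the
# text/html -> .htm case; the other rows are illustrative.
EXT_BY_TYPE = {
    "text/html": ".htm",
    "image/gif": ".gif",
    "image/jpeg": ".jpg",
    "text/plain": ".txt",
}

# Leading magic bytes for a few common formats.
MAGIC = [
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"MZ", "application/x-msdownload"),
]


def parse_response(raw):
    """Split a raw HTTP response into (status line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def declared_type(headers):
    """Media type from the Content-Type header, parameters stripped."""
    return headers.get("content-type", "").split(";")[0].strip().lower()


def sniff_type(body):
    """Media type guessed from leading magic bytes, or None if unknown."""
    for magic, mtype in MAGIC:
        if body.startswith(magic):
            return mtype
    return None


def name_by_content_type(url, headers, existing=()):
    """Name a saved file the way the mail describes: basename from the URL,
    extension from the server's Content-Type, and an assumed "[n]" inserted
    before the extension while the name collides with an existing file."""
    base = posixpath.basename(urlsplit(url).path) or "download"
    ext = EXT_BY_TYPE.get(declared_type(headers), "")
    candidate, n = base + ext, 1
    while candidate in existing:
        candidate = f"{base}[{n}]{ext}"
        n += 1
    return candidate


def audit(url, raw, existing=()):
    """Compare the server's claim with the bytes and report the name a
    Content-Type-trusting client would give the saved file."""
    status, headers, body = parse_response(raw)
    declared, actual = declared_type(headers), sniff_type(body)
    return {
        "status": status,
        "declared": declared,
        "actual": actual,
        "mismatch": actual is not None and actual != declared,
        "saved_as": name_by_content_type(url, headers, existing),
    }


if __name__ == "__main__":
    report = audit("http://www.malware.com/malwarez", RAW_RESPONSE,
                   existing={"malwarez.htm"})
    for key, value in report.items():
        print(f"{key:9} {value}")
```

The mismatch flag is the check a practitioner wants here: whenever the sniffed type disagrees with the declared one, the extension a naive client derives from Content-Type is under the server's control, which is exactly the lever the mail is asking about.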

