lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20041127232248.10160.qmail@www.securityfocus.com>
Date: 27 Nov 2004 23:22:48 -0000
From: Paul <paul@...yhats.cjb.net>
To: bugtraq@...urityfocus.com
Subject: Microsoft Help ActiveX Control Related Topics Local Content
    Accessing Vulnerability




Greyhats Security Group is back and we're ready to kick the crap out of sp2 :). Looks like all the vulnerabilities previously posted by us have been patched. Good work, Microsoft. We're not through yet, though. Here's proof that no matter how many millions of dollors you spend on security, there will always be things you missed.
 
Btw, I codenamed this LongNameVuln because its a lot easier to remember then Help ActiveX Control Related Topics Local Content Accessing Vulnerability :)

[Tested]
IEXPLORE.EXE file version 6.0.2900.2180
MSHTML.DLL file version 6.00.2800.1400
Microsoft Windows XP Home SP2 

[Discussion]
Recently, a security professional aliased http-equiv (malware.com) found a vulnerability in Microsoft's new Service Pack (SP2). What was required to compromise the victim's machine was the dragging of an specially-crafted into a folderview window, and then the clicking of a button. LongNameVuln is a more efficient way of acheiving this common goal of compromising the system. It removes the extra step of having to click a button in order to access a page on the local machine. It can be done easily. Using the Related Topics command of Microsoft's Help ActiveX Control, any page can be loaded into a target frame. Unfortuneatly, only addresses that actually point to a location can be used. This does not include protocols such as javascript and vbscript. However, we can still break out of the Internet Zone and open up a page in the local zone. That is what this vulnerability achieves. 

The example shows the picture of a garden which includes a carrot. Dragging the carrot to the bottom frame in the browser (set up to be the outside of the garden) will copy a file to PCHealth directory in C:\windows, which will then be launched, creating another file in the same directory called Greyhats.hta, which must be launched manually. The directory could easily be changed to shell:startup, however this is not necissary for this example. This is the same payload as given in NoCeegar on malware.com because my server doesn't have the capabilities to host the payload file like malware.com does :). 

View the example at http://freehost07.websamba.com/greyhats/longnamevuln.htm

Greets to
http-equiv
Micheal Evanchik


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ