lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <42137926.8080101@gecadnet.ro>
Date: Wed, 16 Feb 2005 18:47:34 +0200
From: Valentin Avram <vavram@...adnet.ro>
To: bugtraq@...urityfocus.com
Subject: [Full Disclosure] Using DHTML XSS to launch HHCTRL exploit


[Full Disclosure] Using DHTML XSS to launch HHCTRL exploit

GeCAD NET Security Advisory 2005.02.16
Original notice (requires authentication):
http://www.gecadnet.ro/windows/?AID=1414
February 16th 2005

1. Past Events

On January 20th 2005, GeCAD NET released a security advisory warning
that the exploit for the HHCTRL vulnerability can still be used on an
attack by using another known (and at that time unpatched) vulnerability
in Microsoft Internet Explorer. Patched up-to-date Windows XP SP1 and
Windows 2000 SP4 systems were confirmed as vulnerable.

On February 8th 2005 Microsoft released a set of security patches. One
of them, MS05-013, fixes the DHTML Editing Component ActiveX Control
Cross-Site Scripting vulnerability, which was the one GeCAD NET used in
order to launch the HHCTRL exploit.

2. Description

The alert mentioned in the header contains a Full Disclosure of this
issue. Proof-of-Concept code is also provided.

3. Conclusion

If the target system is not patched with MS05-013, a remote attacker
might prepare a specially crafted webpage that when loaded in Internet
Explorer, it will allow execution of attacker controller code on the
target system, thus leading to system security compromise.

4. Tests conducted and results

GeCAD NET confirms that this attack vector is blocked on the systems
patched with MS05-013.

Windows XP Service Pack 2 seems not to be vulnerable to this attack
method. However, it is strongly advised users apply the patch in order
to fix the XSS vulnerability.

5. Events

01/18/2005   Exploit created and tested
01/19/2005   Vendor notified
01/20/2005   Vendor response
01/20/2005   Public warning
02/08/2005   Patch released
02/16/2005   Full Disclosure

6. Legal Notices

Copyright (c) 2005 GeCAD NET (member of GeCAD Group)

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without written consent
of GeCAD NET. If you wish to reprint the whole or any part of this alert
in any other medium other than electronically, please email
support@...ad.ro for permission.

Disclaimer:
The content of this alert is believed to be accurate at the time of
publishing based on currently available information. Neither the author
nor the publisher accepts any liability for any direct, indirect, or
consequential loss or damage arising from use of, or reliance on, this
information.


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ