[<prev] [next>] [day] [month] [year] [list]
Message-ID: <87e395c80707022215v78f8a257q294fb9466771d80f@mail.gmail.com>
Date: Tue, 3 Jul 2007 13:15:22 +0800
From: "LIUDIEYU dot COM" <liudieyu.com@...il.com>
To: bugtraq@...urityfocus.com
Subject: Two Unpublished IE Cases
I'd like to publish two IE cases that I know about. Although it's too
late. These two cases have already been patched. Just want to get them
on the record here. Many complained that IE7's new features
roadblocked hacking into this app. Well, those features are like any
other Microsoft's public documents on infosec, they are just sales
pitch.
Talked the talk. Now walk the walk. Both are drag-and-drop remote code
execution. One executes code on reboot. The other runs instantly on
drag-and-drop. Cover up is done using the genius idea by "mikx" from
DE, making the operation look normal on screen. Standard Javascript
features.
The key is drag source and drop destination. Here are two cases:
*
DRAG SRC:
Local page's IFRAME pointing to ftp-or-smb folder containing payload file
(HTTP Redirection to res-protocol page containing IFRAME tag)
DROP DST:
SHELL:STARTUP or:
\\127.0.0.1\c$\Documents and Settings\Administrator\Start Menu\Programs\Startup
*
DRAG SRC:
Any draggable file
("Favorites" control)
DROP DST:
Shortcut file pointing to "C:\WINDOWS\SYSTEM32\mshta.exe" command with
parameters
(On contrary, shortcut file pointing to remote executable will issue a
confirmation dialog)
REFERENCE:
Previously published cases on this topic:
mikx
http://mikx.de/index.php?p=1
Andreas Sandblad and Michael Krax, "Independently"
http://secunia.com/advisories/11165/
Powered by blists - more mailing lists