Message-ID: <87e395c80707022215v78f8a257q294fb9466771d80f@mail.gmail.com>
Date: Tue, 3 Jul 2007 13:15:22 +0800
From: "LIUDIEYU dot COM" <liudieyu.com@...il.com>
To: bugtraq@...urityfocus.com
Subject: Two Unpublished IE Cases

I'd like to publish two IE cases that I know about, although it's too
late: these two cases have already been patched. I just want to get them
on the record here. Many complained that IE7's new features
roadblocked hacking into this app. Well, those features are like any
of Microsoft's other public documents on infosec: they are just a sales
pitch.

Talked the talk. Now walk the walk. Both are drag-and-drop remote code
execution. One executes code on reboot. The other runs instantly on
drag-and-drop. The cover-up is done using the genius idea by "mikx" from
DE, making the operation look normal on screen. Standard JavaScript
features.

The key is drag source and drop destination. Here are two cases:

*
DRAG SRC:
Local page's IFRAME pointing to ftp-or-smb folder containing payload file
(HTTP Redirection to res-protocol page containing IFRAME tag)
DROP DST:
SHELL:STARTUP or:
\\127.0.0.1\c$\Documents and Settings\Administrator\Start Menu\Programs\Startup

*
DRAG SRC:
Any draggable file
("Favorites" control)
DROP DST:
Shortcut file pointing to "C:\WINDOWS\SYSTEM32\mshta.exe" command with
parameters
(On the contrary, a shortcut file pointing to a remote executable will
issue a confirmation dialog)

REFERENCE:

Previously published cases on this topic:

mikx
http://mikx.de/index.php?p=1

Andreas Sandblad and Michael Krax, "Independently"
http://secunia.com/advisories/11165/
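
A defensive audit for the two drop destinations named in the message, as an added example that is not part of the original post: it lists non-shortcut files sitting in the Startup folders and any shortcut whose target is mshta.exe. The function name, the parameters and the 7-day "recent" window are assumptions made for illustration.

```powershell
# Added example, not from the original post. Names and defaults are hypothetical.
function Get-DropTargetFinding {
    param(
        # Directories to inspect; defaults to the per-user and all-users Startup folders.
        [string[]]$Path = @(
            [Environment]::GetFolderPath('Startup'),
            [Environment]::GetFolderPath('CommonStartup')
        ),
        # Only look at .lnk files (useful when pointing -Path at a Desktop or profile).
        [switch]$ShortcutsOnly,
        # Files created within this many days are marked Recent (annotation only).
        [int]$RecentDays = 7
    )
    $dirs = @($Path | Where-Object { $_ -and (Test-Path -LiteralPath $_) })
    if ($dirs.Count -eq 0) { return }
    $shell  = New-Object -ComObject WScript.Shell   # used to resolve .lnk targets
    $cutoff = (Get-Date).AddDays(-$RecentDays)
    foreach ($file in Get-ChildItem -LiteralPath $dirs -File -Force -Recurse) {
        $target = $null; $arguments = $null; $reason = $null
        if ($file.Extension -ieq '.lnk') {
            $lnk       = $shell.CreateShortcut($file.FullName)
            $target    = $lnk.TargetPath
            $arguments = $lnk.Arguments
            # Second case: a shortcut that launches mshta.exe with parameters.
            if ($target -and (Split-Path -Leaf $target) -ieq 'mshta.exe') {
                $reason = 'shortcut targets mshta.exe'
            }
        } elseif (-not $ShortcutsOnly -and $file.Name -ine 'desktop.ini') {
            # First case: a file dropped directly into a Startup folder runs at logon.
            $reason = 'non-shortcut file in audited folder'
        }
        if ($reason) {
            [pscustomobject]@{
                File      = $file.FullName
                Reason    = $reason
                Target    = $target
                Arguments = $arguments
                Created   = $file.CreationTime
                Recent    = $file.CreationTime -gt $cutoff
            }
        }
    }
}

Get-DropTargetFinding | Format-List
```

To look for mshta.exe shortcuts outside the Startup folders, pass the directories with -Path and add -ShortcutsOnly so ordinary files are not reported.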
