Open Source and information security mailing list archives
Message-ID: <20040102150236.9443497B44@cpo.tn.tudelft.nl>
From: emvs.fd.3FB4D11C at cpo.tn.tudelft.nl (Erik van Straten)
Subject: Self-Executing HTML: Internet Explorer 5.5 and 6.0 Part IV

On Thu, 1 Jan 2004 22:41:35 -0000 "http-equiv@...ite.com" wrote: 
[snip]
> Fully self-contained harmless *.exe: 
> 
> http://www.malware.com/exe-cute-html.zip
[snip]

This doesn't look like self-executing HTML - anyway.

[Disabling Mshta.exe]

Microsoft is _WRONG_ to have HTA interpreted by default, and not even
provide an option to disable it. All HTA's I've seen (quite some) were
malware.

To prevent this particular exploit from running, you may want to delete
or rename mshta.exe --At Your Own Risk--. I've done this on all boxes I
manage on 20030909 and haven't run into problems. I've not restored
this after applying MS03-040, since lusers will click OK because they
don't know what an HTA is. Note: MS03-040 won't block this exploit, and
other browsers may invoke mshta.exe.

If mshta.exe is also in the DLLCache subdir, you may have to boot safe
mode with command prompt, and rename/delete it in both DLLCache and
System32.

Warning: do not boot Safe Mode With Networking, because then XP-ICF
(Internet Connection Firewall) does not run (thanks MS).

[Other Attack Vectors]

Unfortunately more attack vectors are possible. Please refrain from
publishing them, the point was made (you'll be helping "the patch"
morons et al, which backfires if they joe-job you or your site).

As a test I've just killbitted Shell.Application:

---------- cut here ----------
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{13709620-C279-11CE-A49E-444553540000}]
"Compatibility Flags"=dword:00000400
"Comments"="Shell.Application kill-bit/killbit 20040102"
"Reason#1"="http://seclists.org/lists/fulldisclosure/2004/Jan/0002.html"
"Reason#2"="Self-Executing HTML: Internet Explorer 5.5 and 6.0 Part IV"
-------- end cut here --------

Watch out for line wraps; there should be 7 lines. The last 3 lines
are optional but help me locate why/what/when.

It prevents the exploit, however I don't know what this breaks; if
anyone knows, please respond to the list (no metoo's and "use another
browser" BS, please). Also: start a new thread+subject if you wish
to comment on the ICF issue, portscans, or blah.

Happy 04.
Erik
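As an added example (this is not part of Erik's post, and PowerShell did not exist when it was written), the following script does what his .reg file does, but from an elevated PowerShell prompt on a current Windows box: it writes the kill bit (Compatibility Flags bit 0x400) for the Shell.Application CLSID given above, verifies it is set, and reports whether mshta.exe is still present in both System32 and the dllcache directory he mentions. The function names are this example's own. One caveat the .reg import does not handle: REGEDIT replaces the whole DWORD, so if the CLSID already had other compatibility flags set they are silently dropped; the script ORs the kill bit into the existing value instead.

```powershell
# Added example, not Erik's code. Sets and checks the IE ActiveX kill bit
# for a CLSID, and reports the state of mshta.exe. Run elevated.
# Assumptions: function names are this example's; the CLSID and the
# 0x400 flag value are the ones from the post.

$KillBit = 0x400   # COMPAT_KILL_BIT, the value Erik's .reg file writes

function Get-ActiveXCompatKey {
    param([Parameter(Mandatory)][string]$Clsid)
    # Normalise to the braced, upper-case form used under the key.
    $c = $Clsid.Trim('{', '}').ToUpperInvariant()
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{$c}"
}

function Get-ActiveXCompatFlags {
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Get-ActiveXCompatKey $Clsid
    if (-not (Test-Path -LiteralPath $key)) { return 0 }
    $v = Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $v) { return 0 }
    return [int]$v.'Compatibility Flags'
}

function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    return (((Get-ActiveXCompatFlags $Clsid) -band $KillBit) -ne 0)
}

function Set-ActiveXKillBit {
    param(
        [Parameter(Mandatory)][string]$Clsid,
        [string]$Comment = ''
    )
    $key = Get-ActiveXCompatKey $Clsid
    if (-not (Test-Path -LiteralPath $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    # OR the kill bit into whatever flags are already there rather than
    # overwriting them, which is what a plain .reg import would do.
    $new = (Get-ActiveXCompatFlags $Clsid) -bor $KillBit
    New-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' `
        -Value $new -PropertyType DWord -Force | Out-Null
    if ($Comment) {
        # Same idea as Erik's optional "Comments" value: record why/when.
        New-ItemProperty -LiteralPath $key -Name 'Comments' `
            -Value $Comment -PropertyType String -Force | Out-Null
    }
    return (Test-ActiveXKillBit $Clsid)
}

function Get-MshtaStatus {
    # Both copies Erik mentions: Windows File Protection restores the
    # System32 copy from dllcache, so renaming only one is not enough.
    $paths = @(
        (Join-Path $env:SystemRoot 'System32\mshta.exe'),
        (Join-Path $env:SystemRoot 'System32\dllcache\mshta.exe')
    )
    foreach ($p in $paths) {
        [pscustomobject]@{ Path = $p; Present = (Test-Path -LiteralPath $p) }
    }
}

# Usage: the Shell.Application CLSID from the post.
$shellApp = '{13709620-C279-11CE-A49E-444553540000}'
Set-ActiveXKillBit -Clsid $shellApp -Comment 'Shell.Application kill-bit 20040102'
Test-ActiveXKillBit -Clsid $shellApp
Get-MshtaStatus | Format-Table -AutoSize
```

Test-ActiveXKillBit returns $true only if bit 0x400 is set, regardless of other flags, so it can be used as a quick audit across a set of CLSIDs before and after a change.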

