lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
From: thor at pivx.com (Thor Larholm)
Subject: Self-Executing HTML: Internet Explorer 5.5	and 6.0 Part IV

> From: "morning_wood" <se_cur_ity@...mail.com>
> running "malware.html" locally does produce the desired results, but then
> again...


The exploit is intended and created to be run locally from a local security
zone - getting to a local zone in the first place requires other
vulnerabilities.

> i can get any html to execute locally calling a remote location for the
code, as
> long as its run from the local machine.

There are several steps involved in most of all IE command execution
exploits, some of these involve downloading and executing a file once you
are already in a local security zone. What http-equiv did was to simplify
that part of the process by using the Shell.Application object.



Regards

Thor Larholm
Senior Security Researcher
PivX Solutions
24 Corporate Plaza #180
Newport Beach, CA 92660
http://www.pivx.com
thor@...x.com
949-231-8496

PivX defines "Proactive Threat Mitigation". Get a FREE Beta Version of
Qwik-Fix
<http://www.qwik-fix.net>


Powered by blists - more mailing lists