Message-ID: <BAY17-F37foV1qdiixj000495a4@hotmail.com>
From: lise_moorveld at hotmail.com (Lise Moorveld)
Subject: IE exploit going around on irc
Hello,
What I find interesting is that SecurityFocus links the "IE ms-its: and
mk:@MSITStore: vulnerability" paper by Roozbeh Afrasiabi (
http://www.securityfocus.com/archive/1/358913 ) to the "Microsoft Internet
Explorer Unspecified CHM File Processing Arbitrary Code Execution
Vulnerability (bid 9658)" posting by K-otic (
http://www.securityfocus.com/archive/1/354447 ).
They do this in BID 9658 ( http://www.securityfocus.com/bid/9658 ).
I think SecurityFocus got this wrong...
The issue referred to by K-otic is the exploit where you use a non-existent
mht file and an exclamation mark like so:
ms-its:mhtml:file://c:\yada.mhtml!http://www.example.com/compiledhelpfile.chm:/htmlfile.html
also described in CERT advisory VU#323070 (
http://www.kb.cert.org/vuls/id/323070 )
and CVE ID: CAN-2004-0380
... Roozbeh Afrasiabi doesn't use this construction anywhere in his paper...
what he DOES use, however (amongst others), is the directory-traversal
style thingy:
mk:@MSITStore:iexplore.chm::..\\..\\..\\..\\program files\\winamp\\skins\\x.wsz::\winamp.htm
Now, I don't claim to fully grasp the Roozbeh paper either, but he does make
a reference to Arman Nayyeri, and what I think is the following post: "IE
5.x-6.0 allows executing arbitrary programs using showHelp()" (
http://archives.neohapsis.com/archives/bugtraq/2003-12/0337.html )
Oh, and Nayyeri claims Jelmer helped him with this, so Jelmer might be able
to shed some light :)
To return to this thread, the original posting by Niek Baakman mentions the
exclamation mark issue
http://archives.neohapsis.com/archives/fulldisclosure/2004-03/1726.html
And in a reply, Thor refers to the directory traversal-style issue (or at
least the Roozbeh paper):
http://archives.neohapsis.com/archives/fulldisclosure/2004-03/1785.html
Anyway, do you guys think I'm right in thinking these are separate issues?
Bye,
Lise
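
Added example, not part of the message above or of any cited advisory: a small Python classifier that tells the two URL constructions quoted in the message apart, for instance when reviewing proxy logs or saved HTML. The label names and regular expressions are this example's own assumptions; the first two sample strings are copied from the message and the others are constructed.

```python
import re
from urllib.parse import unquote

# The two protocol-handler prefixes quoted in the message (compared lower-cased).
HANDLERS = ("ms-its:", "mk:@msitstore:")

# Construction 1: mhtml: wrapper around a local file, then '!' and a remote URL.
MHTML_BANG = re.compile(r"mhtml:file://[^!]*!\s*https?://")
# Construction 2: a '..\' or '../' step inside the storage path.
TRAVERSAL = re.compile(r"(^|[\\/:])\.\.[\\/]")


def classify(url):
    """Return the set of labels (assumed names) that apply to one URL string."""
    s = url.strip()
    for _ in range(3):  # undo up to three layers of percent-encoding
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    s = s.lower()
    hits = [i for i in (s.find(h) for h in HANDLERS) if i >= 0]
    if not hits:
        return set()  # not an ITS-handler URL at all
    rest = s[min(hits):]
    found = set()
    if MHTML_BANG.search(rest):
        found.add("mhtml-bang-redirect")
    if TRAVERSAL.search(rest):
        found.add("storage-path-traversal")
    return found or {"its-handler-only"}


# First two strings are copied from the message; the rest are constructed.
SAMPLES = [
    r"ms-its:mhtml:file://c:\yada.mhtml!http://www.example.com/compiledhelpfile.chm:/htmlfile.html",
    r"mk:@MSITStore:iexplore.chm::..\\..\\..\\..\\program files\\winamp\\skins\\x.wsz::\winamp.htm",
    r"ms-its:C:\help\example.chm::/index.htm",
    "http://www.example.com/a/../b.html",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sorted(classify(sample)) or ["no-its-handler"], sample)
```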