Message-ID: <FCAD9F541A8E8A44881527A6792F892C33C2AB@owa.eeye.com>
From: dcopley at eEye.com (Drew Copley)
Subject: Re: IE Shell URI Download and Execute, POC

 

> -----Original Message-----
> From: Ferruh Mavituna [mailto:ferruh@...ituna.com] 
> Sent: Wednesday, July 14, 2004 7:52 AM
> To: 'L33tPrincess'; bugtraq@...urityfocus.com; 
> full-disclosure@...ts.netsys.com
> Subject: RE: [Full-Disclosure] Re: IE Shell URI Download and 
> Execute, POC
> 
> > Is the vulnerability mitigated by
> > today's Microsoft patch?
> 
> Both of the POCs are working well (at least in my system -W2K3 
> all patches-)
> after recent MS patches.
> 
> Can anyone confirm this?

I cannot. Wscript was deactivated with Guninski's WSH bug
a long time ago. I just tested running wscript in the My
Computer zone. It prompts as an unsafe ActiveX.

However, Microsoft needs to get on the ball here and secure
that zone or make it trivial for their customers to do so. (Kudos
for their link on their security page, but that kind of
thing is targeted to IT professionals -- not to the masses...
and they can figure that out by themselves already.)

I also noticed the shell: path url does work as a source in
an iframe.




> 
> 
> Ferruh.Mavituna
> http://ferruh.mavituna.com
> PGPKey : http://ferruh.mavituna.com/PGPKey.asc
> 
> > -----Original Message-----
> > From: full-disclosure-admin@...ts.netsys.com
> > [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of L33tPrincess
> > Sent: Wednesday, July 14, 2004 5:34 AM
> > To: bugtraq@...urityfocus.com; full-disclosure@...ts.netsys.com
> > Subject: [Full-Disclosure] Re: IE Shell URI Download and Execute, POC
> > 
> > Ferruh,
> > Is this a new variant (wscript.shell)?  Is the vulnerability
> > mitigated by today's Microsoft patch?
> > 
> > 
> > 
> > Hello;
> > 
> > Code is based on http://www.securityfocus.com/archive/1/367878 (POC by
> > Jelmer) message. I just added a new feature "download" and then execute
> > application. Also I use Wscript.Shell in Javascript instead of
> > Shell.Application.
> > 
> 
> 

