[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <0I9A003LM3JAAO90@i_mtaout3.012.net.il>
From: avivra at 012.net.il (Aviv Raff)
Subject: YEY AGAIN Automatic remote compromise of
InternetExplorer Service Pack 2 XP SP2
Hi,
Somehow the POC does not work on both of my WinXPSP2 pro boxes.
Both are fully patched, but one is hardened and the other is after a clean
install.
After running the POC, the IE opens the Help window, but then freezes for a
couple of minutes.
After IE stops freezing, there is no Microsoft Office.hta on the startup
folder.
And yes, I'm running this on an Administrator account.
Can anyone else confirm this?
-- Aviv Raff
>From "Zen and the Art of Why Linux Sucks": "Ahh.. Can you smell the 'open
source' zealots in the morning?".
_____
From: full-disclosure-bounces@...ts.netsys.com
[mailto:full-disclosure-bounces@...ts.netsys.com] On Behalf Of Michael
Evanchik
Sent: Friday, December 24, 2004 6:11 PM
To: full-disclosure@...ts.netsys.com; bugtraq@...urityfocus.com;
NTBUGTRAQ@...TSERV.NTBUGTRAQ.COM; vuln@...nwatch.org
Subject: [Full-Disclosure] YEY AGAIN Automatic remote compromise of
InternetExplorer Service Pack 2 XP SP2
http://freehost07.websamba.com/greyhats/sp2rc-analysis.htm
Microsoft Internet Explorer XP SP2 Fully Automated Remote Compromise
Dec, 21 2004
Vulnerable
----------
- Microsoft Internet Explorer 6.0
- Microsoft Windows XP Pro SP2
- Microsoft Windows XP Home SP2
Not Tested
------------------------
- Microsoft Windows 98
- Microsoft Internet Explorer 5.x
- Microsoft Windows 2003 Server
Severity
---------
Critical - Remote code execution, no user intervention
Proof of Concept?
------------------
- http://freehost07.websamba.com/greyhats/sp2rc.htm
- If an error is shown, press OK. This is normal.
- Notice in your startup menu a new file called Microsoft Office.hta. When
run, this file will download and launch a harmless executable (which
includes a pretty neat fire animation)
Michael Evanchik
Relationship1
p: 914-921-4400
f: 914-921-6007
mailto:mevanchik@...ationship1.com
web: http://www.relationship1.com
############################################################################
#########
This Mail Was Scanned by 012.net Anti Virus Service - Powered by TrendMicro
Interscan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20041225/f272e107/attachment.html
Powered by blists - more mailing lists