Message-ID: <e92364c3050103045311078cba@mail.gmail.com>
From: jftucker at gmail.com (James Tucker)
Subject: YEY AGAIN Automatic
remotecompromiseofInternetExplorer Service Pack 2 XP SP2
Just throwing an idea out here....
On many systems with more advanced users but less memory, I set the
Help and Support service to 'manual' start. This prevents the service
from being loaded on boot (about 30 MB of memory saved, IIRC).
Does this affect these exploits?
N.B. There is a side effect to setting the service to manual, in some
cases the requested help page will not be viewed until the second call
to the help system, at which point two help windows will be displayed.
On Mon, 27 Dec 2004 11:57:24 -0500, Michael Evanchik
<mevanchik@...ationship1.com> wrote:
>
> Works on around 30 people I know so far. On some it doesn't. You have to be
> admin; also, to view the source code you have to have the local HTML file in
> c:\windows\pchealth\helpctr\ etc. specified
>
> Another could have been used
>
> -----Original Message-----
> From: full-disclosure-bounces@...ts.netsys.com
> [mailto:full-disclosure-bounces@...ts.netsys.com]On Behalf Of Ron Jackson
> Sent: Sunday, December 26, 2004 11:14 AM
> To: full-disclosure@...ts.netsys.com
> Subject: RE: [Full-Disclosure] YEY AGAIN Automatic
> remotecompromiseofInternetExplorer Service Pack 2 XP SP2
>
> Hmm,
>
> Popped up a help window with a few lines of text in it, but that was it.
> No files in startup. Winxpsp2 fully patched, Sygate personal firewall,
> Adaware SE professional.
>
> ________________________________
>
> From: full-disclosure-bounces@...ts.netsys.com
> [mailto:full-disclosure-bounces@...ts.netsys.com] On Behalf Of Michael
> Evanchik
> Sent: Sunday, December 26, 2004 12:07 AM
> To: Aviv Raff; full-disclosure@...ts.netsys.com
> Subject: RE: [Full-Disclosure] YEY AGAIN Automatic remote
> compromiseofInternetExplorer Service Pack 2 XP SP2
>
> try www.michaelevanchik.com/security/microsoft/ie/xss/index.html
>
> might be a little more reliable PoC
>
> 1) new, not known by AVP codes
>
> 2) uses all start-up menu languages
>
> -----Original Message-----
> From: Michael Evanchik [mailto:mevanchik@...ationship1.com]
> Sent: Saturday, December 25, 2004 9:11 PM
> To: Aviv Raff; full-disclosure@...ts.netsys.com
> Subject: RE: [Full-Disclosure] YEY AGAIN Automatic remote compromise
> ofInternetExplorer Service Pack 2 XP SP2
>
> Hi Aviv,
>
> Not sure what your issue is. This has been tested on many people, and it
> works on everyone. Maybe it's your pop-up blocker? Maybe it's your AVP?
>
> This exploit is on SecurityFocus and k-otik, as they tested as well. http-equiv
> verified before any post was made to FD.
>
> In either case we did not code around pop-up blockers nor around known virus
> strings. This PoC is not for blackhat kiddies.
>
> Mike
>
> www.michaelevanchik.com
>
> -----Original Message-----
> From: full-disclosure-bounces@...ts.netsys.com
> [mailto:full-disclosure-bounces@...ts.netsys.com]On Behalf Of Aviv Raff
> Sent: Saturday, December 25, 2004 7:47 AM
> To: full-disclosure@...ts.netsys.com; 'Michael Evanchik'
> Subject: RE: [Full-Disclosure] YEY AGAIN Automatic remote compromise
> ofInternetExplorer Service Pack 2 XP SP2
>
> Hi,
>
> Somehow the PoC does not work on either of my WinXP SP2 Pro boxes.
>
> Both are fully patched, but one is hardened and the other is after a clean
> install.
>
> After running the PoC, IE opens the Help window, but then freezes for a
> couple of minutes.
>
> After IE stops freezing, there is no Microsoft Office.hta in the startup
> folder.
>
> And yes, I'm running this on an Administrator account.
>
> Can anyone else confirm this?
>
> -- Aviv Raff
> From "Zen and the Art of Why Linux Sucks": "Ahh.. Can you smell the 'open
> source' zealots in the morning?".
>
> ________________________________
>
> From: full-disclosure-bounces@...ts.netsys.com
> [mailto:full-disclosure-bounces@...ts.netsys.com] On Behalf Of Michael
> Evanchik
> Sent: Friday, December 24, 2004 6:11 PM
> To: full-disclosure@...ts.netsys.com; bugtraq@...urityfocus.com;
> NTBUGTRAQ@...TSERV.NTBUGTRAQ.COM; vuln@...nwatch.org
> Subject: [Full-Disclosure] YEY AGAIN Automatic remote compromise of
> InternetExplorer Service Pack 2 XP SP2
>
> http://freehost07.websamba.com/greyhats/sp2rc-analysis.htm
>
> Microsoft Internet Explorer XP SP2 Fully Automated Remote Compromise
>
> Dec, 21 2004
>
> Vulnerable
> ----------
> - Microsoft Internet Explorer 6.0
> - Microsoft Windows XP Pro SP2
> - Microsoft Windows XP Home SP2
>
> Not Tested
> ------------------------
> - Microsoft Windows 98
> - Microsoft Internet Explorer 5.x
> - Microsoft Windows 2003 Server
>
> Severity
> ---------
> Critical - Remote code execution, no user intervention
>
> Proof of Concept?
> ------------------
> - http://freehost07.websamba.com/greyhats/sp2rc.htm
>
> - If an error is shown, press OK. This is normal.
>
> - Notice in your startup menu a new file called Microsoft Office.hta. When
> run, this file will download and launch a harmless executable (which
> includes a pretty neat fire animation)
>
> Michael Evanchik
>
> Relationship1
>
> p: 914-921-4400
>
> f: 914-921-6007
>
> mailto:mevanchik@...ationship1.com
>
> web: http://www.relationship1.com
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
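The thread above turns on two checkable facts: whether the Help and Support service (HelpSvc on XP) is set to start automatically, and whether the PoC's indicator, a file named Microsoft Office.hta in a Startup folder, is present. The following is an added example, not code from the thread, from the PoC author, or from Microsoft; it assumes PowerShell 3 or later with WMI access on the audited machine. The service name HelpSvc and the file name Microsoft Office.hta come from the thread; the function names and everything else are the example's own.

```powershell
# Added example: audit one Windows host for the two things the thread discusses.
# Assumes PowerShell 3+ (for [pscustomobject] and the CommonStartup folder value).

function Get-HelpSvcStartMode {
    # HelpSvc is the service behind "Help and Support" on Windows XP.
    # Returns Auto, Manual, Disabled, or NotInstalled on systems without it.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='HelpSvc'"
    if ($null -eq $svc) { return 'NotInstalled' }
    return $svc.StartMode
}

function Get-StartupFolders {
    # Both the per-user and the all-users Startup folder run their contents at logon;
    # an .hta in either is launched by mshta.exe with the logging-on user's rights.
    @(
        [Environment]::GetFolderPath('Startup'),
        [Environment]::GetFolderPath('CommonStartup')
    ) | Where-Object { $_ -and (Test-Path -Path $_) }
}

function Find-StartupHta {
    param([string[]]$Folders = (Get-StartupFolders))
    foreach ($folder in $Folders) {
        Get-ChildItem -Path $folder -Filter *.hta -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Path       = $_.FullName
                    Modified   = $_.LastWriteTime
                    # The PoC in this thread drops a file with exactly this name.
                    MatchesPoC = ($_.Name -ieq 'Microsoft Office.hta')
                }
            }
    }
}

# Report: service start mode first, then any .hta files found in Startup folders.
"HelpSvc start mode: $(Get-HelpSvcStartMode)"
$hits = @(Find-StartupHta)
if ($hits.Count -eq 0) {
    'No .hta files in Startup folders.'
} else {
    $hits | Format-Table -AutoSize
}
```

Run it as the user whose Startup folder you want inspected; the all-users folder is covered regardless. A HelpSvc start mode of Manual does not by itself mean the PoC is blocked, since Help and Support can be started on demand, so treat the service check as context and the .hta listing as the actual indicator.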