Full Disclosure mailing list archives
RE: YEY AGAIN Automatic remote compromise of InternetExplorer Service Pack 2 XP SP2
From: Aviv Raff <avivra () 012 net il>
Date: Sat, 25 Dec 2004 14:46:53 +0200
Hi,

Somehow the POC does not work on both of my WinXPSP2 pro boxes. Both are fully patched, but one is hardened and the other is after a clean install.

After running the POC, the IE opens the Help window, but then freezes for a couple of minutes. After IE stops freezing, there is no Microsoft Office.hta on the startup folder. And yes, I'm running this on an Administrator account.

Can anyone else confirm this?

--
Aviv Raff
From "Zen and the Art of Why Linux Sucks": "Ahh.. Can you smell the 'open source' zealots in the morning?".

_____

From: full-disclosure-bounces () lists netsys com [mailto:full-disclosure-bounces () lists netsys com] On Behalf Of Michael Evanchik
Sent: Friday, December 24, 2004 6:11 PM
To: full-disclosure () lists netsys com; bugtraq () securityfocus com; NTBUGTRAQ () LISTSERV NTBUGTRAQ COM; vuln () vulnwatch org
Subject: [Full-disclosure] YEY AGAIN Automatic remote compromise of InternetExplorer Service Pack 2 XP SP2

http://freehost07.websamba.com/greyhats/sp2rc-analysis.htm

Microsoft Internet Explorer XP SP2 Fully Automated Remote Compromise
Dec, 21 2004

Vulnerable
----------
- Microsoft Internet Explorer 6.0
- Microsoft Windows XP Pro SP2
- Microsoft Windows XP Home SP2

Not Tested
------------------------
- Microsoft Windows 98
- Microsoft Internet Explorer 5.x
- Microsoft Windows 2003 Server

Severity
---------
Critical - Remote code execution, no user intervention

Proof of Concept?
------------------
- http://freehost07.websamba.com/greyhats/sp2rc.htm
- If an error is shown, press OK. This is normal.
- Notice in your startup menu a new file called Microsoft Office.hta. When run, this file will download and launch a harmless executable (which includes a pretty neat fire animation)

Michael Evanchik
Relationship1
p: 914-921-4400
f: 914-921-6007
mailto:mevanchik () relationship1 com
web: http://www.relationship1.com
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- YEY AGAIN Automatic remote compromise of Internet Explorer Service Pack 2 XP SP2 Michael Evanchik (Dec 24)
- RE: YEY AGAIN Automatic remote compromise of InternetExplorer Service Pack 2 XP SP2 Aviv Raff (Dec 25)
- RE: YEY AGAIN Automatic remote compromise ofInternetExplorer Service Pack 2 XP SP2 Michael Evanchik (Dec 28)
- Re: YEY AGAIN Automatic remote compromise of InternetExplorer Service Pack 2 XP SP2 morning_wood (Dec 27)
- RE: YEY AGAIN Automatic remote compromise of InternetExplorer Service Pack 2 XP SP2 Aviv Raff (Dec 25)