Re: AIM Password theft

["Lothar Kimmeringer" <bugtraq () kimmeringer de>]

On Tue, 23 Sep 2003 10:53:59 -0400, Mark Coleman wrote:

> I just started investigating a report that appears to have merit of a 
> username/password theft of AIM accounts.
>
> Users are being directed to a web page located at www.haxr.org where the 
> source appears to run a javascript program that is proportedly stealing 
> AIM usernames/passwords/buddy lists.
>
> Does anyone have any information related to www. haxr.org or the 
> technique being used? 

The technique uses a flaw in Internet Explorer with the OBJECT-tag
allowing code to be executed locally that is loaded from a website.

The tag
<![CDATA[
<object data=tracker.php></object>
]]>
lets IE download a HTML-application that will be executed after
loading.

A testpage where you can test your locally installed Internet
Explorer for being vulnerable can be found at
http://www.heise.de/security/dienste/browsercheck/demos/ie/htacheck.shtml
If your installation is vulnerable, a program will be downloaded
to C:\browsercheck.exe that will executed afterwards leading to
a window popping up. The page is in German.


Regards, Lothar

-- 
Lothar Kimmeringer                E-Mail: mailbody () kimmeringer de
               PGP-encrypted mails preferred (Key-ID: 0x8BC3CD81)

Always remember: The answer is forty-two, there can only be wrong
                 questions!



---------------------------------------------------------------------------
----------------------------------------------------------------------------