Full Disclosure mailing list archives

Re: Internet explorer 6 on windows XP allows exection of arbitrary code

From: "Thor Larholm" <thor () pivx com>
Date: Thu, 11 Sep 2003 16:02:11 -0700

The new addition here is abusing how you are able to load a ressource file,
residing in a  local security zone, into a window object. Service Pack 1 for IE6
did a lot to deter this on most regular window objects, but should have extended
that effort to searchpanes as well. Seeing as the content of a search pane can
be any registered COM extension to IE, perhaps more should be done to completely
separate these from the reach of ordinary scripting.

Combining the mediabar ressource loading with the file-protocol proxy
demonstrates just how effectively one can combine several vulnerabilities to
achieve a higher level of automation in planting and executing files. The media
bar ressource loading, and any other ressource loading technique, can be
combined with any other cross-domain scripting vulnerability to achieve the same
result.

We will definitely see more combinatorial vulnerabilities in the time to come.


Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher
http://www.pivx.com/larholm/unpatched - Unpatched IE vulnerabilities


----- Original Message ----- 
From: "jelmer" <jkuperus () planet nl>
To: <bugtraq () securityfocus com>
Cc: <full-disclosure () lists netsys com>
Sent: Thursday, September 11, 2003 3:31 PM
Subject: [Full-disclosure] Internet explorer 6 on windows XP allows exection of
arbitrary code

Internet explorer 6 on windows XP allows exection of arbitrary code

DESCRIPTION :

Yesterday Liu Die Yu released a number series of advisories concerning
internet explorer
by combining on of these issues with an earlier issue I myself reported a
while back
You can construct a specially crafted webpage that can take any action on a
users system
including but not limited to, installing trojans, keyloggers, wiping the
users harddrive etc.

<snip
http://lists.netsys.com/pipermail/full-disclosure/2003-September/009917.html>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

Internet explorer 6 on windows XP allows exection of arbitrary code jelmer (Sep 11)
- Re: Internet explorer 6 on windows XP allows exection of arbitrary code Kristian Hermansen (Sep 11)
  - Re: Internet explorer 6 on windows XP allows exection of arbitrary code jelmer (Sep 12)
- Re: Internet explorer 6 on windows XP allows exection of arbitrary code Thor Larholm (Sep 11)
  - Re: Internet explorer 6 on windows XP allows exection of arbitrary code jelmer (Sep 12)
- RE: Internet explorer 6 on windows XP allows exection of arbitrary code Richard M. Smith (Sep 12)
- Re: Internet explorer 6 on windows XP allows exection of arbitrary code Dj MegaWorld (Sep 12)
- <Possible follow-ups>
- Re: Internet explorer 6 on windows XP allows exection of arbitrary code http-equiv () excite com (Sep 12)
  - RE: Internet explorer 6 on windows XP allows exection of arbitrary code Richard M. Smith (Sep 12)
- RE: Internet explorer 6 on windows XP allows exection of arbitrary code Drew Copley (Sep 12)