Full Disclosure mailing list archives
Re: Self-Executing HTML: Internet Explorer 5.5 and 6.0 Part IV
From: "Erik van Straten" <emvs.fd.3FB4D11C () cpo tn tudelft nl>
Date: Fri, 2 Jan 2004 16:02:34 +0100
On Thu, 1 Jan 2004 22:41:35 -0000 "http-equiv () excite com" wrote:
[snip]
Fully self-contained harmless *.exe: http://www.malware.com/exe-cute-html.zip
[snip]

This doesn't look like self-executing HTML - anyway.

[Disabling Mshta.exe]

Microsoft is _WRONG_ to have HTA interpreted by default, and not even provide an option to disable it. All HTA's I've seen (quite some) were malware.

To prevent this particular exploit from running, you may want to delete or rename mshta.exe --At Your Own Risk--. I've done this on all boxes I manage on 20030909 and haven't run into problems. I've not restored this after applying MS03-040, since lusers will click OK because they don't know what an HTA is.

Note: MS03-040 won't block this exploit, and other browsers may invoke mshta.exe.

If mshta.exe is also in the DLLCache subdir, you may have to boot safe mode with command prompt, and rename/delete it in both DLLCache and System32. Warning: do not boot Safe Mode With Networking, because then XP-ICF (Internet Connection Firewall) does not run (thanks MS).

[Other Attack Vectors]

Unfortunately more attack vectors are possible. Please refrain from publishing them, the point was made (you'll be helping "the patch" morons et al, which backfires if they joe-job you or your site).

As a test I've just killbitted Shell.Application:

---------- cut here ----------
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{13709620-C279-11CE-A49E-444553540000}]
"Compatibility Flags"=dword:00000400
"Comments"="Shell.Application kill-bit/killbit 20040102"
"Reason#1"="http://seclists.org/lists/fulldisclosure/2004/Jan/0002.html"
"Reason#2"="Self-Executing HTML: Internet Explorer 5.5 and 6.0 Part IV"
-------- end cut here --------

Watch out for line wraps; there should be 7 lines. The last 3 lines are optional but help me locate why/what/when.

It prevents the exploit, however I don't know what this breaks; if anyone knows, please respond to the list (no metoo's and "use another browser" BS, please).

Also: start a new thread+subject if you wish to comment on the ICF issue, portscans, or blah.

Happy 04.
Erik

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
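A check for the line-wrap caveat in the message above, as an added example that is not part of the original post: it parses a REGEDIT4 fragment, flags any line that is neither a key nor a "name"=data pair (the usual result of a mail client wrapping the long key line), and reports per CLSID whether the 0x400 kill bit is set. The function name `audit_reg` and the wrapped sample are constructed for illustration.

```python
import re

KILL_BIT = 0x00000400  # Compatibility Flags bit that stops IE from instantiating the control
COMPAT = "\\activex compatibility\\"
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')
CLSID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
DWORD_RE = re.compile(r"dword:([0-9a-f]{1,8})", re.I)

def audit_reg(text):
    """Return ({CLSID: kill_bit_set}, [line numbers that are wrapped or malformed])."""
    status, suspect, clsid = {}, [], None
    lines = text.strip().splitlines()
    if not lines or lines[0].strip() != "REGEDIT4":
        suspect.append(1)
    for number, raw in enumerate(lines[1:], start=2):
        line = raw.strip()
        if not line:
            continue
        key, value = KEY_RE.match(line), VALUE_RE.match(line)
        if key:
            found = CLSID_RE.search(key.group(1))
            clsid = None
            if found and COMPAT in key.group(1).lower():
                clsid = found.group(0).upper()
                status.setdefault(clsid, False)
        elif value is None:
            suspect.append(number)  # neither a key nor a "name"=data line: likely a wrap
        elif clsid and value.group(1).lower() == "compatibility flags":
            flags = DWORD_RE.fullmatch(value.group(2).strip())
            if flags:
                status[clsid] = bool(int(flags.group(1), 16) & KILL_BIT)
            else:
                suspect.append(number)
    return status, suspect

# The fragment from the message above, plus a constructed copy whose key line has wrapped.
POSTED = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{13709620-C279-11CE-A49E-444553540000}]
"Compatibility Flags"=dword:00000400
"Comments"="Shell.Application kill-bit/killbit 20040102"
"Reason#1"="http://seclists.org/lists/fulldisclosure/2004/Jan/0002.html"
"Reason#2"="Self-Executing HTML: Internet Explorer 5.5 and 6.0 Part IV"
"""
WRAPPED = POSTED.replace("ActiveX Compatibility", "ActiveX\nCompatibility")

if __name__ == "__main__":
    print(audit_reg(POSTED))
    print(audit_reg(WRAPPED))
```

A non-empty second element means the fragment should be repaired before it is merged; in the wrapped copy no CLSID is recognised at all, so the kill bit would not be reported as set.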