Full Disclosure mailing list archives
RE: YEY AGAIN Automatic remote compromise ofInternetExplorer Service Pack 2 XP SP2
From: "Michael Evanchik" <mevanchik () relationship1 com>
Date: Sun, 26 Dec 2004 00:07:22 -0500
try www.michaelevanchik.com/security/microsoft/ie/xss/index.html might be a little more reliable PoC 1) new not known by AVP codes 2) uses all start up menue languages -----Original Message----- From: Michael Evanchik [mailto:mevanchik () relationship1 com] Sent: Saturday, December 25, 2004 9:11 PM To: Aviv Raff; full-disclosure () lists netsys com Subject: RE: [Full-disclosure] YEY AGAIN Automatic remote compromise ofInternetExplorer Service Pack 2 XP SP2 Hi Aviv, Not sure what your issue is. This has been tested on many people, and it works on everyone. Maybe its your pop up blocker? Maybe its your AVP? This exploit is on Securityfocus and k-otik as they tested as well. Http equiv verified before any post was made to FD. In either case we did not code around pop up blockers nor around known virus strings. This PoC is not for blackhats kiddies. Mike www.michaelevanchik.com -----Original Message----- From: full-disclosure-bounces () lists netsys com [mailto:full-disclosure-bounces () lists netsys com]On Behalf Of Aviv Raff Sent: Saturday, December 25, 2004 7:47 AM To: full-disclosure () lists netsys com; 'Michael Evanchik' Subject: RE: [Full-disclosure] YEY AGAIN Automatic remote compromise ofInternetExplorer Service Pack 2 XP SP2 Hi, Somehow the POC does not work on both of my WinXPSP2 pro boxes. Both are fully patched, but one is hardened and the other is after a clean install. After running the POC, the IE opens the Help window, but then freezes for a couple of minutes. After IE stops freezing, there is no Microsoft Office.hta on the startup folder. And yes, I'm running this on an Administrator account. Can anyone else confirm this? -- Aviv Raff From "Zen and the Art of Why Linux Sucks": "Ahh.. Can you smell the 'open source' zealots in the morning?". ---------------------------------------------------------------------------- From: full-disclosure-bounces () lists netsys com [mailto:full-disclosure-bounces () lists netsys com] On Behalf Of Michael Evanchik Sent: Friday, December 24, 2004 6:11 PM To: full-disclosure () lists netsys com; bugtraq () securityfocus com; NTBUGTRAQ () LISTSERV NTBUGTRAQ COM; vuln () vulnwatch org Subject: [Full-disclosure] YEY AGAIN Automatic remote compromise of InternetExplorer Service Pack 2 XP SP2 http://freehost07.websamba.com/greyhats/sp2rc-analysis.htm Microsoft Internet Explorer XP SP2 Fully Automated Remote Compromise Dec, 21 2004 Vulnerable ---------- - Microsoft Internet Explorer 6.0 - Microsoft Windows XP Pro SP2 - Microsoft Windows XP Home SP2 Not Tested ------------------------ - Microsoft Windows 98 - Microsoft Internet Explorer 5.x - Microsoft Windows 2003 Server Severity --------- Critical - Remote code execution, no user intervention Proof of Concept? ------------------ - http://freehost07.websamba.com/greyhats/sp2rc.htm - If an error is shown, press OK. This is normal. - Notice in your startup menu a new file called Microsoft Office.hta. When run, this file will download and launch a harmless executable (which includes a pretty neat fire animation) Michael Evanchik Relationship1 p: 914-921-4400 f: 914-921-6007 mailto:mevanchik () relationship1 com web: http://www.relationship1.com ############################################################################ ######### This Mail Was Scanned by 012.net Anti Virus Service - Powered by TrendMicro Interscan
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- RE: YEY AGAIN Automatic remote compromise ofInternetExplorer Service Pack 2 XP SP2 Michael Evanchik (Jan 06)
- <Possible follow-ups>
- RE: YEY AGAIN Automatic remote compromise ofInternetExplorer Service Pack 2 XP SP2 Michael Evanchik (Jan 06)
- RE: YEY AGAIN Automatic remote compromise ofInternetExplorer Service Pack 2 XP SP2 Michael Evanchik (Jan 06)