Vulnerability Development mailing list archives

Re: local security workaround through IE


From: iwertheimer () KPMG COM (Wertheimer, Ishai)
Date: Thu, 6 Apr 2000 06:00:20 -0400


I'd like to add that I saw more than one case when you could run any app you
want through Winzip.

They wanted to enable the opportunity to zip files, but when any file is
accessed through Winzip you can 'open' it and exploit the whole system
(especially when they've left the Poledit in the public NetWare folder...)

Cheers,

Ishai Wertheimer

        -----Original Message-----
        From:   Javor Ninov [SMTP:javor () multigroup-bg com]
        Sent:   ? 05 ????? 2000 14:09
        To:     VULN-DEV () SECURITYFOCUS COM
        Subject:        Re: local security workaround through IE

        Another way to get a DOS prompt is via OLE objects :-))
        Example:
        Start WordPad, go to menu INSERT, OBJECT, CREATE FROM FILE and type
        the location of the program you wish to start (c:\command.com)

        ----- Original Message -----
        From: "Blue Boar" <BlueBoar () THIEVCO COM>
        To: <VULN-DEV () SECURITYFOCUS COM>
        Sent: Saturday, March 25, 2000 10:02 AM
        Subject: Re: local security workaround through IE

        > Knud Erik Højgaard wrote:
        > >
        > > On many 'crippled' public computers (at libraries etc.) running some
        > > sort of restriction software, it's possible to use file/open/browse
        > > in IE, type for instance c:\ as filename, and get a directory
        > > overview. Nice for determining what kind of security software is
        > > running (by looking in 'program files' *doh daft admins*), deleting
        > > files etc. This is not a bug in IE, just bad programming from the
        > > software dudes... I guess?
        > > Right click the file you want to run, and instead of choosing the
        > > top option called 'select', use #2 called 'open' ... sometimes
        > > access is disallowed to certain files, i.e. command.com etc., but
        > > simply downloading the file from somewhere else or copying it to
        > > another location usually lets you run pretty much whatever you want.
        >
        > I've managed to get my prompt back on an NT box I was configuring to
        > be a kiosk via Netscape.. I secured it a bit too much during one
        > round. :)
        > You can reconfigure just about any MIME type to execute an external
        > program, say explorer.exe.
        >
        > I had Netscape set to be the shell.  It's easy to forget that changing
        > everyone to no access overrides admin having any access, since
        > everyone includes admin, and no access overrides any other ACLs.
        > Whoops.
        >
        > > I've had loads of fun mass OOB'ing
        > > libraries from one of their own machines.. yes I know it's lame, but
        > > I kind of like looking at 40 screens turning blue one after another..
        > >
        > > comments anyone ?
        > >
        >
        > Yes, winnuking is lame. :)
        >
        > That was patched a long time ago... they're still vulnerable?
        >
        > BB
        >
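
The ACL pitfall Blue Boar describes in the quoted message (No Access for Everyone overriding an administrator's rights), as an added example that is not part of the original thread: a simplified Python model of ordered ACE evaluation. The account names, rights bits and helper functions are assumptions made for illustration.

```python
# Simplified model of NT-style discretionary ACL evaluation (added illustration).
# Sample accounts and ACLs are constructed; all names here are hypothetical.
from dataclasses import dataclass

READ, WRITE, EXECUTE = 1, 2, 4
FULL = READ | WRITE | EXECUTE

@dataclass(frozen=True)
class Ace:
    kind: str      # "deny" or "allow"
    trustee: str   # user or group the entry applies to
    mask: int      # rights covered by this entry

def canonical(acl):
    """Canonical order: deny entries before allow entries (stable sort)."""
    return sorted(acl, key=lambda ace: ace.kind != "deny")

def access_check(acl, token, desired):
    """Walk ACEs in order; a matching deny on a still-needed right fails at once."""
    remaining = desired
    for ace in acl:
        if ace.trustee not in token:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return False  # rights that were never granted are implicitly denied

def admin_lockouts(acl, admin_token):
    """Audit helper: deny entries that also match the administrator's token."""
    return [ace for ace in acl if ace.kind == "deny" and ace.trustee in admin_token]

# Constructed tokens: every account is implicitly a member of Everyone.
ADMIN_TOKEN = {"Administrator", "Administrators", "Everyone"}
KIOSK_TOKEN = {"kiosk", "Users", "Everyone"}

# The mistake from the thread: No Access for Everyone next to Full Control for admins.
broken = canonical([Ace("allow", "Administrators", FULL), Ace("deny", "Everyone", FULL)])
# Narrower lockdown: deny only the kiosk account, so the admin allow entry still applies.
fixed = canonical([Ace("allow", "Administrators", FULL), Ace("deny", "kiosk", FULL)])

if __name__ == "__main__":
    for name, acl in (("broken", broken), ("fixed", fixed)):
        print(name, "admin:", access_check(acl, ADMIN_TOKEN, FULL),
              "kiosk:", access_check(acl, KIOSK_TOKEN, EXECUTE),
              "lockouts:", [a.trustee for a in admin_lockouts(acl, ADMIN_TOKEN)])
```

Running `admin_lockouts` over an ACL before applying it flags the Everyone deny entry that would leave the administrator without access.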

