Vulnerability Development mailing list archives
DevDoc ActiveX Cookie
From: Рягин Михаил Юрьевич <ryagin () EXTRIM RU>
Date: Wed, 8 Nov 2000 12:55:55 +0500
There is an ActiveX object, included for example, in Microsft MSDN (develper's e-library), marked as safe for scripting, which allows to store special "dev-cookies" on user computer. Dev-Cookie is a named string of length <=126. Name is limited to 127 characters. It is saved under HKCU\Software\Microsoft\DevDoc\Cookie registry key and keeps being available even after system reboots. Example code: ------cut here----- <OBJECT CLASSID="clsid:59CC0C20-679B-11D2-88BD-0800361A1803" WIDTH=100 HEIGHT=100 ID="Cook"> </OBJECT> <A HREF="javascript:Cook.putValue('windows','suxx');">put</A> <A HREF="javascript:var c=Cook.getValue('windows'); alert('windows is '+c);">get</A> -----cut there----- First, click on 'put' link. Second, close you browser window. You can even reboot your PC. Third, click on 'get' link. The malicious code is in the %Program Files%\Common Files\Microsoft Shared\MSDN\CookDoc.dll. Tested on: Windows 2000, Windows 98, MSDN April 99, January 2000
Current thread:
- DevDoc ActiveX Cookie Рягин Михаил Юрьевич (Nov 09)