Vulnerability Development mailing list archives
RE: Rather large MSIE-hole
From: "Tiago Halm" <thalm () hotmail com>
Date: Sat, 16 Mar 2002 04:42:39 +0000
After a little testing over this MSIE hole I believe IE has (in this matter) two flaws.

1º: There is an obvious bug in the HTML OBJECT tag rendering process. The HTML code can even be written like

<OBJECT NAME='X' CLASSID='CLSID:aaaaaaaa' CODEBASE='file://c:\windows\system32\cmd.exe'></OBJECT>

As you see the CLASSID only needs the first 8 hexadecimal values. The CODEBASE can be any pluggable protocol like file: ftp: res: http: about:

2º: A popup window doesn't run within the browser security settings. If you try the above code in a normal HTML page like:

<html>
<body>
<OBJECT NAME='X' CLASSID='CLSID:aaaaaaaa' CODEBASE='file://c:\windows\system32\cmd.exe'></OBJECT>
</body>
</html>

The ActiveX control being downloaded is treated like an unsigned ActiveX control. If you then go to the security settings of your browser and set the "download unsigned ActiveX controls" option to "prompt" then you'll get a warning message saying "Authenticode signature not found" and asking you to choose what to do. This behavior should occur when the popup window is shown and its HTML code rendered.

Finally, when I tried to run "Event Viewer" as

<OBJECT NAME='X' CLASSID='CLSID:aaaaaaaa' CODEBASE='file://c:\windows\system32\eventvwr.exe'></OBJECT>

The event viewer seems to receive a parameter "Program" because before showing the Event Viewer MMC, it states the following:

-------------------------------------------------------------
Unable to connect to the computer "Program".
The error was: The network path was not found.
-------------------------------------------------------------

It's rather strange...

Tiago Halm
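As an added example (not part of the original post): a small Python audit that flags OBJECT tags of the shape described in the message, i.e. a CLASSID that is not a full CLSID, or a CODEBASE that names a local or directly executable file. The reason labels, the extension list and the second sample tag are assumptions made for this illustration.

```python
import re
from html.parser import HTMLParser

# A registry-format CLSID has 8-4-4-4-12 hex digits; the post's tag supplies only 8.
FULL_CLSID = re.compile(r"clsid:\{?[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?", re.I)
# Extensions treated as directly runnable (assumed list, extend for your environment).
EXEC_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif")

def codebase_reasons(codebase):
    """Return the reasons a CODEBASE value deserves review."""
    reasons = []
    target = re.split(r"[#?]", codebase.strip(), maxsplit=1)[0].lower()  # drop "#version=..."
    scheme = re.match(r"([a-z][a-z0-9+.-]*):", target)
    # "file:" or a bare drive letter ("c:\...") both name something already on the client.
    if scheme and (scheme.group(1) == "file" or len(scheme.group(1)) == 1):
        reasons.append("local-codebase")
    if target.endswith(EXEC_EXT):
        reasons.append("executable-codebase")
    return reasons

class ObjectTagAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "object":
            return
        a = {k: (v or "") for k, v in attrs}  # attribute names arrive lower-cased
        reasons = []
        classid = a.get("classid", "").strip()
        if classid.lower().startswith("clsid:") and not FULL_CLSID.fullmatch(classid):
            reasons.append("malformed-classid")
        reasons += codebase_reasons(a.get("codebase", ""))
        if reasons:
            self.findings.append((a.get("name", ""), reasons))

def audit(html):
    auditor = ObjectTagAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# First tag is the one quoted in the post; the second is a constructed well-formed control.
SAMPLE = r"""<html><body>
<OBJECT NAME='X' CLASSID='CLSID:aaaaaaaa' CODEBASE='file://c:\windows\system32\cmd.exe'></OBJECT>
<object name="ok" classid="clsid:01234567-89ab-cdef-0123-456789abcdef"
        codebase="https://example.test/control.cab#version=1,0,0,0"></object>
</body></html>"""
```

Calling `audit(SAMPLE)` returns one finding for the tag named X and none for the well-formed control.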