Re: pure IE code injection

["NDR113 NDR113" <ndr113 () mad scientist com>]

----- Original Message -----
From: heyhey_ <heyhey_ () iname com>
Date: Sat, 23 Mar 2002 20:49:22 +0200
To: vuln-dev () securityfocus com
Subject: pure IE code injection


> hi al,
>
> I have successfully injected, executable code through .mhtml
> page on on my own development machine. pretty scary stuff.
>
> it seems that IE decodes all 'html attachments' inside Windows
> temporary folder (TEMP environment variable) so one can easily
> 'attach' executable code and all that he needs to do is to guess the
> temporary directory.
>
> Tested environment WinNT4 WS sp6+hotfixes, IE 6.0.2600.0000
>
> attached is my ugly test code (zipped .mhtml page). Extract the page,
> put it on some web server and access it from IE.
>
> IMPORTANT !
> .mhtml page contains Base64 encoded executable file (NT calc.exe) that
> may be executed on your local machine if your temporary directory is
> c:\temp or d:\temp
>
>
> P.S. Several friends made quick tests with following results:
> (I was unable top monitor tests, so results may be wrong)
>
> WinXP machine - unable to find extracted files on local HDD ??
> Win2K machine - unable to find extracted files on local HDD ??
> WinNT + IE 5.5 - file can be found inside
> C:/WINNT/Profiles/..../Local Settings/Temporary Internet Files/Content.IE5/QRAPUDEX/
> but is not automatically executed.
>
> -- 
> Best regards,
>  Ivan                          mailto:heyhey_ () iname com

i've done some testing and i found that
MS Windows 98 + MSIE 5.5 is also vulnerable to this bug :

Windows 98 + MSIE 5.5 - C:\windows\temporary internet files\Content.IE5\L97NNNDP\
&
C:\windows\temporary internet files\Content.IE5\6VIPAH6X\




-- 

_______________________________________________
Sign-up for your own FREE Personalized E-mail at Mail.com
http://www.mail.com/?sr=signup

Win the Ultimate Hawaiian Experience from Travelocity.
http://ad.doubleclick.net/clk;4018363;6991039;n?http://svc.travelocity.com/promos/winhawaii/