Vulnerability Development mailing list archives
Re: pure IE code injection
From: "NDR113 NDR113" <ndr113 () mad scientist com>
Date: Sun, 24 Mar 2002 08:20:32 -0500
----- Original Message ----- From: heyhey_ <heyhey_ () iname com> Date: Sat, 23 Mar 2002 20:49:22 +0200 To: vuln-dev () securityfocus com Subject: pure IE code injection
hi al, I have successfully injected, executable code through .mhtml page on on my own development machine. pretty scary stuff. it seems that IE decodes all 'html attachments' inside Windows temporary folder (TEMP environment variable) so one can easily 'attach' executable code and all that he needs to do is to guess the temporary directory. Tested environment WinNT4 WS sp6+hotfixes, IE 6.0.2600.0000 attached is my ugly test code (zipped .mhtml page). Extract the page, put it on some web server and access it from IE. IMPORTANT ! .mhtml page contains Base64 encoded executable file (NT calc.exe) that may be executed on your local machine if your temporary directory is c:\temp or d:\temp P.S. Several friends made quick tests with following results: (I was unable top monitor tests, so results may be wrong) WinXP machine - unable to find extracted files on local HDD ?? Win2K machine - unable to find extracted files on local HDD ?? WinNT + IE 5.5 - file can be found inside C:/WINNT/Profiles/..../Local Settings/Temporary Internet Files/Content.IE5/QRAPUDEX/ but is not automatically executed. -- Best regards, Ivan mailto:heyhey_ () iname com
i've done some testing and i found that MS Windows 98 + MSIE 5.5 is also vulnerable to this bug : Windows 98 + MSIE 5.5 - C:\windows\temporary internet files\Content.IE5\L97NNNDP\ & C:\windows\temporary internet files\Content.IE5\6VIPAH6X\ -- _______________________________________________ Sign-up for your own FREE Personalized E-mail at Mail.com http://www.mail.com/?sr=signup Win the Ultimate Hawaiian Experience from Travelocity. http://ad.doubleclick.net/clk;4018363;6991039;n?http://svc.travelocity.com/promos/winhawaii/
Current thread:
- pure IE code injection heyhey_ (Mar 23)
- RE: pure IE code injection Tiago Halm (Mar 23)
- <Possible follow-ups>
- Re: pure IE code injection NDR113 NDR113 (Mar 24)