
Weld Pond's Response to The IE Bug, Reprinted from Bugtraq's


The Pull
Jun 26, 2000
Just to add, yeah, the path is wrong for w2k is all.


Path: t
From: we...@L0PHT.COM (Weld Pond)
Newsgroups: muc.lists.bugtraq
Subject: Re: Force Feeding
Date: 26 Jun 2000 20:46:03 +0200
Organization: Mail2News Gateway at CameloT Online Services
Lines: 36
Approved: ne...@camelot.de
Message-ID: <Pine.BSO.4.21.000625...@0nus.l0pht.com>
References: <414102.9618768278...@goochy.excite.com>
Reply-To: Weld Pond <we...@L0PHT.COM>
NNTP-Posting-Host: robin.camelot.de
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Trace: lancelot.camelot.de 962045163 82299 195.30.224.3 (26 Jun 2000 18:46:03 GMT)
X-Complaints-To: ab...@camelot.de
NNTP-Posting-Date: 26 Jun 2000 18:46:03 GMT
Xref: muc.lists.bugtraq:3094


Regarding the mars exploit demo at
http://members.xoom.com/malware/mars.mhtml. There seem to be two separate
problems being exploited here for the desired effect of downloading and
executing code.

You can get any local .exe to execute in IE by referring to it in the
CODEBASE parameter of an ActiveX object tag. The CLASSID can be anything
but all zeros. Here is a code snippet, courtesy of Dildog, which will
execute calc.exe if it is in c:\windows\system32\

<HTML>
<HEAD>
</HEAD>
<BODY>
<OBJECT CLASSID='CLSID:10000000-0000-0000-0000-000000000000'
CODEBASE='c:\windows\system32\calc.exe'></OBJECT>
</BODY></HTML>

The other problem is the fact that .exe files can get downloaded to your
local system without you being able to cancel the operation. I tested the
malware exploit on win98 with medium security settings (the default) and
it worked as promised.

But what was far worse was it worked at the high security setting also. A
warning message came up saying "Due to your security settings you cannot
download that file." You press OK and the file is downloaded anyway. Then
it executes when used as the codebase of an ActiveX control.

The demo exploit won't work in W2K because the temp directory where the
.exe is downloaded to is "c:\documents and
settings\'username'\local settings\temp". If it is possible to get the
username through JavaScript and another ActiveX control it could possibly
be made to work there also.

-weld
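The trick Weld describes above, an OBJECT tag whose CODEBASE names a file on the local disk, is easy to spot in static HTML. The scanner below is an added example for this reprint, not code from the original post, from Weld Pond, Dildog or L0pht. It uses only the Python standard library (html.parser, urllib.parse) and runs over a constructed sample that contains the calc.exe snippet from the post, the same tag with the all-zeros CLSID, a benign http CODEBASE, and a file: URL variant. It flags any OBJECT whose CODEBASE is a drive-letter path, a UNC path or a file: URL, records whether the target ends in .exe, and notes whether the CLSID is the all-zeros value the post says does not trigger the bug; the all-zeros check is reported rather than used to suppress a finding, since a scanner should not rely on that detail.

```python
"""Flag <OBJECT> tags whose CODEBASE points at a local file (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample input: the snippet from the post plus three variants.
SAMPLE_HTML = """
<HTML><HEAD></HEAD><BODY>
<OBJECT CLASSID='CLSID:10000000-0000-0000-0000-000000000000'
CODEBASE='c:\\windows\\system32\\calc.exe'></OBJECT>
<OBJECT CLASSID='CLSID:00000000-0000-0000-0000-000000000000'
CODEBASE='c:\\windows\\system32\\calc.exe'></OBJECT>
<OBJECT CLASSID='CLSID:D27CDB6E-AE6D-11cf-96B8-444553540000'
CODEBASE='http://example.invalid/swflash.cab#version=5,0,0,0'></OBJECT>
<OBJECT CLASSID='CLSID:10000000-0000-0000-0000-000000000000'
CODEBASE='file:///C:/temp/payload.exe'></OBJECT>
</BODY></HTML>
"""

DRIVE_PATH = re.compile(r"^[A-Za-z]:[\\/]")          # c:\... or c:/...
UNC_PATH = re.compile(r"^\\\\[^\\]+\\")              # \\server\share\...
ZERO_CLSID = re.compile(r"^(clsid:)?0{8}-0{4}-0{4}-0{4}-0{12}$", re.I)


def is_local_codebase(value: str) -> bool:
    """True if a CODEBASE value resolves to the local filesystem."""
    value = value.strip()
    if DRIVE_PATH.match(value) or UNC_PATH.match(value):
        return True
    # urlparse lowercases the scheme; "c:\..." is caught above before it
    # could be misread as a URL with scheme "c".
    return urlparse(value).scheme == "file"


class ObjectScanner(HTMLParser):
    """Collect OBJECT tags with a local CODEBASE; attribute names arrive lowercased."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[dict] = []

    def handle_starttag(self, tag: str, attrs: list) -> None:
        if tag != "object":
            return
        a = {name: (val or "") for name, val in attrs}
        codebase = a.get("codebase", "")
        if not is_local_codebase(codebase):
            return
        classid = a.get("classid", "")
        self.findings.append({
            "classid": classid,
            "codebase": codebase,
            "executable": codebase.strip().lower().endswith(".exe"),
            "zero_clsid": bool(ZERO_CLSID.match(classid.strip())),
        })


def scan(html: str) -> list[dict]:
    """Return one finding per OBJECT tag whose CODEBASE is a local path or file: URL."""
    parser = ObjectScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for f in scan(SAMPLE_HTML):
        print(f"local CODEBASE {f['codebase']!r} (classid={f['classid']}, "
              f"exe={f['executable']}, zero_clsid={f['zero_clsid']})")
```

Run it directly to print the three matching tags from the sample; the http CODEBASE is not reported. The same scan function can be fed any saved page or mail body to triage for this pattern.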
