Re: XML scripting in IE, Outlook Express

From: http-equivat_private
Date: Thu Apr 26 2001 - 09:10:14 PDT


    Reference the subject. The problem appears to be both simple and complex.
    The purpose of the exercise is to disable ONLY active scripting in Internet
    Explorer.  Accordingly the demo works despite patching everything including
    WSH 5.5 and disabling ActiveScripting.  Can confirm from these quarters on
    win98 and IE5.5 fully patched.
    
    It seems most are either setting security to high, which disables ActiveX
    (this is returning the xml script error), or manually disabling both
    ActiveScripting and ActiveX, resulting in the same.
    
    Set or leave the security settings on default and only disable
    ActiveScripting.
    
    The following are *absolute* bare minimum demos. Note that what is at play
    is scripting:
    
    a=new ActiveXObject('htmlfile');
    a.location=
    
    What these will do is spawn a new window despite active scripting being
    disabled, in both the browser and the mail client. Particularly useful for
    Spam email and Usenet when everyone thinks scripting is disabled. Again:
    these demos are the bare minimum in order to demonstrate:
    
    IE5.5 - ActiveScripting Disabled
    
    http://www.malware.com/spawn.html
    
    OE5.5 - ActiveScripting Disabled
    
    [save to disk and open in mail client]
    
    http://www.malware.com/spawn.eml
    
    Once again: bare minimum demos for demo purposes only; someone can spend
    their own time developing them into a workable risk. However, the original
    poster's demo should work just fine.
    
    Further, we can crash everything that touches this extremely hard. Both
    IE5.5 and OE5.5. Stripping the already bare minimum demos, in IE5.5 we
    achieve:
    
    IEXPLORE caused an invalid page fault in
    module MSHTML.DLL at 015f:020bf7be.
    
    Working demo:
    
    [save to disk and open in mail client]
    
    http://www.malware.com/crash.html
    
    and in OE5.5
    
    MSIMN caused an invalid page fault in
    module MSHTML.DLL at 015f:01c9f7be.
    
    Working demo:
    
    [save to disk and open in mail client]
    
    http://www.malware.com/crash.eml
    
    
    All tested in win98 fully patched, IE5.5 fully patched [everything], and OE5.5.
    Security settings on IE5.5 at default + SCRIPTING DISABLED, and OE5.5
    security settings RESTRICTED (coupled with browser setting of scripting
    disabled). Other configurations/systems may differ.
    
    
    ---
    http://www.malware.com
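Since the post's point is that the `new ActiveXObject('htmlfile')` construct runs in mail and HTML content even where the recipient believes scripting is off, a mail gateway or archive scanner that flags such instantiations in text/html MIME parts is the defender's counterpart. The example below is added here and is not code from the post or from malware.com; the sample .eml is constructed to resemble the bare-minimum demo, and the `example.invalid` addresses are placeholders.

```python
import email
import re
from email import policy

# Constructed sample message (not the original spawn.eml): a single-part
# text/html mail whose body instantiates the 'htmlfile' ActiveX control.
SAMPLE_EML = """\
From: sender@example.invalid
To: recipient@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body><script>
a=new ActiveXObject('htmlfile');
a.location='http://example.invalid/';
</script></body></html>
"""

# Matches `new ActiveXObject('<ProgID>')` with either quote style and any
# whitespace; the ProgID is captured so the scanner can report what was asked for.
ACTIVEX_RE = re.compile(
    r"new\s+ActiveXObject\s*\(\s*(?P<q>['\"])(?P<progid>[^'\"]+)(?P=q)\s*\)",
    re.IGNORECASE,
)


def scan_html(html: str) -> list:
    """Return the lower-cased ProgIDs of every ActiveXObject instantiated in html."""
    return [m.group("progid").lower() for m in ACTIVEX_RE.finditer(html)]


def scan_eml(raw: str) -> list:
    """Walk every text/html MIME part of a raw RFC 822 message and collect
    ActiveX ProgIDs; a non-empty result is the signal a gateway would act on."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            hits.extend(scan_html(part.get_content()))
    return hits


if __name__ == "__main__":
    import sys
    raw = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_EML
    found = scan_eml(raw)
    print("ActiveX instantiation found:", found if found else "none")
```

Run with a path to an .eml file to scan it, or with no arguments to scan the constructed sample; a multipart message is handled because `walk()` visits every nested part.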
    



    This archive was generated by hypermail 2b30 : Thu Apr 26 2001 - 23:08:46 PDT