Bugtraq mailing list archives
Re: Force Feeding
From: weld () L0PHT COM (Weld Pond)
Date: Sun, 25 Jun 2000 11:54:54 -0500
Regarding the mars exploit demo at http://members.xoom.com/malware/mars.mhtml.

There seem to be two separate problems being exploited here for the desired effect of downloading and executing code.

You can get any local .exe to execute in IE by referring to it in the CODEBASE parameter of an ActiveX object tag. The CLASSID can be anything but all zeros. Here is a code snippet, courtesy of Dildog, which will execute calc.exe if it is in c:\windows\system32\

    <HTML>
    <HEAD>
    </HEAD>
    <BODY>
    <OBJECT CLASSID='CLSID:10000000-0000-0000-0000-000000000000' CODEBASE='c:\windows\system32\calc.exe'></OBJECT>
    </BODY></HTML>

The other problem is the fact that .exe files can get downloaded to your local system without you being able to cancel the operation.

I tested the malware exploit on win98 with medium security settings (the default) and it worked as promised. But what was far worse was it worked at the high security setting also. A warning message came up saying "Due to your security settings you cannot download that file." You press OK and the file is downloaded anyway. Then it executes when used as the codebase of an ActiveX control.

The demo exploit won't work in W2K because the temp directory where the .exe is downloaded to is "c:\documents and settings\'username'\local settings\temp". If it is possible to get the username through JavaScript and another ActiveX control it could possibly be made to work there also.

-weld
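
Added example, not part of the post above or of the archive: a defender-side check in Python that scans saved HTML or mail bodies for the pattern the post describes, an OBJECT tag whose CODEBASE names a local executable. The path and extension heuristics, the names used, and the second (remote) OBJECT in the sample are assumptions of this example.

```python
import re
from html.parser import HTMLParser

# Heuristics chosen for this example (assumptions, not taken from the post):
# a drive-letter path, a UNC path, or a file: URL counts as "local".
LOCAL_PATH = re.compile(r"^(?:[a-z]:[\\/]|\\\\|file:)", re.IGNORECASE)
EXECUTABLE = re.compile(r"\.(?:exe|com|bat|cmd|scr|pif)$", re.IGNORECASE)


class ObjectCodebaseScanner(HTMLParser):
    """Collects OBJECT tags whose CODEBASE points at a local executable."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "object":  # HTMLParser lowercases tag and attribute names
            return
        attr = {name: (value or "") for name, value in attrs}
        codebase = attr.get("codebase", "").strip()
        # CODEBASE may carry a "#version=..." suffix; ignore it when matching.
        target = codebase.split("#", 1)[0]
        if LOCAL_PATH.match(target) and EXECUTABLE.search(target):
            line, _ = self.getpos()
            self.findings.append({"line": line,
                                  "classid": attr.get("classid", ""),
                                  "codebase": codebase})


def scan_html(text):
    """Return one finding per OBJECT tag with a local-executable CODEBASE."""
    scanner = ObjectCodebaseScanner()
    scanner.feed(text)
    scanner.close()
    return scanner.findings


# Constructed sample: the snippet quoted in the post plus a remote CODEBASE.
SAMPLE = r"""<HTML>
<BODY>
<OBJECT CLASSID='CLSID:10000000-0000-0000-0000-000000000000'
        CODEBASE='c:\windows\system32\calc.exe'></OBJECT>
<OBJECT CLASSID='CLSID:20000000-0000-0000-0000-000000000000'
        CODEBASE='http://example.com/control.cab#version=1,0,0,0'></OBJECT>
</BODY></HTML>"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE):
        print(finding)
```

Only the first OBJECT in the sample is reported; the remote CODEBASE is left alone because the check keys on local paths, not on the presence of an OBJECT tag.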