Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

HijackClick 3

From: Paul <paul () greyhats cjb net>
Date: 11 Jul 2004 15:53:15 -0000


Note: This vulnerability as well as several more can be found at http://www.greyhats.cjb.net

HijackClick 3!!!
Took the name from Liu Die Yu :) 

[Tested]
IEXPLORE.EXE file version 6.0.2800.1106
MSHTML.DLL file version 6.00.2800.1400
Microsoft Windows XP sp2 

[Discussion]
The HijackClick series have been used to force a drag and drop event simply from the user clicking a something. This is 
done by moving the window when onmousedown fires. Previously, window.moveBy/To has been used. This has been patched. 
Apparently, window.resizeBy/To would work too because it gives access denied if it tries to execute when onmousedown 
fires. Microsoft just disabled those functions from being called when the mouse button is down and called it patched. 
No more hijackclick, right?

Wrong. 

Popup.show() allows you to show a popup with desired left, top, height, and width values. The show() function doesnt 
give access denied when we call it on mousedown. Let's try it with a link on a popup. I'll make show() move the popup 
off the screen. Does it work? Yes, it changes the cursor. Good. A drag event just took place. With a little 
fine-tuning, we can make it show the popup on loading of the main window, move the popup and show a favorites list on 
mousedown, and set a timer to hide the favorites list and taunt the victim who just got tricked into adding a link of 
our choice to their favorites list :).

[Example]
http://freehost07.websamba.com/greyhats/hijackclick3.htm

And when you patch this one, Microsoft, please remember to patch the show() function method cache part, too. You don't 
want HijackClick4, do you? ;)
Previous By Date Next
Previous By Thread Next

Current thread: