Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Self-Executing HTML: Internet Explorer 5.5 and 6.0 Part IV

From: "Thor Larholm" <thor () pivx com>
Date: Fri, 2 Jan 2004 19:14:46 -0800
From: "morning_wood" <se_cur_ity () hotmail com>
running "malware.html" locally does produce the desired results, but then
again...



The exploit is intended and created to be run locally from a local security
zone - getting to a local zone in the first place requires other
vulnerabilities.


i can get any html to execute locally calling a remote location for the

code, as

long as its run from the local machine.


There are several steps involved in most of all IE command execution
exploits, some of these involve downloading and executing a file once you
are already in a local security zone. What http-equiv did was to simplify
that part of the process by using the Shell.Application object.



Regards

Thor Larholm
Senior Security Researcher
PivX Solutions
24 Corporate Plaza #180
Newport Beach, CA 92660
http://www.pivx.com
thor () pivx com
949-231-8496

PivX defines "Proactive Threat Mitigation". Get a FREE Beta Version of
Qwik-Fix
<http://www.qwik-fix.net>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Previous By Date Next
Previous By Thread Next

Current thread: