Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Microsoft Help ActiveX Control Related Topics Local Content Accessing

from [Paul] Network Security [Permanent Link]
Subject: Microsoft Help ActiveX Control Related Topics Local Content Accessing Vulnerability
Date: 27 Nov 2004 23:22:48 -0000 


Greyhats Security Group is back and we're ready to kick the crap out of sp2 :). 
Looks like all the vulnerabilities previously posted by us have been patched. 
Good work, Microsoft. We're not through yet, though. Here's proof that no 
matter how many millions of dollors you spend on security, there will always be 
things you missed.
 
Btw, I codenamed this LongNameVuln because its a lot easier to remember then 
Help ActiveX Control Related Topics Local Content Accessing Vulnerability :)

[Tested]
IEXPLORE.EXE file version 6.0.2900.2180
MSHTML.DLL file version 6.00.2800.1400
Microsoft Windows XP Home SP2 

[Discussion]
Recently, a security professional aliased http-equiv (malware.com) found a 
vulnerability in Microsoft's new Service Pack (SP2). What was required to 
compromise the victim's machine was the dragging of an specially-crafted into a 
folderview window, and then the clicking of a button. LongNameVuln is a more 
efficient way of acheiving this common goal of compromising the system. It 
removes the extra step of having to click a button in order to access a page on 
the local machine. It can be done easily. Using the Related Topics command of 
Microsoft's Help ActiveX Control, any page can be loaded into a target frame. 
Unfortuneatly, only addresses that actually point to a location can be used. 
This does not include protocols such as javascript and vbscript. However, we 
can still break out of the Internet Zone and open up a page in the local zone. 
That is what this vulnerability achieves. 

The example shows the picture of a garden which includes a carrot. Dragging the 
carrot to the bottom frame in the browser (set up to be the outside of the 
garden) will copy a file to PCHealth directory in C:\windows, which will then 
be launched, creating another file in the same directory called Greyhats.hta, 
which must be launched manually. The directory could easily be changed to 
shell:startup, however this is not necissary for this example. This is the same 
payload as given in NoCeegar on malware.com because my server doesn't have the 
capabilities to host the payload file like malware.com does :). 

View the example at http://freehost07.websamba.com/greyhats/longnamevuln.htm

Greets to
http-equiv
Micheal Evanchik
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • Microsoft Help ActiveX Control Related Topics Local Content Accessing Vulnerability, Paul <=
Previous by Date:  Re: [Full-Disclosure] FIREFOX flaws: nested array sort() loop Stack overflow exception, Heikki Toivonen
Next by Date:  [Full-Disclosure] Macromedia provided wrong "Solution" in mpsb02-08, Liu Die Yu
Previous by Thread:  Setiri + Invisible browsers != browsers, Haroon Meer
Next by Thread:  [Full-Disclosure] Macromedia provided wrong "Solution" in mpsb02-08, Liu Die Yu
Indexes:  [Date] [Thread] [Top] [All Lists]