[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Full-Disclosure] Re: IE Shell URI Download and Execute, POC

To: "Ferruh Mavituna" <ferruh@xxxxxxxxxxxx>, "L33tPrincess" <l33tprincess@xxxxxxxxx>, <bugtraq@xxxxxxxxxxxxxxxxx>, <full-disclosure@xxxxxxxxxxxxxxxx>
Subject: RE: [Full-Disclosure] Re: IE Shell URI Download and Execute, POC
From: "Drew Copley" <dcopley@xxxxxxxx>
Date: Wed, 14 Jul 2004 12:30:55 -0700

 

> -----Original Message-----
> From: Ferruh Mavituna [mailto:ferruh@xxxxxxxxxxxx] 
> Sent: Wednesday, July 14, 2004 7:52 AM
> To: 'L33tPrincess'; bugtraq@xxxxxxxxxxxxxxxxx; 
> full-disclosure@xxxxxxxxxxxxxxxx
> Subject: RE: [Full-Disclosure] Re: IE Shell URI Download and 
> Execute, POC
> 
> > Is the vulnerability mitigated by
> > today's Microsoft patch?
> 
> Both of POCs are working well (at least in my system -W2K3 
> all patches-)
> after recent MS patches.
> 
> Can anyone confirm this ?

I can not. Wscript was deactivated with Guninski's WSH bug
a long time ago. I just tested running wscript in the My
Computer zone. It prompts as an unsafe activex.

However, Microsoft needs to get on the ball here and secure
that zone or make it trivial for their customers to do so. (Kudos
for their link on their security page, but that kind of
thing is targetted to IT professionals -- not to the masses...
and they can figure that out by themselves already.)

I also noticed the shell: path url does work as a source in
an iframe.




> 
> 
> Ferruh.Mavituna
> http://ferruh.mavituna.com
> PGPKey : http://ferruh.mavituna.com/PGPKey.asc
> 
> > -----Original Message-----
> > From: full-disclosure-admin@xxxxxxxxxxxxxxxx 
> [mailto:full-disclosure-
> > admin@xxxxxxxxxxxxxxxx] On Behalf Of L33tPrincess
> > Sent: Wednesday, July 14, 2004 5:34 AM
> > To: bugtraq@xxxxxxxxxxxxxxxxx; full-disclosure@xxxxxxxxxxxxxxxx
> > Subject: [Full-Disclosure] Re: IE Shell URI Download and 
> Execute, POC
> > 
> > Ferruh,
> > Is this a new variant (wscript.shell)?  Is the 
> vulnerability mitigated by
> > today's Microsoft patch?
> > 
> > 
> > 
> > Hello;
> > 
> > Code is based on 
> http://www.securityfocus.com/archive/1/367878 (POC by
> > Jelmer) message. I just added a new feature "download" and 
> then execute
> > application. Also I use Wscript.Shell in Javascript instead of
> > Shell.Application.
> > 
> > ________________________________
> > 
> > Do you Yahoo!?
> > New and Improved Yahoo! Mail
> > 
> <http://us.rd.yahoo.com/mail_us/taglines/100/*http://promotion
> s.yahoo.com/
> > new_mail/static/efficiency.html>  - 100MB free storage!
> 
> 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Prev by Date: [Full-Disclosure] RE: Unchecked buffer in mstask.dll
Next by Date: RE: [Full-Disclosure] Re: IE Shell URI Download and Execute, POC
Previous by thread: RE: [Full-Disclosure] Re: IE Shell URI Download and Execute, POC
Next by thread: RE: [Full-Disclosure] Re: IE Shell URI Download and Execute, POC
Index(es):
- Date
- Thread