
List:       ntbugtraq
Subject:    Patched IE still executes code with ADODB patch
From:       David Nowak <dnowak () UDEL ! EDU>
Date:       2004-07-06 22:35:47
Message-ID: 200407062235.i66MZk2S001288 () copland ! udel ! edu

Check out this German site that shows an example of IE loading a command prompt and doing a dir /p, seemingly if the IE Internet zone is set to almost anything less than HIGH.

(I was shown this by a German person and displayed the site using Google's translator.)


This demo starts cmd.exe with the command "dir /p". It could just as well delete files. The demo is a variation of an earlier one, but uses Shell.Application instead of ADODB.Stream.


http://translate.google.com/translate?u=http%3A%2F%2Fwww.heise.de%2Fsecurity%2Fdienste%2Fbrowsercheck%2Fdemos%2Fie%2Fe5_22.shtml&langpair=de%7Cen&hl=en&ie=UTF-8&safe=off&ie=UTF-8&oe=UTF-8&prev=%2Flanguage_tools


Click on "Demo implement" (the machine-translated "Run demo" button).



It appears to still be a major security hole!
==============================================

FROM WEBPAGE:
==============

Demo: Starting programs via Shell.Application

Internet Explorer works with a zone model. Depending on the security zone, scripts have different rights. Due to errors in IE, however, scripts can repeatedly obtain the rights of higher zones by devious means. The most recent exploits mostly used ADODB.Stream to install files from the net. Microsoft prevented this with a configuration change (update). However, security holes remain open through which web pages can attain the rights of the "Local Computer" zone. In this zone, scripts have access to the ActiveX object Shell (Shell.Application).

It is not yet clear whether this makes it possible to install programs without user interaction; crackers, however, always know how to do damage. For example, the ShellExecute method allows any already installed program to be started. Via the command-line interpreter cmd.exe, an attacker could, for example, delete all files.

Demo
This demo starts cmd.exe with the command "dir /p". It could just as well delete files. The demo is a variation of an earlier one, but uses Shell.Application instead of ADODB.Stream.

The demo currently works under Windows XP; for Windows 2000 a path would have to be adapted. If the demo works, a window with a command prompt ("DOS box") appears. If this window does not appear, the demo did not work.

Run demo

Remedy:
So far no patch from Microsoft is known to us. Switching off Active Scripting prevents the exploits from running, but means that many web pages no longer work.

It may be that your anti-virus program detects a virus in the demo and offers to prevent it from running. This kind of protection does not work reliably, however: malicious sites use encoded JavaScript, which many AV programs can no longer recognise as suspicious.

=======================================
David Nowak
CITA III Physics & Astronomy
222 Sharp Lab
Newark, DE  19716

-----
NTBugtraq Editor's Note:

Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field.
-----
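The heise text above says the AV route fails because malicious pages ship the Shell.Application / ADODB.Stream code as encoded JavaScript. As an added example (this is not code from the heise demo or from the post above, and it runs under Node.js rather than in IE), here is a small scanner that normalises script content before matching, so the same payload is flagged whether it is written out plainly or hidden behind %XX escapes, String.fromCharCode and split string literals. The three samples are constructed for the example; the plain one mirrors the ShellExecute("cmd.exe", ...) call the demo describes, with "/k" added as an assumption to keep the window open, and none of them contains the zone-escalation step, which the page does not describe.

```javascript
// Added example, not code from the heise demo or from David Nowak's post.
// Static scanner for HTML/script content that looks for the ActiveX progids
// the thread discusses (Shell.Application, ADODB.Stream), the ShellExecute
// call, and ActiveXObject instantiation. Because the heise text notes that
// malicious pages use encoded JavaScript to evade AV signatures, the scanner
// normalises the content before matching: it decodes %XX, %uXXXX, \xXX and
// \uXXXX escapes, folds String.fromCharCode(...) with numeric arguments back
// into a string literal, and joins "a" + "b" literal concatenations.
// Runs under Node.js; nothing here touches ActiveX or a browser.

const PATTERNS = [
  { name: "Shell.Application", re: /Shell\.Application/i },
  { name: "ADODB.Stream",      re: /ADODB\.Stream/i },
  { name: "ShellExecute",      re: /\.ShellExecute\s*\(/i },
  { name: "ActiveXObject",     re: /new\s+ActiveXObject\s*\(/i },
];

const fromHex = (_, h) => String.fromCharCode(parseInt(h, 16));

// One layer of escape decoding: %uXXXX, %XX, \uXXXX, \xXX.
function decodeEscapes(s) {
  return s
    .replace(/%u([0-9a-f]{4})/gi, fromHex)
    .replace(/%([0-9a-f]{2})/gi, fromHex)
    .replace(/\\u([0-9a-f]{4})/gi, fromHex)
    .replace(/\\x([0-9a-f]{2})/gi, fromHex);
}

// String.fromCharCode(83,104,...) with literal numeric arguments -> "Sh..."
function foldFromCharCode(s) {
  return s.replace(/String\.fromCharCode\s*\(\s*([0-9,\s]+)\)/gi, (_, args) => {
    const codes = args.split(",").map(n => parseInt(n.trim(), 10)).filter(Number.isFinite);
    return JSON.stringify(String.fromCharCode(...codes));
  });
}

// "Shell." + "Appl" -> "Shell.Appl"; repeated until no concatenation is left.
function foldConcat(s) {
  const re = /(["'])((?:\\.|(?!\1)[^\\])*)\1\s*\+\s*(["'])((?:\\.|(?!\3)[^\\])*)\3/g;
  let prev;
  do {
    prev = s;
    s = s.replace(re, (_, q1, a, q2, b) => '"' + a + b + '"');
  } while (s !== prev);
  return s;
}

// Apply the layers repeatedly: one decode may expose another (bounded).
function normalize(content, maxRounds = 5) {
  let s = content;
  for (let i = 0; i < maxRounds; i++) {
    const next = foldConcat(foldFromCharCode(decodeEscapes(s)));
    if (next === s) break;
    s = next;
  }
  return s;
}

// Returns the names of the patterns present after normalisation.
function scan(content) {
  const text = normalize(content);
  return PATTERNS.filter(p => p.re.test(text)).map(p => p.name);
}

// Constructed sample 1 (not the heise demo's source): the plain form of what
// the demo is described as doing once a script runs in the Local Computer
// zone. Argument order is Shell.Application.ShellExecute's
// (file, arguments, directory, verb, show); "/k" keeps the window open and
// is an assumption, the page only says "dir /p".
const PLAIN = `
<script type="text/javascript">
  var sh = new ActiveXObject("Shell.Application");
  sh.ShellExecute("cmd.exe", "/k dir /p", "", "open", 1);
</script>`;

// Constructed sample 2: the same payload hidden the way the heise text warns
// about: progid split across literals and fromCharCode, the call %XX-encoded
// and fed to eval(unescape(...)). A raw substring match sees nothing.
const ENCODED = `
<script type="text/javascript">
  var o = new ActiveXObject("Shell." + "Appl" + String.fromCharCode(105,99,97,116,105,111,110));
  eval(unescape("o%2EShellExecute%28%22cmd%2Eexe%22%2C%22%2Fk%20dir%20%2Fp%22%2C%22%22%2C%22open%22%2C1%29"));
</script>`;

// Constructed sample 3: benign text that merely talks about a shell.
const BENIGN = `<p>Open a shell and run <code>dir /p</code> to page the listing.</p>`;

if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  for (const [label, sample] of [["plain", PLAIN], ["encoded", ENCODED], ["benign", BENIGN]]) {
    console.log(label.padEnd(8), scan(sample).join(", ") || "(nothing flagged)");
  }
}
```

Run it with node to see what each sample triggers: the plain and the encoded sample flag the same three things, the benign one nothing. The normalisation is deliberately lossy (it decodes escapes in URLs and HTML text as well), which is fine for a detector that only has to answer "does this content instantiate one of these objects"; it is not a JavaScript parser, and a page that builds the progid from array joins or charCode arithmetic still gets past it, which is exactly the heise text's point about signature-based AV.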


