RE: [Full-Disclosure] YEY AGAIN Automatic remote compromise of InternetExplorer Service Pack 2 XP SP2
- To: full-disclosure@xxxxxxxxxxxxxxxx, "'Michael Evanchik'" <mevanchik@xxxxxxxxxxxxxxxxx>
- Subject: RE: [Full-Disclosure] YEY AGAIN Automatic remote compromise of InternetExplorer Service Pack 2 XP SP2
- From: Aviv Raff <avivra@xxxxxxxxxx>
- Date: Sat, 25 Dec 2004 14:46:53 +0200
Hi,
Somehow the POC does not work on either of my WinXPSP2 pro boxes.
Both are fully patched, but one is hardened and the other is after a clean
install.
After running the POC, IE opens the Help window, but then freezes for a
couple of minutes.
After IE stops freezing, there is no Microsoft Office.hta in the startup
folder.
And yes, I'm running this on an Administrator account.
Can anyone else confirm this?
-- Aviv Raff
From "Zen and the Art of Why Linux Sucks": "Ahh.. Can you smell the 'open
source' zealots in the morning?".
_____
From: full-disclosure-bounces@xxxxxxxxxxxxxxxx
[mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxx] On Behalf Of Michael
Evanchik
Sent: Friday, December 24, 2004 6:11 PM
To: full-disclosure@xxxxxxxxxxxxxxxx; bugtraq@xxxxxxxxxxxxxxxxx;
NTBUGTRAQ@xxxxxxxxxxxxxxxxxxxxxx; vuln@xxxxxxxxxxxxx
Subject: [Full-Disclosure] YEY AGAIN Automatic remote compromise of
InternetExplorer Service Pack 2 XP SP2
http://freehost07.websamba.com/greyhats/sp2rc-analysis.htm
Microsoft Internet Explorer XP SP2 Fully Automated Remote Compromise
Dec, 21 2004
Vulnerable
----------
- Microsoft Internet Explorer 6.0
- Microsoft Windows XP Pro SP2
- Microsoft Windows XP Home SP2
Not Tested
------------------------
- Microsoft Windows 98
- Microsoft Internet Explorer 5.x
- Microsoft Windows 2003 Server
Severity
---------
Critical - Remote code execution, no user intervention
Proof of Concept?
------------------
- http://freehost07.websamba.com/greyhats/sp2rc.htm
- If an error is shown, press OK. This is normal.
- Notice in your startup menu a new file called Microsoft Office.hta. When
run, this file will download and launch a harmless executable (which
includes a pretty neat fire animation)
Michael Evanchik
Relationship1
p: 914-921-4400
f: 914-921-6007
mailto:mevanchik@xxxxxxxxxxxxxxxxx
web: http://www.relationship1.com