[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Full-Disclosure] YEY AGAIN Automatic remote compromiseofInternetExplorer Service Pack 2 XP SP2

To: <full-disclosure@xxxxxxxxxxxxxxxx>
Subject: RE: [Full-Disclosure] YEY AGAIN Automatic remote compromiseofInternetExplorer Service Pack 2 XP SP2
From: "Ron Jackson" <Ronald_Jackson@xxxxxxxxxxx>
Date: Sun, 26 Dec 2004 11:14:19 -0500

Hmm,

   Popped up a help window with a few lines of text in it.but that was it.
No files in startup.  Winxpsp2 fully patched, Sygate personal firewall,
Adaware SE professional.

 

  _____  

From: full-disclosure-bounces@xxxxxxxxxxxxxxxx
[mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxx] On Behalf Of Michael
Evanchik
Sent: Sunday, December 26, 2004 12:07 AM
To: Aviv Raff; full-disclosure@xxxxxxxxxxxxxxxx
Subject: RE: [Full-Disclosure] YEY AGAIN Automatic remote
compromiseofInternetExplorer Service Pack 2 XP SP2

 

try www.michaelevanchik.com/security/microsoft/ie/xss/index.html

 

might be a little more reliable PoC

 

1) new not known by AVP codes

2) uses all start up menue languages

 

 

 

 

 

 

 

 

-----Original Message-----
From: Michael Evanchik [mailto:mevanchik@xxxxxxxxxxxxxxxxx]
Sent: Saturday, December 25, 2004 9:11 PM
To: Aviv Raff; full-disclosure@xxxxxxxxxxxxxxxx
Subject: RE: [Full-Disclosure] YEY AGAIN Automatic remote compromise
ofInternetExplorer Service Pack 2 XP SP2

Hi Aviv,

 

Not sure what your issue is.  This has been tested on many people, and it
works on everyone.  Maybe its your pop up blocker?  Maybe its your AVP?  

 

This exploit is on Securityfocus and k-otik as they tested as well.  Http
equiv verified before any post was made to FD.

 

In either case we did not code around pop up blockers nor around known virus
strings.  This PoC is not for blackhats kiddies.

 

Mike

 

 

www.michaelevanchik.com

 

-----Original Message-----
From: full-disclosure-bounces@xxxxxxxxxxxxxxxx
[mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxx]On Behalf Of Aviv Raff
Sent: Saturday, December 25, 2004 7:47 AM
To: full-disclosure@xxxxxxxxxxxxxxxx; 'Michael Evanchik'
Subject: RE: [Full-Disclosure] YEY AGAIN Automatic remote compromise
ofInternetExplorer Service Pack 2 XP SP2

Hi,

 

Somehow the POC does not work on both of my WinXPSP2 pro boxes.

Both are fully patched, but one is hardened and the other is after a clean
install.

 

After running the POC, the IE opens the Help window, but then freezes for a
couple of minutes. 

After IE stops freezing, there is no Microsoft Office.hta on the startup
folder.

 

And yes, I'm running this on an Administrator account.

 

Can anyone else confirm this?

 

-- Aviv Raff
>From "Zen and the Art of Why Linux Sucks": "Ahh.. Can you smell the 'open
source' zealots in the morning?".

 

 

 


  _____  


From: full-disclosure-bounces@xxxxxxxxxxxxxxxx
[mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxx] On Behalf Of Michael
Evanchik
Sent: Friday, December 24, 2004 6:11 PM
To: full-disclosure@xxxxxxxxxxxxxxxx; bugtraq@xxxxxxxxxxxxxxxxx;
NTBUGTRAQ@xxxxxxxxxxxxxxxxxxxxxx; vuln@xxxxxxxxxxxxx
Subject: [Full-Disclosure] YEY AGAIN Automatic remote compromise of
InternetExplorer Service Pack 2 XP SP2

 

http://freehost07.websamba.com/greyhats/sp2rc-analysis.htm

 

 

Microsoft Internet Explorer XP SP2 Fully Automated Remote Compromise

Dec, 21 2004

Vulnerable
----------
- Microsoft Internet Explorer 6.0
- Microsoft Windows XP Pro SP2
- Microsoft Windows XP Home SP2

Not Tested
------------------------
- Microsoft Windows 98
- Microsoft Internet Explorer 5.x
- Microsoft Windows 2003 Server

 

Severity
---------
Critical - Remote code execution, no user intervention

Proof of Concept?
------------------
- http://freehost07.websamba.com/greyhats/sp2rc.htm

- If an error is shown, press OK. This is normal.

- Notice in your startup menu a new file called Microsoft Office.hta. When
run, this file will download and launch a harmless executable (which
includes a pretty neat fire animation) 

 

 

 

Michael Evanchik

Relationship1

p: 914-921-4400

f:  914-921-6007

mailto:mevanchik@xxxxxxxxxxxxxxxxx

web: http://www.relationship1.com

 

 


############################################################################
#########
This Mail Was Scanned by 012.net Anti Virus Service - Powered by TrendMicro
Interscan

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Follow-Ups:
- RE: [Full-Disclosure] YEY AGAIN Automatic remotecompromiseofInternetExplorer Service Pack 2 XP SP2
  - From: Michael Evanchik

Prev by Date: [Full-Disclosure] Animated Cursor Blue Screen?
Next by Date: [Full-Disclosure] WinHKI BH File Incorrect Filename Handeling Leads to 100 CPU%
Previous by thread: [Full-Disclosure] [ GLSA 200501-07 ] xine-lib: Multiple overflows
Next by thread: RE: [Full-Disclosure] YEY AGAIN Automatic remotecompromiseofInternetExplorer Service Pack 2 XP SP2
Index(es):
- Date
- Thread