Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Bugtraq: IE 5.x allows executing arbitrary programs using .chm files

IE 5.x allows executing arbitrary programs using .chm files

From: Georgi Guninski <joro_at_NAT.BG>
Date: Wed, 1 Mar 2000 17:32:06 +0200

Georgi Guninski security advisory #8, 2000

IE 5.x allows executing arbitrary programs using .chm files

Disclaimer:
The opinions expressed in this advisory and program are my own and not
of any company.
The usual standard disclaimer applies, especially the fact that Georgi
Guninski is not liable for any damages caused by direct or indirect use
of the information or functionality provided by this program.
Georgi Guninski, bears NO responsibility for content or misuse of this
program or any derivatives thereof.

Description:
There is a vulnerability in IE 5.x for Win95/WinNT (probably others)
which allows executing arbitrary programs using .chm files. Microsoft
Networking must be installed.

Details:
The problem is the window.showHelp() method which opens .chm files. IE
disallows opening .chm files with the http protocol, but allows opening
if the .chm file resides on MS networking server or a local drive.
In this case the .chm file is opened even if it is on a remote host. In
turn .chm files may execute arbitrary programs using the "shortcut"
command.

Demonstration which starts Wordpad: http://www.nat.bg/~joro/chm3.html

Workaround: Disable Active Scripting.

Copyright Georgi Guninski

Regards,
Georgi Guninski
http://www.nat.bg/~joro
Received on Mar 01 2000

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos