Full Disclosure: RE: YEY AGAIN Automatic remote compromise of InternetExplorer Service Pack 2 XP SP2

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Full Disclosure mailing list archives

RE: YEY AGAIN Automatic remote compromise of InternetExplorer Service Pack 2 XP SP2

From: Aviv Raff <avivra () 012 net il>
Date: Sat, 25 Dec 2004 14:46:53 +0200

Hi,
 
Somehow the POC does not work on both of my WinXPSP2 pro boxes.
Both are fully patched, but one is hardened and the other is after a clean
install.
 
After running the POC, the IE opens the Help window, but then freezes for a
couple of minutes. 
After IE stops freezing, there is no Microsoft Office.hta on the startup
folder.
 
And yes, I'm running this on an Administrator account.
 
Can anyone else confirm this?
 
-- Aviv Raff

From "Zen and the Art of Why Linux Sucks": "Ahh.. Can you smell the 'open

source' zealots in the morning?".
 
 


  _____  

From: full-disclosure-bounces () lists netsys com
[mailto:full-disclosure-bounces () lists netsys com] On Behalf Of Michael
Evanchik
Sent: Friday, December 24, 2004 6:11 PM
To: full-disclosure () lists netsys com; bugtraq () securityfocus com;
NTBUGTRAQ () LISTSERV NTBUGTRAQ COM; vuln () vulnwatch org
Subject: [Full-disclosure] YEY AGAIN Automatic remote compromise of
InternetExplorer Service Pack 2 XP SP2



http://freehost07.websamba.com/greyhats/sp2rc-analysis.htm

Microsoft Internet Explorer XP SP2 Fully Automated Remote Compromise

Dec, 21 2004

Vulnerable
----------
- Microsoft Internet Explorer 6.0
- Microsoft Windows XP Pro SP2
- Microsoft Windows XP Home SP2

Not Tested
------------------------
- Microsoft Windows 98
- Microsoft Internet Explorer 5.x
- Microsoft Windows 2003 Server

Severity
---------
Critical - Remote code execution, no user intervention

Proof of Concept?
------------------
- http://freehost07.websamba.com/greyhats/sp2rc.htm

- If an error is shown, press OK. This is normal.

- Notice in your startup menu a new file called Microsoft Office.hta. When
run, this file will download and launch a harmless executable (which
includes a pretty neat fire animation) 

 

Michael Evanchik

Relationship1

p: 914-921-4400

f:  914-921-6007

mailto:mevanchik () relationship1 com

web: http://www.relationship1.com

 

 

############################################################################
#########
This Mail Was Scanned by 012.net Anti Virus Service - Powered by TrendMicro
Interscan

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

By Date By Thread

Current thread:

YEY AGAIN Automatic remote compromise of Internet Explorer Service Pack 2 XP SP2 Michael Evanchik (Dec 24)
- RE: YEY AGAIN Automatic remote compromise of InternetExplorer Service Pack 2 XP SP2 Aviv Raff (Dec 25)
  - RE: YEY AGAIN Automatic remote compromise ofInternetExplorer Service Pack 2 XP SP2 Michael Evanchik (Dec 28)
- Re: YEY AGAIN Automatic remote compromise of InternetExplorer Service Pack 2 XP SP2 morning_wood (Dec 27)