Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

RE: YEY AGAIN Automatic remotecompromiseofInternetExplorer Service Pack 2 XP SP2
From: "Michael Evanchik" <mevanchik () relationship1 com>
Date: Mon, 27 Dec 2004 11:57:24 -0500

works on around 30 people i know so far.  Some it doesnt,  You have to be
admin, also view the source code you have to have the local html file in
c:\windows\pchealth\helpctr\  ect   specified

Another could have been used
  -----Original Message-----
  From: full-disclosure-bounces () lists netsys com
[mailto:full-disclosure-bounces () lists netsys com]On Behalf Of Ron Jackson
  Sent: Sunday, December 26, 2004 11:14 AM
  To: full-disclosure () lists netsys com
  Subject: RE: [Full-disclosure] YEY AGAIN Automatic
remotecompromiseofInternetExplorer Service Pack 2 XP SP2


  Hmm,

     Popped up a help window with a few lines of text in it.but that was it.
No files in startup.  Winxpsp2 fully patched, Sygate personal firewall,
Adaware SE professional.




----------------------------------------------------------------------------
--

  From: full-disclosure-bounces () lists netsys com
[mailto:full-disclosure-bounces () lists netsys com] On Behalf Of Michael
Evanchik
  Sent: Sunday, December 26, 2004 12:07 AM
  To: Aviv Raff; full-disclosure () lists netsys com
  Subject: RE: [Full-disclosure] YEY AGAIN Automatic remote
compromiseofInternetExplorer Service Pack 2 XP SP2



  try www.michaelevanchik.com/security/microsoft/ie/xss/index.html



  might be a little more reliable PoC



  1) new not known by AVP codes

  2) uses all start up menue languages

















    -----Original Message-----
    From: Michael Evanchik [mailto:mevanchik () relationship1 com]
    Sent: Saturday, December 25, 2004 9:11 PM
    To: Aviv Raff; full-disclosure () lists netsys com
    Subject: RE: [Full-disclosure] YEY AGAIN Automatic remote compromise
ofInternetExplorer Service Pack 2 XP SP2

    Hi Aviv,



    Not sure what your issue is.  This has been tested on many people, and
it works on everyone.  Maybe its your pop up blocker?  Maybe its your AVP?



    This exploit is on Securityfocus and k-otik as they tested as well.
Http equiv verified before any post was made to FD.



    In either case we did not code around pop up blockers nor around known
virus strings.  This PoC is not for blackhats kiddies.



    Mike





    www.michaelevanchik.com



      -----Original Message-----
      From: full-disclosure-bounces () lists netsys com
[mailto:full-disclosure-bounces () lists netsys com]On Behalf Of Aviv Raff
      Sent: Saturday, December 25, 2004 7:47 AM
      To: full-disclosure () lists netsys com; 'Michael Evanchik'
      Subject: RE: [Full-disclosure] YEY AGAIN Automatic remote compromise
ofInternetExplorer Service Pack 2 XP SP2

      Hi,



      Somehow the POC does not work on both of my WinXPSP2 pro boxes.

      Both are fully patched, but one is hardened and the other is after a
clean install.



      After running the POC, the IE opens the Help window, but then freezes
for a couple of minutes.

      After IE stops freezing, there is no Microsoft Office.hta on the
startup folder.



      And yes, I'm running this on an Administrator account.



      Can anyone else confirm this?



      -- Aviv Raff
      >From "Zen and the Art of Why Linux Sucks": "Ahh.. Can you smell the
'open source' zealots in the morning?".








--------------------------------------------------------------------------

      From: full-disclosure-bounces () lists netsys com
[mailto:full-disclosure-bounces () lists netsys com] On Behalf Of Michael
Evanchik
      Sent: Friday, December 24, 2004 6:11 PM
      To: full-disclosure () lists netsys com; bugtraq () securityfocus com;
NTBUGTRAQ () LISTSERV NTBUGTRAQ COM; vuln () vulnwatch org
      Subject: [Full-disclosure] YEY AGAIN Automatic remote compromise of
InternetExplorer Service Pack 2 XP SP2



      http://freehost07.websamba.com/greyhats/sp2rc-analysis.htm





      Microsoft Internet Explorer XP SP2 Fully Automated Remote Compromise

      Dec, 21 2004

      Vulnerable
      ----------
      - Microsoft Internet Explorer 6.0
      - Microsoft Windows XP Pro SP2
      - Microsoft Windows XP Home SP2

      Not Tested
      ------------------------
      - Microsoft Windows 98
      - Microsoft Internet Explorer 5.x
      - Microsoft Windows 2003 Server



      Severity
      ---------
      Critical - Remote code execution, no user intervention

      Proof of Concept?
      ------------------
      - http://freehost07.websamba.com/greyhats/sp2rc.htm

      - If an error is shown, press OK. This is normal.

      - Notice in your startup menu a new file called Microsoft Office.hta.
When run, this file will download and launch a harmless executable (which
includes a pretty neat fire animation)







      Michael Evanchik

      Relationship1

      p: 914-921-4400

      f:  914-921-6007

      mailto:mevanchik () relationship1 com

      web: http://www.relationship1.com






############################################################################
#########
            This Mail Was Scanned by 012.net Anti Virus Service - Powered by
TrendMicro Interscan



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]