Full Disclosure mailing list archives

Re: What about M$ in the shell: race
From: daniel uriah clemens <daniel_clemens () autism birmingham-infragard org>
Date: Fri, 9 Jul 2004 11:33:49 +0000 (GMT)



Josh,

This is in no way a shaming email, but hopefully a playful question, in hopes
of finding out what might be miscommunicated to a reader on multiple security
mailing lists.

snip from your website>

I think the research over the past couple days proves that M$ just isn't
cutting it these days with their security response to vulnerabilities.
Wasn't it just the other day when Bill Gates said that they have 1000s of
consultants ready to patch systems, and it STILL takes them weeks to patch
a simple hole? I understand that M$ has to deal with the underlying OS, but
with that many people shouldn't they turn patches out a little faster?
I mean, come on.. I worked with the Mozilla guys and was REALLY impressed
with the turn-around on the patch. It wasn't real elaborate to correct
the issue, but it was done in a matter of hours.

The shell: issue is all over Full-disclosure and slashdot but I have yet
to see a public response from M$ on the issue.

I hope this helps Mozilla gain some market share, because it's where
browsing and security models should move in the future, in my opinion.

----------end Rant---------------

M$ IE6 shell: vuln tested on fully patched XP SP1 box in VMware lab

shell:windows\system32\calc.exe
shell:windows\system32\cmd.exe
shell:windows\system32\winver.exe
shell:windows\system32\accwiz.exe

shell:windows\system32\narrator.exe <- This is my favorite one :) This
will freak someone out when the PC talks to them.

I guess the good side to this is that IE asks the user to open / save the
file when it is clicked from an anchor, but not when using the shell: command.
test <- this calls cmd.exe using an anchor tag



I understand the disclosure process, but what can you do if they don't
respond? This isn't a canned script kiddie exploit, it's research. And that
should be available to anyone that is interested.

--------------

I got 99 problems but Mozilla isn't one :)

unsnip....

What research did you perform to find this hole, or did you simply repeat
what 'liu die yu' posted to full disclosure earlier this week?

http://umbrella.name/originalvuln/mozilla/ShellNethood/mozilla_shellnethood_rc.txt

Just for clarification's sake, did you find this vulnerability through
extensive research, or did you repost someone else's vulnerability to every
mailing list in the world and then post that the media picked up on it
also?


If it was research, what methodical approach did you take to
find this vulnerability, so we can all share in the fun of bug-tracking? Or
was this research in the stance that you are evaluating the existence of a
current bug already disclosed, within your lab?

What it sounds like you have been saying the past few days is simply:
'this bug exists, I confirmed it exists, and I have repeated the work of
another, and this bug is fairly huge', but I can see how others could
misinterpret this to say that you were the original bug-tracker.


snip>
I understand the disclosure process, but what can you do if they don't
respond? This isn't a canned script kiddie exploit, it's research. And that
should be available to anyone that is interested.
snip>

I am just trying to clarify whether or not you said this was research on
your part to discover the bug, OR simply a test for the bug's existence
based on what was posted by Liu Die Yu earlier this week.

http://www.packetfocus.com/shell_exploit.htm

IE will execute the shell: command locally, but prompts the user to open /
save the file if used with an anchor.
But what if this was used with another IE exploit that may not have system
privs but ran shell: locally?

Wouldn't that have system privs then, or would that run under the browser?

Interesting so far.

Hopefully this will help the effort to promote open source standards to move
away from the M$ web monopoly.
Until then I will just use BBSs -- hehehehehehe

Anyone up for a good game of Tradewars ;)

Once again, I am merely trying to clarify a lot of what you have been
posting the last few days.

Thanks,
-Daniel Uriah Clemens
Esse quam videri
                (to be, rather than to appear)
                     -Moments of Sorrow are Moments of Sobriety
                      { o)2059686335             c)2055676850 }
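Neither the message above nor the quoted site carries any code beyond the bare shell: URIs. As an added example (not from the original post or from either author), here is the kind of content check a filtering proxy or mail gateway could run for the behaviour the thread describes: it flags shell: references in anchor and frame/image attributes as well as in script string literals, and it normalises the value first so that upper-case schemes, surrounding or embedded whitespace, and HTML entity encoding (all classic ways to slip a scheme past a naive substring match) are still caught. The sample page, the attribute list and the hypothetical hostnames are constructed for this example.

```python
import html
import re
from typing import List, Tuple

SCHEME = "shell:"

# Constructed sample page (not from the original post): a plain anchor, a
# case/whitespace-obfuscated scheme, an entity-encoded scheme in an IFRAME,
# a script-driven navigation, and two benign references that must not fire.
SAMPLE_HTML = """
<html><body>
<a href="shell:windows\\system32\\calc.exe">test</a>
<a href=" SHELL:windows\\system32\\cmd.exe ">obfuscated</a>
<iframe src="&#115;hell:windows\\system32\\narrator.exe"></iframe>
<img src="http://example.invalid/logo.png">
<script>location.href = "shell:windows\\system32\\winver.exe";</script>
<a href="mailto:someone@example.invalid">benign</a>
</body></html>
"""

# Attributes that a browser will treat as a navigable/loadable URL (assumed
# list for this example; extend as needed for the markup you actually see).
ATTR_RE = re.compile(
    r"""(?is)\b(href|src|data|action|background|codebase)\s*=\s*"""
    r"""(?:"([^"]*)"|'([^']*)'|([^\s>]+))"""
)
SCRIPT_RE = re.compile(r"(?is)<script\b[^>]*>(.*?)</script>")
STR_RE = re.compile(r"""(["'])(.*?)\1""")


def normalize_url(raw: str) -> str:
    """Decode HTML entities, drop the whitespace/control characters that old
    browsers ignored inside a URL, and lower-case the result."""
    decoded = html.unescape(raw)
    cleaned = re.sub(r"[\t\r\n\x00]", "", decoded).strip()
    return cleaned.lower()


def is_shell_uri(raw: str) -> bool:
    """True if the (normalised) value uses the shell: scheme."""
    return normalize_url(raw).startswith(SCHEME)


def find_shell_uris(page: str) -> List[Tuple[str, str]]:
    """Return (where, normalised_uri) for every shell: reference in the page.

    'where' is the attribute name for markup hits, or 'script' for string
    literals found inside <script> blocks. Script bodies are removed before
    the attribute scan so a `location.href = "..."` assignment is reported
    once, under 'script', rather than twice.
    """
    hits: List[Tuple[str, str]] = []

    markup_only = SCRIPT_RE.sub("", page)
    for m in ATTR_RE.finditer(markup_only):
        attr = m.group(1).lower()
        value = next(g for g in m.groups()[1:] if g is not None)
        if is_shell_uri(value):
            hits.append((attr, normalize_url(value)))

    for block in SCRIPT_RE.finditer(page):
        for lit in STR_RE.finditer(block.group(1)):
            if is_shell_uri(lit.group(2)):
                hits.append(("script", normalize_url(lit.group(2))))

    return hits


if __name__ == "__main__":
    for where, uri in find_shell_uris(SAMPLE_HTML):
        print(f"{where:8s} {uri}")
```

The check is deliberately scheme-based rather than path-based: the URIs quoted in the thread all point under windows\system32, but the scheme is what hands the target to the OS, so matching on the scheme catches variants that use other paths. A blocklist on the scheme is the same approach Mozilla took in its fix, which is why the post praises the turn-around; it is cheap to apply at a gateway too.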



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

