Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

fulldisclosure logo Full Disclosure mailing list archives

Re: Windows .ANI LoadAniIcon Stack Overflow
From: Alexander Sotirov <asotirov () determina com>
Date: Mon, 02 Apr 2007 19:13:45 -0700
George Ou wrote:

The exploited instance of IE7 probably spawns cmd.exe with the same
privilege levels as IE7 in Protected Mode, which means you don't have
read/write access to the user or system files.  It's still bad because you
probably get to harvest all of the saved username/passwords in the browser
and capture all input/output from that IE session.

Now in the case of an exploited Firefox 2, you have full read/write
permissions to all of the user files which means you get to steal all the
user files and/or encrypt them for ransom.


Protected Mode only blocks write access. IE can write only to a few locations on
the system, but it still has full read access to all files readable by the user.

See http://msdn.microsoft.com/library/en-us/IETechCol/dnwebgen/ProtectedMode.asp
and slides 41-53 in
http://download.microsoft.com/download/0/1/3/01381C25-72DA-4AA9-B792-43E02A243C71/SEC403_Riley.ppt

Alex

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]