
ieBad.txt

Date: 31 Mar 2004
Reported by: malware.com
Type: packetstorm
Source: packetstormsecurity.com

Internet Explorer bug allows remote compromise via webpages, remains unpatched for six weeks.

Code
`  
  
Wednesday, March 31, 2004  
  
This is somewhat disconcerting. Reference the recently disclosed   
Internet Explorer 'bug' presently in the wild [original   
discussion: http://www.securityfocus.com/archive/1/358813 with   
additional input buried thereunder in subsequent threads]   
allowing for complete remote compromise of the client machine   
without any user interaction other than viewing a webpage,   
through yet again, the Microsoft Internet Explorer browser.   
  
A lot of 'chatter' or very bold claims 'having been the first to   
see this and analyse it' seem to have appeared recently that   
would make this particular bug well known for at least 6 weeks   
now. We must assume that these claimants had immediately   
notified the manufacturer of this particular device that allows   
for all of this immediately back then. Accordingly 6 weeks have   
transpired and to date all users of this particular merchant's   
product remain vulnerable.  
  
It still remains "unpatched".   
  
Perhaps to speed things up, the introduction of the Outlook   
Express email client from the same merchant might be necessary:  
  
Commence:  
  
Outlook Express number 6 has fairly stringent security settings   
in default mode, most notably setting all actions in the   
so-called 'restricted zone'. This disallows such things as frames,   
scripting, objects etc.   
  
However it does allow for one interesting piece of html  
  
Forms:  
  
<A  
href="http://www.microsoft.com">  
<FORM action=http://www.malware.com/t-bill.html method=get>  
<INPUT style="BORDER-RIGHT: 0pt;  
BORDER-TOP: 0pt; FONT-SIZE: 10pt; BORDER-LEFT: 0pt; CURSOR:   
hand; COLOR:  
blue; BORDER-BOTTOM: 0pt; BACKGROUND-COLOR: transparent;  
TEXT-DECORATION: underline" type=submit   
value=http://www.microsoft.com>  
</A>  
  
What is of particular interest is that if we encase our html   
form with a run-of-the-mill 'link', we are able to spoof in our   
status bar our true destination:  
  
[screen shot: http://www.malware.com/not-good.png 24KB]  
  
as well as re-style our form to suit our needs.  
  
What we then do is construct our original functional demo to:  
  
a) redirect immediately on loading to the 'suggested' address;   
that is http://www.microsoft.com  
b) at that instance [prior], drop our malware.exe into our   
startup folder for execution the next day  
  
while the recipient is blissfully unaware viewing the site as   
indicated.  
  
Fully Functional Harmless Demo:  
  
http://www.malware.com/not-so-good.zip  
  
note: regardless of where this is viewed, it is governed by   
the 'restricted zone' at all times  
  
In this particular demo, we drop malware.exe into C:. Trivial   
tweaking via shell or full path places it wherever we like. This   
fully functional demo is heavily diluted. Practical   
implementation requires minor modifications on the   
transmitting client side. This demo will be flagged by AV suites   
owing to past usage and recognisable code.  
  
  
End Call  
  
  
--   
http://www.malware.com  
  
  
  
`
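A mail or web filter can flag the pattern described above (a form wrapped in an ordinary link, with the submit button restyled as link text) before a client renders it. The following is an added example, not part of the original advisory; the names `host`, `FormInLinkDetector` and `scan` and the two heuristics are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

def host(url):
    """Lower-cased hostname of a URL, or '' if there is none."""
    return (urlparse(url or "").hostname or "").lower()

class FormInLinkDetector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links = []        # href of every <a> currently open
        self.action = None     # action of the most recent <form>
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)        # HTMLParser lower-cases tag and attribute names
        if tag == "a":
            self.links.append(a.get("href"))
        elif tag == "form":
            self.action = a.get("action")
            if self.links:     # form wrapped in a link: status bar shows the href
                shown, real = host(self.links[-1]), host(self.action)
                self.findings.append(("form-inside-link", shown, real))
        elif tag == "input" and (a.get("type") or "").lower() == "submit":
            style = "".join((a.get("style") or "").lower().split())
            label, real = host(a.get("value")), host(self.action)
            # button restyled as a hyperlink, or labelled with another host's URL
            if "text-decoration:underline" in style or (label and label != real):
                self.findings.append(("submit-looks-like-link", label, real))

    def handle_endtag(self, tag):
        if tag == "a" and self.links:
            self.links.pop()
        elif tag == "form":
            self.action = None

def scan(html):
    """Return a list of (rule, displayed_host, submit_host) findings."""
    d = FormInLinkDetector()
    d.feed(html)
    d.close()
    return d.findings

# Constructed samples: the first condenses the markup quoted in the advisory.
SPOOF = ('<A href="http://www.microsoft.com">'
         '<FORM action=http://www.malware.com/t-bill.html method=get>'
         '<INPUT style="COLOR: blue; TEXT-DECORATION: underline" type=submit '
         'value=http://www.microsoft.com></A>')
BENIGN = '<form action="https://example.org/s"><input type="submit" value="Go"></form>'
```

A finding whose displayed host differs from the submit host is the status-bar mismatch the advisory describes; a message with either finding is a candidate for quarantine or for rendering as plain text.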
