RE: [Full-Disclosure] YEY AGAIN Automatic remote compromise of Internet Explorer Service Pack 2 XP SP2

From: Michael Evanchik (mevanchik_at_relationship1.com)
Date: 12/26/04

    To: "Aviv Raff" <avivra@012.net.il>, <full-disclosure@lists.netsys.com>
    Date: Sat, 25 Dec 2004 21:11:20 -0500

    Hi Aviv,

    Not sure what your issue is. This has been tested on many people, and it
    works on everyone. Maybe it's your pop-up blocker? Maybe it's your AVP?

    This exploit is on SecurityFocus and k-otik, as they tested as well. Http
    equiv verified before any post was made to FD.

    In either case we did not code around pop-up blockers nor around known virus
    strings. This PoC is not for blackhat kiddies.

    Mike

    www.michaelevanchik.com

      -----Original Message-----
      From: full-disclosure-bounces@lists.netsys.com
      [mailto:full-disclosure-bounces@lists.netsys.com] On Behalf Of Aviv Raff
      Sent: Saturday, December 25, 2004 7:47 AM
      To: full-disclosure@lists.netsys.com; 'Michael Evanchik'
      Subject: RE: [Full-Disclosure] YEY AGAIN Automatic remote compromise
      of Internet Explorer Service Pack 2 XP SP2

      Hi,

      Somehow the POC does not work on either of my WinXP SP2 Pro boxes.
      Both are fully patched, but one is hardened and the other is a clean
      install.

      After running the POC, IE opens the Help window, but then freezes for
      a couple of minutes.
      After IE stops freezing, there is no Microsoft Office.hta in the startup
      folder.

      And yes, I'm running this on an Administrator account.

      Can anyone else confirm this?

      -- Aviv Raff
      From "Zen and the Art of Why Linux Sucks": "Ahh.. Can you smell the 'open
      source' zealots in the morning?"

    ----------------------------------------------------------------------------

      From: full-disclosure-bounces@lists.netsys.com
      [mailto:full-disclosure-bounces@lists.netsys.com] On Behalf Of Michael
      Evanchik
      Sent: Friday, December 24, 2004 6:11 PM
      To: full-disclosure@lists.netsys.com; bugtraq@securityfocus.com;
      NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM; vuln@vulnwatch.org
      Subject: [Full-Disclosure] YEY AGAIN Automatic remote compromise of
      Internet Explorer Service Pack 2 XP SP2
      http://freehost07.websamba.com/greyhats/sp2rc-analysis.htm
      Microsoft Internet Explorer XP SP2 Fully Automated Remote Compromise
      Dec 21, 2004
      Vulnerable
      ----------
      - Microsoft Internet Explorer 6.0
      - Microsoft Windows XP Pro SP2
      - Microsoft Windows XP Home SP2
      Not Tested
      ------------------------
      - Microsoft Windows 98
      - Microsoft Internet Explorer 5.x
      - Microsoft Windows 2003 Server
      Severity
      ---------
      Critical - Remote code execution, no user intervention
      Proof of Concept?
      ------------------
      - http://freehost07.websamba.com/greyhats/sp2rc.htm
      - If an error is shown, press OK. This is normal.
      - Notice in your startup menu a new file called Microsoft Office.hta. When
        run, this file will download and launch a harmless executable (which
        includes a pretty neat fire animation)
      Michael Evanchik
      Relationship1
      p: 914-921-4400
      f:  914-921-6007
      mailto:mevanchik@relationship1.com
      web: http://www.relationship1.com

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
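The advisory quoted above says the PoC is recognisable by a file named "Microsoft Office.hta" appearing in the Startup folder. As an added example that is not part of the original thread, this PowerShell script enumerates the Startup folders on a Windows host and reports any .hta found there, flagging that exact name; it assumes .NET 4 or later (for the CommonStartup folder lookup) and the Vista-and-later per-profile path layout, and nothing else beyond what the thread states.

```powershell
# Added example (not from the original thread): report .hta files in the
# Windows Startup folders, since the advisory says the PoC drops
# "Microsoft Office.hta" there. Assumes .NET 4+ and Vista-or-later profile
# layout; run elevated to see other users' profiles.

$suspectName = 'Microsoft Office.hta'   # file name quoted in the advisory

# Per-user Startup folder of the account running the script, plus the
# all-users Startup folder shared by every profile on the machine.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)

# Other users' Startup folders: walk the profile root so a drop into an
# account other than the one running the script is not missed (Vista+ path).
$profileRoot = Split-Path -Parent $env:USERPROFILE
$startupDirs += Get-ChildItem -Path $profileRoot -Directory -ErrorAction SilentlyContinue |
    ForEach-Object {
        Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
    }

$findings = foreach ($dir in ($startupDirs | Sort-Object -Unique)) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -Filter '*.hta' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path     = $_.FullName
                Size     = $_.Length
                Written  = $_.LastWriteTime
                # Exact match on the advisory's file name is HIGH; any other
                # .hta in a Startup folder is still worth a manual look.
                Severity = if ($_.Name -ieq $suspectName) { 'HIGH' } else { 'REVIEW' }
                Sha256   = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'No .hta files found in any Startup folder.'
}
```

The SHA-256 column is there so a hit can be compared against a known-good inventory or submitted for analysis; the script only reads, it never deletes.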