Re: HijackClick 3

From: Thor Larholm (tlarholm_at_PIVX.COM)
Date: 07/13/04

  • Next message: Russ Cooper: "MinorRev: Microsoft Security Bulletin MS04-024 - Vulnerability in Windows Shell Could Allow Remote Code Execution (839645)"
    Date:         Tue, 13 Jul 2004 11:04:01 -0700

    > From: Drew Copley
    > In fact, I don't think there has been a bug in about ten
    > months (coincidentally) that does not rely on either Jelmer's
    > adodb bug or your shell.application bug.

    I'm sorry, but did everybody suddenly forget about codeBase command
    execution? Use a non-existant GUID for your OBJECT's classid and point
    the codeBase attribute to the executable you want launched.

    You should know about codeBase, seeing as you posted about it under the
    handle "the Pull" back in 2002.

    Well technically, you also posted about it in 200 and gave proper credit
    to Dildog.

    codeBase has been the basis of most IE exploits before we started using
    AD+ODB or Sh+ell (obfuscation inline to accommodate lame content
    filtering), and GreyMagic repeatedly expanded on it to execute without

    The codeBase attribute allows command execution from the My Computer
    zone and you can mitigate against it by either completely disabling
    ActiveX in that zone or setting it to only allow administrator approved
    ActiveX controls. The latter will solve the functionality regression
    problem that e.g. MMC and Norton Antivirus will have since both of these
    rely on executional privileges given by the My Computer zone. This is
    also the approach we took in Qwik-Fix ( ).

    You can circumvent the initial restrictions on codebase through a series
    of Refresh's.

    > Microsoft can remove the threat from all users right now, today,
    > and issue a fix. We won't see criminals using these things
    > to grab people's money tommorrow. We won't see hundreds of articles
    > critical of their browser. We won't see devious, targetted
    > attacks on bank employees or anyone else.

    Microsoft could blacklist the Sh+ell.App+lication object and still be no
    better off. They could fix codeBase and I am sure we would find new
    vulnerabilities in IE. The problem is the attempt to separate
    executional privileges for mobile code based on its origin, the only
    zones IE should have should be the Internet Zone and Restricted Sites
    zone. Any privileges that you could ever need in the My Computer zone
    can safely be used from an HTML Application by embedding MSHTA instead
    of IEXPLORE.


    Thor Larholm
    Senior Security Researcher
    PivX Solutions
    23 Corporate Plaza #280
    Newport Beach, CA 92660
    Stock symbol: (PIVX.OB)
    Phone: +1 (949) 231-8496
    PGP: 0x4207AEE9
    B5AB D1A4 D4FD 5731 89D6 20CD 5BDB 3D99 4207 AEE9

    PivX defines a new genre in Desktop Security: Proactive Threat

    NTBugtraq Editor's Note:

    Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field.

  • Next message: Russ Cooper: "MinorRev: Microsoft Security Bulletin MS04-024 - Vulnerability in Windows Shell Could Allow Remote Code Execution (839645)"