Re: HijackClick 3
From: Thor Larholm (tlarholm_at_PIVX.COM)
Date: Tue, 13 Jul 2004 11:04:01 -0700
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
> From: Drew Copley
> In fact, I don't think there has been a bug in about ten
> months (coincidentally) that does not rely on either Jelmer's
> adodb bug or your shell.application bug.
I'm sorry, but did everybody suddenly forget about codeBase command
execution? Use a non-existent GUID for your OBJECT's classid and point
the codeBase attribute to the executable you want launched.
You should know about codeBase, seeing as you posted about it under the
handle "the Pull" back in 2002.
Well technically, you also posted about it in 200 and gave proper credit
codeBase has been the basis of most IE exploits before we started using
AD+ODB or Sh+ell (obfuscation inline to accommodate lame content
filtering), and GreyMagic repeatedly expanded on it to execute without
The codeBase attribute allows command execution from the My Computer
zone and you can mitigate against it by either completely disabling
ActiveX in that zone or setting it to only allow administrator approved
ActiveX controls. The latter will solve the functionality regression
problem that e.g. MMC and Norton Antivirus will have since both of these
rely on executional privileges given by the My Computer zone. This is
also the approach we took in Qwik-Fix ( http://qwik-fix.net/ ).
You can circumvent the initial restrictions on codebase through a series
> Microsoft can remove the threat from all users right now, today,
> and issue a fix. We won't see criminals using these things
> to grab people's money tomorrow. We won't see hundreds of articles
> critical of their browser. We won't see devious, targeted
> attacks on bank employees or anyone else.
Microsoft could blacklist the Sh+ell.App+lication object and still be no
better off. They could fix codeBase and I am sure we would find new
vulnerabilities in IE. The problem is the attempt to separate
executional privileges for mobile code based on its origin, the only
zones IE should have should be the Internet Zone and Restricted Sites
zone. Any privileges that you could ever need in the My Computer zone
can safely be used from an HTML Application by embedding MSHTA instead
Senior Security Researcher
23 Corporate Plaza #280
Newport Beach, CA 92660
Stock symbol: (PIVX.OB)
Phone: +1 (949) 231-8496
B5AB D1A4 D4FD 5731 89D6 20CD 5BDB 3D99 4207 AEE9
PivX defines a new genre in Desktop Security: Proactive Threat
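The mitigation Thor describes (deny, or restrict to administrator-approved controls, the "Run ActiveX controls and plug-ins" action of the My Computer zone) is set through the URL security zone registry layout. The following PowerShell audit/hardening script is an added example and is not code from the post or from Qwik-Fix. It assumes the documented zone layout (zone 0 is My Computer, URL action 1200 is "Run ActiveX controls and plug-ins", policy values 0 = Enable, 1 = Prompt, 3 = Disable, 0x10000 = Administrator approved) and edits only the current user's hive; a machine policy under HKLM, or the "Security_HKLM_only" setting, would take precedence and is not handled here.

```powershell
# Added example, not part of the original post.
# Audit and harden the "Run ActiveX controls and plug-ins" action (1200)
# of the My Computer zone (zone 0) for the current user.
#
# Assumed registry layout (standard URL security zone settings):
#   HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
#   value "1200" (DWORD): 0 = Enable, 1 = Prompt, 3 = Disable,
#                         65536 (0x10000) = Administrator approved
# Caveat: Group Policy settings under HKLM override these per-user values.

$script:ZoneKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0'
$script:ActionId = '1200'
$script:PolicyNames = @{
    0     = 'Enable'
    1     = 'Prompt'
    3     = 'Disable'
    65536 = 'Administrator approved'
}

function Get-MyComputerZoneActiveXPolicy {
    # Returns the current policy and whether it still lets codeBase launch
    # arbitrary executables (anything other than Disable or Administrator approved).
    $item = Get-ItemProperty -Path $script:ZoneKey -Name $script:ActionId -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # No explicit value: the zone's built-in default applies, which for
        # My Computer is Enable, so treat it as weak.
        return [pscustomobject]@{ Value = $null; Policy = 'Not set (defaults to Enable)'; Weak = $true }
    }
    $value = [int]$item.$script:ActionId
    $name  = if ($script:PolicyNames.ContainsKey($value)) { $script:PolicyNames[$value] } else { "Unknown ($value)" }
    [pscustomobject]@{
        Value  = $value
        Policy = $name
        Weak   = ($value -ne 3 -and $value -ne 65536)
    }
}

function Set-MyComputerZoneActiveXPolicy {
    # -Disable: no ActiveX at all in My Computer (breaks tools that rely on it,
    #           e.g. the MMC/Norton case mentioned in the post).
    # default : Administrator approved only, which keeps those tools working.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([switch]$Disable)

    $target = if ($Disable) { 3 } else { 65536 }
    if (-not (Test-Path $script:ZoneKey)) {
        New-Item -Path $script:ZoneKey -Force | Out-Null
    }
    if ($PSCmdlet.ShouldProcess("$script:ZoneKey\$script:ActionId", "set to $($script:PolicyNames[$target])")) {
        Set-ItemProperty -Path $script:ZoneKey -Name $script:ActionId -Value $target -Type DWord
    }
    Get-MyComputerZoneActiveXPolicy
}

# Usage:
$before = Get-MyComputerZoneActiveXPolicy
"Before: $($before.Policy) (weak: $($before.Weak))"
if ($before.Weak) {
    $after = Set-MyComputerZoneActiveXPolicy        # add -WhatIf to preview, -Disable for the strict variant
    "After:  $($after.Policy) (weak: $($after.Weak))"
}
```

Run it in a normal user session; no elevation is needed for HKCU, and the change takes effect for new IE windows. Re-run the audit function afterwards, because a domain policy can silently re-apply a value under HKLM that this script does not see.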