Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:17407
HistoryJul 04, 2007 - 12:00 a.m.

Two Unpublished IE Cases

2007-07-0400:00:00
vulners.com
16
JSON

I'd like to publish two IE cases that I know about. Although it's too
late. These two cases have already been patched. Just want to get them
on the record here. Many complained that IE7's new features
roadblocked hacking into this app. Well, those features are like any
other Microsoft's public documents on infosec, they are just sales
pitch.

Talked the talk. Now walk the walk. Both are drag-and-drop remote code
execution. One executes code on reboot. The other runs instantly on
drag-and-drop. Cover up is done using the genius idea by "mikx" from
DE, making the operation look normal on screen. Standard Javascript
features.

The key is drag source and drop destination. Here are two cases:

DRAG SRC:
Local page's IFRAME pointing to ftp-or-smb folder containing payload file
(HTTP Redirection to res-protocol page containing IFRAME tag)
DROP DST:
SHELL:STARTUP or:
\\127.0.0.1\c$\Documents and Settings\Administrator\Start Menu\Programs\Startup

DRAG SRC:
Any draggable file
("Favorites" control)
DROP DST:
Shortcut file pointing to "C:\WINDOWS\SYSTEM32\mshta.exe" command with
parameters
(On contrary, shortcut file pointing to remote executable will issue a
confirmation dialog)

REFERENCE:

Previously published cases on this topic:

mikx
http://mikx.de/index.php?p=1

Andreas Sandblad and Michael Krax, "Independently"
http://secunia.com/advisories/11165/

JSON