(Alternate Exploit is Available) Microsoft Internet Explorer Access Control Flaw in popup.show() Lets Remote Users Execute Mouse-Click Actions
|
|
SecurityTracker Alert ID: 1010990 |
|
SecurityTracker URL: http://securitytracker.com/id/1010990
|
|
CVE Reference:
GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Aug 19 2004
|
Impact:
Execution of arbitrary code via network, User access via network
|
Exploit Included: Yes
|
Version(s): 6; Tested on 6.0.2800.1106
|
Description:
A vulnerability was reported in Microsoft Internet Explorer in popup.show(). A remote user can take arbitrary mouse-based actions on the target system.
Paul from GreyHats Security Group reported that a remote user can create HTML that uses the popup.show() function with the 'on mousedown' event to take mouse-based actions on the target user's system.
A demonstration exploit is available at:
http://freehost07.websamba.com/greyhats/hijackclick3.htm
http-equiv subsequently reported that this vulnerable function can be used in conjunction with the previously reported "shell://" vulnerability to execute arbitrary code on the target user's system.
Some demonstration exploit code is provided:
<img src="greyhat.html" id=anch
onmousedown="parent.nsc.style.width=2000;parent.nsc.style.height=
2000;parent.pop.show(1,1,1,1);parent.setTimeout('showalert
()',3000);" style="width=168px;height=152px;background-image:url
('youlickit.gif');cursor:hand" title="click me!"></a>
location="shell:favorites\\greyhat[1].htm"
A demonstration exploit is available at:
http://www.malware.com/paul.html
On August 18, 2004, http-equiv provided an additional exploit example, available at:
http://www.malware.com/wottapoop.html
When this exploit example is followed, an executable file will be placed in your Windows Startup folder. Some user interaction is required in the example, but comments in the code note that it may be possible to automate the exploit.
|
Impact:
A remote user can create HTML that will execute mouse-click actions on the target user's computer.
|
Solution:
No solution was available at the time of this entry.
|
Vendor URL: www.microsoft.com/technet/security/ (Links to External Site)
|
Cause:
Access control error
|
Underlying OS:
Windows (Any)
|
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Date: Wed, 18 Aug 2004 17:23:05 -0000
Subject: What A Drag II XP SP2
|
Internet Explorer supports a fantastic variety of "styles"
and "behaviors" amongst other 'unique capabilities'. A lovely
demonstration of that can be found here:
http://www.malware.com/wottapoop.html
--
http://www.malware.com
-----
NTBugtraq Editor's Note:
Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the
message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office
messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the
message and place it in your TO: field.
-----
|
|
