SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (Web Browser)  >   Microsoft Internet Explorer (IE) Vendors:   Microsoft
(Vendor Issues Fix) Microsoft Internet Explorer Access Control Flaw in popup.show() Lets Remote Users Execute Mouse-Click Actions
SecurityTracker Alert ID:  1011638
SecurityTracker URL:  http://securitytracker.com/id/1011638
CVE Reference:   CAN-2004-0839, CAN-2004-0841   (Links to External Site)
Date:  Oct 12 2004
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 5.01, 5.5, 6
Description:   A vulnerability was reported in Microsoft Internet Explorer in popup.show(). A remote user can take arbitrary mouse-based actions on the target system.

Paul from GreyHats Security Group reported that a remote user can create HTML that uses the popup.show() function with the 'on mousedown' event to take mouse-based actions on the target user's system [CVE: CAN-2004-0841].

A demonstration exploit is available at:

http://freehost07.websamba.com/greyhats/hijackclick3.htm

http-equiv subsequently reported that this vulnerable function can be used in conjunction with the previously reported "shell://" vulnerability to execute arbitrary code on the target user's system.

Some demonstration exploit code is provided:

<img src="greyhat.html" id=anch
onmousedown="parent.nsc.style.width=2000;parent.nsc.style.height=
2000;parent.pop.show(1,1,1,1);parent.setTimeout('showalert
()',3000);" style="width=168px;height=152px;background-image:url
('youlickit.gif');cursor:hand" title="click me!"></a>

location="shell:favorites\\greyhat[1].htm"

A demonstration exploit is available at:

http://www.malware.com/paul.html

On August 18, 2004, http-equiv provided an additional exploit example [CVE: CAN-2004-0839], available at:

http://www.malware.com/wottapoop.html

When this exploit example is followed, an executable file will be placed in your Windows Startup folder. Some user interaction is required in the example, but comments in the code note that it may be possible to automate the exploit.
Impact:   A remote user can create HTML that will execute mouse-click actions on the target user's computer.
Solution:   The vendor has issued a fix.

Internet Explorer 5.01 Service Pack 3 on Windows 2000 SP3:

http://www.microsoft.com/downloads/details.aspx?FamilyId=2D8E8E97-4946-4994-924B-1FB1DC1881BA&displaylang=en


Internet Explorer 5.01 Service Pack 4 on Windows 2000 SP4:

http://www.microsoft.com/downloads/details.aspx?FamilyId=72DBE239-AF0A-42B5-B88C-A00371F6EC81&displaylang=en


Internet Explorer 5.5 Service Pack 2 on Microsoft Windows Me:

http://www.microsoft.com/downloads/details.aspx?FamilyId=BE27F77C-3C2D-45F1-86DF-2B71799DA169&displaylang=en


Internet Explorer 6 on Windows XP:

http://www.microsoft.com/downloads/details.aspx?FamilyId=A89CFBE8-C299-415D-A9D6-7CC6429C547D&displaylang=en


Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 3, on Microsoft Windows 2000 Service Pack 4, on Microsoft Windows XP, or on Microsoft Windows XP Service Pack 1:

http://www.microsoft.com/downloads/details.aspx?FamilyId=7C1404E6-F5D4-4FED-9573-DD83F2DFF074&displaylang=en


Internet Explorer 6 Service Pack 1 on Microsoft Windows NT Server 4.0 Service Pack 6a, on Microsoft Windows NT Server 4.0 Terminal Service Edition Service Pack 6, on Microsoft Windows 98, on Microsoft Windows 98 SE, or on Microsoft Windows Me:

http://www.microsoft.com/downloads/details.aspx?FamilyId=DE8D94C4-7F58-4CE7-B8BD-51CFD795B03E&displaylang=en


Internet Explorer 6 for Windows XP Service Pack 1 (64-Bit Edition):

http://www.microsoft.com/downloads/details.aspx?FamilyId=C05103E8-4402-4D54-BA03-FBBC24142E4D&displaylang=en


Internet Explorer 6 for Windows Server 2003:

http://www.microsoft.com/downloads/details.aspx?FamilyId=19E69E5F-9C98-49AD-A61F-4F82A4014412&displaylang=en


Internet Explorer 6 for Windows Server 2003 64-Bit Edition and Windows XP 64-Bit Edition Version 2003:

http://www.microsoft.com/downloads/details.aspx?FamilyId=566C2A05-2513-4E30-A3EA-87D4BF7F9730&displaylang=en


Internet Explorer 6 for Windows XP Service Pack 2:

http://www.microsoft.com/downloads/details.aspx?FamilyId=CF47B515-3F51-43E1-9246-2C2264C49E2E&displaylang=en

These patches require a system restart.
Vendor URL:  www.microsoft.com/technet/security/bulletin/ms04-038.mspx (Links to External Site)
Cause:   Access control error
Underlying OS:   Windows (Any)

Message History:   This archive entry is a follow-up to the message listed below.
Jul 12 2004 Microsoft Internet Explorer Access Control Flaw in popup.show() Lets Remote Users Execute Mouse-Click Actions


 Source Message Contents
Date:  Tue, 12 Oct 2004 15:04:56 -0400
Subject:  http://www.microsoft.com/technet/security/bulletin/ms04-038.mspx



MS04-038

http://www.microsoft.com/technet/security/bulletin/ms04-038.mspx


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2012, SecurityGlobal.net LLC