Internet Explorer 7
Neat PoC. However, this requires the users to have configured IE to run
ActiveX content. On my test machines, I was prompted by the browser
before the code ran. Surprisingly, CSA never stopped it.
I tested this on:
Internet Explorer 7 on Windows XP 32-bit w/ Cisco Security Agent
v5.0.0.176
Internet Explorer 7 on Vista 32-bit (no CSA)
Thanks,
. Internet Explorer 5.01 SP4 on Windows 2000 SP4
. Internet Explorer 6 SP1 on Windows 2000 SP4
. Internet Explorer 6 SP2 on Windows XP SP2
. Internet Explorer 6 SP2 on Windows XP SP3
. Internet Explorer 7 on Windows XP SP2
. Internet Explorer 7 on Windows XP SP3
. Internet Explorer 7 on Windows Vista SP1
. Internet Explorer 7 on Windows Vista SP2
. Internet Explorer 7 on Windows Server 2003 SP2 if Protected Mode is OFF and not using Enhanced Security Configuration
On 29 Sep 2008 19:59:55 -0000, UniquE@unique-key.org
<UniquE@unique-key.org> wrote:
> <!--
>
> MS Internet Explorer 7 Denial Of Service Exploit
>
> Type :
>
> Denial Of Service
>
<!--
MS Internet Explorer 7 Denial Of Service Exploit
Type :
Denial Of Service
Release Date :
*Vulnerable Packages*
. Internet Explorer 5 under Windows 2000/2003/XP
. Internet Explorer 6 under Windows 2000/2003/XP
. Internet Explorer 7 under Windows 2000/2003/XP
. Internet Explorer 7 under Windows Vista (when Protected Mode is turned off)
*Non-vulnerable Packages*
browsers (http://websecurity.com.ua/2550/). In 2008 I wrote about many
blocking DoS vulnerabilities in browsers, and this year I continued to write
about such holes, and after this one I'll write about another one soon (which
I found last year). Like these DoS vulnerabilities in Firefox, IE, Chrome
and Opera (http://websecurity.com.ua/3194/). Or like the DoS vulnerability in
Internet Explorer 7 (http://websecurity.com.ua/2872/), which is similar to
the DoS vulnerabilities in Firefox, Opera and Chrome
(http://websecurity.com.ua/2456/); all of them are printing DoS attacks.
> This will ONLY work if Firefox does NOT know which program to use.
II. Description:
Three cross site scripting vulnerabilities were identified in Google Notebook. A remote attacker can create a malformed notebook and, through the sharing option in Google Notebook, invite other users to view it in order to obtain their cookies. User interaction is required to exploit all three vulnerabilities.
Browser affected: Firefox 3.
Browser not affected: Internet Explorer 7, Opera 9.5, Safari 3.
One cross site scripting vulnerability was identified in Google Bookmarks. A remote attacker can create a malformed bookmark in his own account and then share it with other users to obtain their cookies. User interaction is required to exploit this vulnerability.
Browser affected: Mozilla Firefox 3, Internet Explorer 7, Opera 9.5, Safari 3
Telnet.exe
In a similar manner, if Internet Explorer (prior to IE7) loads a telnet
URL it will start the Telnet client using a relative path name. If an
executable named telnet.exe exists on the desktop, this executable will
be started instead of the real Telnet client. In Internet Explorer 7,
Microsoft disabled the use of telnet URLs (see also
http://msdn.microsoft.com/en-us/library/aa767741(VS.85).aspx).
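The relative-path launch described above, as an added example that is not code from the original advisory: a simulation of the Win32 CreateProcess search order over a constructed file system, showing that a telnet.exe planted in the current directory (the desktop) shadows the real client when the name is not fully qualified, and that an absolute path avoids the search entirely. The IE directory, desktop path and PATH contents are assumptions.

```python
"""Simulate the CreateProcess search order for an unqualified executable name.

Per the CreateProcess documentation, a bare name such as "telnet.exe" is
looked up in this order:
  1. the directory the calling application was loaded from
  2. the current directory of the parent process
  3. the 32-bit system directory
  4. the 16-bit system directory
  5. the Windows directory
  6. each directory listed in PATH
The file system below is a constructed set of paths, so this runs anywhere.
"""
import ntpath

SYSTEM32 = r"C:\WINDOWS\system32"
SYSTEM16 = r"C:\WINDOWS\system"
WINDIR = r"C:\WINDOWS"
IE_DIR = r"C:\Program Files\Internet Explorer"        # assumed: where iexplore.exe lives
DESKTOP = r"C:\Documents and Settings\alice\Desktop"   # assumed: the user's desktop
PATH_ENV = SYSTEM32 + ";" + WINDIR                     # assumed PATH

# Constructed file system: the real client plus an attacker-planted copy.
REAL_TELNET = ntpath.join(SYSTEM32, "telnet.exe")
PLANTED_TELNET = ntpath.join(DESKTOP, "telnet.exe")
FILES = {REAL_TELNET, PLANTED_TELNET, ntpath.join(IE_DIR, "iexplore.exe")}


def search_dirs(app_dir, cwd, path_env=PATH_ENV):
    """Directories in the order CreateProcess consults them for a bare name."""
    return [app_dir, cwd, SYSTEM32, SYSTEM16, WINDIR] + [p for p in path_env.split(";") if p]


def resolve(name, cwd, app_dir=IE_DIR, files=FILES):
    """Return the path CreateProcess would run for `name`, or None.

    NTFS lookups are case-insensitive, so paths are compared lower-cased.
    An absolute name skips the search order entirely.
    """
    present = {f.lower() for f in files}
    if ntpath.isabs(name):
        return name if name.lower() in present else None
    for d in search_dirs(app_dir, cwd):
        cand = ntpath.join(d, name)
        if cand.lower() in present:
            return cand
    return None


def launch_like_old_ie(cwd):
    """Pre-IE7 behaviour: bare relative name, resolved through the search order."""
    return resolve("telnet.exe", cwd)


def launch_hardened(cwd):
    """Safer behaviour: fully qualify the binary with the system directory."""
    return resolve(REAL_TELNET, cwd)


if __name__ == "__main__":
    for cwd in (DESKTOP, r"C:\Documents and Settings\alice"):
        print(f"cwd={cwd}")
        print("  relative name ->", launch_like_old_ie(cwd))
        print("  absolute path ->", launch_hardened(cwd))
```

With the desktop as current directory the relative launch picks up the planted file because step 2 of the search order comes before the system directory; with any other current directory it finds the real client, which is why the issue only shows up for a file dropped where the browser happens to be running.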
<html><head><script type="text/javascript">
function startSploit()
*Background:*
Mshtml.dll is a standard library which is responsible for rendering
objects in web pages in Internet Explorer.
*Description:*
Internet Explorer 7 is vulnerable to denial of service while handling
malicious PNG files; the vulnerable behaviour is triggered while IE loads
images. This issue can be exploited by an attacker by luring a victim to
a malicious web page.
RegKey Safe for Script: False
RegkeySafe for Init: False
KillBitSet: False
The POC was tested on Windows XP Pro SP3 w/ Internet Explorer 7 - All patched
Also Windows XP Pro SP2 w/ Internet Explorer 7
By the way, props go out to shinnai for his tool, Roadmap.
Major thanks go out to HD Moore and the Metasploit project/crew =) www.metasploit.com
Thanks sCORPINo =P www.snoop-security.com
:Title: Remote Denial of Service in Internet Explorer
:Severity: Moderate
:Reporter: Blue Moon Consulting
:Products: Internet Explorer 7 and 8
:Fixed in: --
Description
-----------
This vulnerability can be used to achieve remote code execution by
tricking the victim into opening an attacker-controlled web page. This
can be done by specifying a malformed .wma file as a web page
background sound (bgsound tag) or by embedding Windows Media Player
in a web page (embed tag). This attack works with multiple browsers
(tested on Internet Explorer 6, Internet Explorer 7 and Mozilla
Firefox 2 under Windows XP; other browsers and Windows versions are
affected as well).
#####
#PoC#
IV. DETECTION
As of September 2008, iDefense confirms that Internet Explorer 5.01 on
Windows 2000 SP4 is vulnerable. It also causes denial of service for
Internet Explorer 6 on Windows XP SP2. Internet Explorer 7 is not
affected.
V. WORKAROUND
iDefense is not aware of any effective workaround for this issue.
-- Affected Vendors:
Microsoft
-- Affected Products:
Microsoft Internet Explorer 7
Microsoft Internet Explorer 8
-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 9315.
III. AFFECTED PRODUCTS
---------------------------
Microsoft Internet Explorer 8
Microsoft Internet Explorer 7
Microsoft Internet Explorer 6
On Windows 7, Windows 2008, Windows 2003, Windows Vista, and Windows XP
Exploitation of this vulnerability would allow an attacker to execute
arbitrary code in the context of the user running Internet Explorer. In
order to be successful, a targeted user must render a maliciously
crafted web page.
On Vista, Internet Explorer 7 runs in Protected Mode, which has fewer
privileges than a normal user. This somewhat mitigates the impact of this
vulnerability, but does not prevent arbitrary code execution.
IV. DETECTION
In order to exploit this vulnerability, an attacker must persuade a user
to render a malicious web page using Internet Explorer. This is usually
accomplished by providing a link to the malicious page in an e-mail or
instant message.
On Windows Vista, Internet Explorer 7 runs in "Protected Mode". Since
"Protected Mode" processes web pages with lower privileges than a
normal user, it lessens the impact of this vulnerability. However, it
does not prevent arbitrary code execution on the affected system.
IV. DETECTION
-- Affected Vendors:
Microsoft
-- Affected Products:
Microsoft Internet Explorer 7
Microsoft Internet Explorer 8
-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 9429.
-- Affected Vendor:
Microsoft
-- Affected Products:
Internet Explorer 6
Internet Explorer 7
-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 5822.
For further product information on the TippingPoint IPS:
-- Affected Vendor:
Microsoft
-- Affected Products:
Internet Explorer 6
Internet Explorer 7
-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 5923.
For further product information on the TippingPoint IPS:
-- Affected Vendors:
Microsoft
-- Affected Products:
Microsoft Internet Explorer 6
Microsoft Internet Explorer 7
Microsoft Internet Explorer 8
-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 8654.
http://www.tippingpoint.com
-- Vulnerability Details:
This vulnerability allows attackers to execute arbitrary code on
vulnerable installations of Microsoft Internet Explorer 7 on the
Microsoft Vista operating system. User interaction is required to
exploit this vulnerability in that the target must visit a malicious
page.
The specific flaw exists during a WebDAV fetch of a document from a path
-------------------------
Affected products:
-------------------------
Vulnerable versions are Internet Explorer 6 (6.0.2900.2180), Internet
Explorer 7 (7.00.5730.13), Internet Explorer 8 (8.00.6001.18702) and
previous versions.
----------
Details:
----------
III. AFFECTED PRODUCTS
---------------------------
Microsoft Internet Explorer 8
Microsoft Internet Explorer 7
Microsoft Internet Explorer 6
Microsoft Windows XP Service Pack 3
Microsoft Windows XP Professional x64 Edition Service Pack 2
Microsoft Windows Server 2003 Service Pack 2
it must work in 3.5.x and 3.6.x), Internet Explorer 6 (6.0.2900.2180),
Internet Explorer 8 (8.0.7600.16385), Google Chrome 1.0.154.48 and Opera
9.52. In Opera the exploit doesn't open the email client, so the DoS attack
goes without blocking, only resource consumption (more slowly than in
other browsers). And also this exploit must work in SeaMonkey, Internet
Explorer 7 and other browsers.
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
IE7 Transfer-Encoding: chunked allows Request Splitting/Smuggling.
Date: March 21st, 2008
Tested Versions:
Internet Explorer 7.0.5730.11
Tested OS:
Windows XP Professional SP2 Italian
Minded Security ReferenceID:
-- Affected Vendors:
Microsoft
-- Affected Products:
Microsoft Internet Explorer 6
Microsoft Internet Explorer 7
-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Microsoft Internet Explorer. User
interaction is required to exploit this vulnerability in that the target
http://www.wlug.org.nz/WPAD
-----
(BeauButler?: I have registered wpad.co.nz, and do not intend to be 'really
nasty'. I am collecting the 404 logs with the intention to produce some nice
charts, however. Also, the wpad organisational-boundaries bug appears to have
resurfaced in Internet Explorer 7!!)
-----
Beau Butler is the guy who got all the press by talking about this at kiwicon
last week:
https://kiwicon.org/presentations#oddy
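The "organisational-boundaries" problem mentioned in the note above, as an added example that is not part of the original e-mail: a model of the DNS-devolution step a WPAD client performs on its DNS suffix, the list of wpad host names it would try, and a check for which of them fall into a zone anyone can register under. The devolution model (strip the leftmost label until two labels remain), the public-suffix table and the resolvable-name sets are assumptions constructed for the example.

```python
"""Enumerate WPAD candidate names produced by DNS-suffix devolution and flag
those that cross the organisational boundary.

Model (assumed, simplified): the client takes its DNS suffix, queries
wpad.<suffix>, then strips the leftmost label and tries again, stopping
once only two labels remain. It uses the first name that resolves.
A candidate is outside the organisation when the zone it sits in is a
public suffix, because anyone can register a "wpad" host there.
PUBLIC_SUFFIXES is a constructed subset, not the real public suffix list.
"""
PUBLIC_SUFFIXES = {"nz", "co.nz", "org.nz", "com", "net", "org", "uk", "co.uk"}


def devolve(suffix, min_labels=2):
    """Yield the suffix, then each shorter parent, down to min_labels labels."""
    labels = suffix.lower().strip(".").split(".")
    while len(labels) >= min_labels:
        yield ".".join(labels)
        labels = labels[1:]


def wpad_candidates(dns_suffix):
    """WPAD host names in the order the client would query them."""
    return [f"wpad.{s}" for s in devolve(dns_suffix)]


def crosses_boundary(candidate, public_suffixes=PUBLIC_SUFFIXES):
    """True if the zone holding this wpad name is a public suffix."""
    zone = candidate.split(".", 1)[1]
    return zone in public_suffixes


def audit(dns_suffix):
    """Map each candidate to 'inside' or 'OUTSIDE' the organisation."""
    return {c: ("OUTSIDE" if crosses_boundary(c) else "inside")
            for c in wpad_candidates(dns_suffix)}


def chosen_wpad(dns_suffix, resolvable):
    """The first candidate that resolves is where wpad.dat is fetched from.

    `resolvable` is a constructed set standing in for DNS answers.
    """
    for c in wpad_candidates(dns_suffix):
        if c in resolvable:
            return c
    return None


if __name__ == "__main__":
    suffix = "corp.example.co.nz"  # constructed client DNS suffix
    for name, verdict in audit(suffix).items():
        print(f"{verdict:8} {name}")
    # Only the registrant of wpad.co.nz has a record: the client uses it.
    print("no internal record ->", chosen_wpad(suffix, {"wpad.co.nz"}))
    # Publishing wpad inside the organisation stops the walk early.
    print("internal record    ->", chosen_wpad(suffix, {"wpad.example.co.nz", "wpad.co.nz"}))
```

The walk shows why a single public registration catches every client whose suffix devolves to that zone and whose organisation has published no wpad record of its own: the fix on the organisation's side is to make an earlier name in the chain resolve (a wpad host or explicit PAC URL in the internal zone), and on Windows Server 2008 DNS the global query block list refuses to answer for "wpad" by default.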
Symantec Fax Viewer Control v10 (DCCFAXVW.DLL) remote buffer overflow exploit (IE7)
by Nine:Situations:Group::trotzkista
site: http://retrogod.altervista.org/
tested against: Symantec WinFax Pro 10.03
Internet Explorer 7, XP SP3
some details:
CLSID: {C05A1FBC-1413-11D1-B05F-00805F4945F6}
Progid: Symantec.FaxViewerControl.1
Binary Path: C:\Programmi\WinFax\DCCFAXVW.DLL
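The three-line safety report quoted earlier on this page ("RegKey Safe for Script", "RegkeySafe for Init", "KillBitSet") and the CLSID/ProgID/binary-path details of this control, reproduced as an added example that is not the tool the authors used: a checker that reads those properties from a registry snapshot, decides whether IE would still instantiate the control, and shows the kill-bit mitigation applied. The snapshot is a constructed dict of key paths; the fax viewer's CLSID, ProgID and path are the ones listed in the advisory, its friendly name is assumed, and the second CLSID is hypothetical.

```python
r"""Evaluate an ActiveX control's IE safety state from a registry snapshot.

Registry facts used:
  - HKCR\CLSID\{clsid}\Implemented Categories\{catid} present means the
    control claims that component category; the two CATIDs below are IE's
    "Safe for Scripting" and "Safe for Initializing from persistent data".
  - HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{clsid}
    DWORD "Compatibility Flags": bit 0x400 is the kill bit. When set, IE
    refuses to instantiate the control whatever the safety categories say.
SNAPSHOT is a constructed dict: key path -> {value name: data}.
"""
CATID_SAFE_FOR_SCRIPTING = "{7DD95801-9882-11CF-9FA9-00AA006C42C4}"
CATID_SAFE_FOR_INIT = "{7DD95802-9882-11CF-9FA9-00AA006C42C4}"
KILL_BIT = 0x400
COMPAT_BASE = r"HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"

FAXVIEW_CLSID = "{C05A1FBC-1413-11D1-B05F-00805F4945F6}"   # from the advisory
DEMO_CLSID = "{00000000-0000-0000-0000-0000000000AA}"      # hypothetical control


def key(*parts):
    """Join registry path components with backslashes."""
    return "\\".join(parts)


# Constructed snapshot of the relevant keys on a WinFax host.
SNAPSHOT = {
    key("HKCR", "CLSID", FAXVIEW_CLSID): {"(Default)": "Symantec Fax Viewer Control"},  # name assumed
    key("HKCR", "CLSID", FAXVIEW_CLSID, "ProgID"): {"(Default)": "Symantec.FaxViewerControl.1"},
    key("HKCR", "CLSID", FAXVIEW_CLSID, "InprocServer32"): {"(Default)": r"C:\Programmi\WinFax\DCCFAXVW.DLL"},
    # hypothetical control that is marked safe for both but already kill-bitted
    key("HKCR", "CLSID", DEMO_CLSID): {"(Default)": "Demo Control"},
    key("HKCR", "CLSID", DEMO_CLSID, "Implemented Categories", CATID_SAFE_FOR_SCRIPTING): {},
    key("HKCR", "CLSID", DEMO_CLSID, "Implemented Categories", CATID_SAFE_FOR_INIT): {},
    key(COMPAT_BASE, DEMO_CLSID): {"Compatibility Flags": KILL_BIT},
}


def control_report(reg, clsid):
    """Collect the properties the page's report lists for one CLSID."""
    base = key("HKCR", "CLSID", clsid)
    cats = key(base, "Implemented Categories")
    flags = reg.get(key(COMPAT_BASE, clsid), {}).get("Compatibility Flags", 0)
    return {
        "clsid": clsid,
        "registered": base in reg,
        "progid": reg.get(key(base, "ProgID"), {}).get("(Default)"),
        "binary": reg.get(key(base, "InprocServer32"), {}).get("(Default)"),
        "safe_for_script": key(cats, CATID_SAFE_FOR_SCRIPTING) in reg,
        "safe_for_init": key(cats, CATID_SAFE_FOR_INIT) in reg,
        "kill_bit_set": bool(flags & KILL_BIT),
    }


def ie_will_load(report):
    """IE instantiates a registered control unless its kill bit is set;
    the safety categories only govern scripting/initialisation prompts."""
    return report["registered"] and not report["kill_bit_set"]


def with_kill_bit(reg, clsid):
    """Copy of the snapshot with the usual mitigation applied: OR 0x400 into
    Compatibility Flags (what a vendor or Microsoft kill-bit update does)."""
    new = {k: dict(v) for k, v in reg.items()}
    values = new.setdefault(key(COMPAT_BASE, clsid), {})
    values["Compatibility Flags"] = values.get("Compatibility Flags", 0) | KILL_BIT
    return new


def format_report(report):
    """Render the same lines the page's report uses."""
    return "\n".join([
        f"CLSID: {report['clsid']}",
        f"Progid: {report['progid']}",
        f"Binary Path: {report['binary']}",
        f"RegKey Safe for Script: {report['safe_for_script']}",
        f"RegkeySafe for Init: {report['safe_for_init']}",
        f"KillBitSet: {report['kill_bit_set']}",
    ])


if __name__ == "__main__":
    for clsid in (FAXVIEW_CLSID, DEMO_CLSID):
        rep = control_report(SNAPSHOT, clsid)
        print(format_report(rep), "\nIE will load:", ie_will_load(rep), "\n")
    print("after kill bit:", ie_will_load(control_report(with_kill_bit(SNAPSHOT, FAXVIEW_CLSID), FAXVIEW_CLSID)))
```

On a real host the inputs come from `reg query` on the two key paths named in the docstring; the point of the report is that "not safe for scripting" does not keep the control out of the browser, only the kill bit does, which is why the fix for a vulnerable control is setting 0x400 rather than clearing its safety categories.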
site: http://retrogod.altervista.org/
software site: http://pack.google.com/intl/it/pack_installer.html
tested against: Internet Explorer 8, windows xp sp3
Internet Explorer 7, windows xp sp3
Google Chrome 2.0.172.43
vulnerability:
through the vulnerable googleapps.url.mailto:// deprecated uri handler, registered as follows: