UGN Security Forums
#15195 - 03/04/02 05:43 PM IE, Outlook and OE vulnerability
Nexus Offline
Junior Member

Registered: 03/04/02
Posts: 16
Loc: UK
Extract from http://www.theregister.co.uk/content/4/24274.html

Quote:
An attacker can run arbitrary commands on Windows machines with a simple bit of HTML, an Israeli security researcher has demonstrated. The exploit will work with IE, Outlook and Outlook Express even if active scripting and ActiveX are disabled in the browser security settings.


Further details at http://security.greymagic.com/adv/gm001-ie/

#15196 - 03/05/02 07:36 AM Re: IE, Outlook and OE vulnerability
Kryptic Codez Offline
Junior Member

Registered: 03/03/02
Posts: 5
Actually I tried the code out in the article and it didn't work.

-Kryptic Codez
_________________________
"sheep mesmerized by television...the real American drug addiction..."

#15197 - 03/05/02 06:19 PM Re: IE, Outlook and OE vulnerability
Le4rner Offline
UGN Supporter

Registered: 03/05/02
Posts: 562
Same here. I get a screen with a pic that looks to have not loaded....
_________________________
http://promodtecnologies.com/rrfn

#15198 - 03/05/02 07:58 PM Re: IE, Outlook and OE vulnerability
spectre Offline
Junior Member

Registered: 03/05/02
Posts: 56
Loc: 192.168.128.80
The code worked for me. I had to edit it to fix it so it worked with WINME (CALC was in C:\Windows\, not Windows\System)






]]>




I then tried to create a shortcut to Windows' Command.com, but it didn't work because when you create a shortcut to command.com, it is not considered an actual shortcut, but:

Type of File: Performs text-based (command-line) functions.


I then tried to get the code to pass functions to MS-DOS. Unfortunately, for the same reason as above, you CANNOT open command.com because it is the same type of file as above.


Not knowing XML I cannot tell you how to do this, but the only workaround I can think of is to know exactly what you are going to do (of course you will) and open Notepad and pass a command.com argument to it, then whatever argument to that, and save the file as perform.bat and save it then run it. All from the same XML file. If anyone knows how to do this, it would be great if I could see the code! Thanks!
_________________________
http://www.javaspot.net

#15199 - 03/05/02 08:25 PM Re: IE, Outlook and OE vulnerability
Mornse Offline
Member

Registered: 03/03/02
Posts: 185
Loc: Vancouver
OK, let's say you take that code and use it to open up a command prompt like in the other post. Do you think it would also be possible to send a command along with opening the command prompt? Because if you could then you could maybe turn on file sharing and things such as that which would make it quite simple to have a backdoor. I've been looking at it, but I don't really know JavaScript and can't figure out how/if to do it. Anyone?
_________________________
Cha want some w***up?

http://www.dopeskill.com

#15200 - 03/05/02 08:49 PM Re: IE, Outlook and OE vulnerability
Le4rner Offline
UGN Supporter

Registered: 03/05/02
Posts: 562
Well, that is XML, not JavaScript.
_________________________
http://promodtecnologies.com/rrfn

#15201 - 03/06/02 08:17 PM Re: IE, Outlook and OE vulnerability
Mornse Offline
Member

Registered: 03/03/02
Posts: 185
Loc: Vancouver
Yeah, I know that's XML, but in the example in the other post they used JavaScript to do the same thing.
_________________________
Cha want some w***up?

http://www.dopeskill.com

#15202 - 03/06/02 08:49 PM Re: IE, Outlook and OE vulnerability
spectre Offline
Junior Member

Registered: 03/05/02
Posts: 56
Loc: 192.168.128.80
The fact of the matter is, it will not allow you to open a command prompt. The only way you could open a command prompt with this XML is to create a program that opens a command prompt, compile it, and have this link to the .EXE. Of course, the person you use this on will not have that EXE on their computer, so it doesn't matter anyway. As I said above, you cannot open command.com, command.exe, ms-dos, etc.
_________________________
http://www.javaspot.net
