simply wow......

Printable View

March 1st, 2002, 03:20 PM
Fubarian

simply wow......

Requirements -- IE5 or 6

Ok java script people, this ones fer you. And sys admins, yer gonna s%#$. Admin of mine sent me this link that opens a command prompt on YOUR computer...no s@#$, no kidding, it'll outrightly open it on yer computer...which is NOT cool. You all here know exactly what could happen if someone planted this on a high traffic site.

Time to see how good we are.

<a href="http://www.liquidwd.freeserve.co.uk/" target="_blank">http://www.liquidwd.freeserve.co.uk/</a>

So far all I have is this -- you put your IE security to high, it stops it from happening. thats all I know. Please post what you can find.
March 1st, 2002, 03:28 PM
MacGyver

didn't happen on my computer, I'm running IE5.5SP1 on Win95 and it didn't matter if I was using Webwasher or not.
March 1st, 2002, 03:29 PM
ilovetheusers

Don't work on winderz 9.x. I'll let you know when I get home and let my roomie see it.

Gotta love this stuff.
March 1st, 2002, 03:39 PM
Fubarian

if ya read the page its fer 2k/xp -- forgot to add that
March 1st, 2002, 04:57 PM
Gameguru

Spooky....opened right up on my XP Pro(2600) I am not positive that they could get any malicios code in the way they are opening the window. I will say this....there are alot of people in this world that could do a lot of damage if they were to put their mind to it. :eek:
March 1st, 2002, 07:49 PM
Kaelon

deltree c:\windows\*.*
:D :D hehe I wonder if that would be possible off of this little bug?
-Kaelon
March 2nd, 2002, 02:00 AM
Poseidon

Okay, rebooted to Win2K / IE 5.5 environment. Nothing happened

What is this vulnerability, and do I need to change any settings at the office?
<img src="confused.gif" border="0">
March 2nd, 2002, 08:51 AM
Chris_MacMahon

xp pro (2600), all fixes and patches, zonealarm, and norton both failed here....
this will be fun....
March 2nd, 2002, 10:08 AM
vilagefool

I am running XP pro (2600) and it did not work on my machine. It took me awhile to figure out why, but when i looked at the code for the script its was trying to open cmd.exe on my c: drive. I am running XP off of my D: drive (thus why it did not work). But i did download the page and switched the refrence to d:\... and it did work! just thought i would throw my 2 cents worth :D
March 2nd, 2002, 07:29 PM
ilovetheusers

I just spoke to my roomie and aparently there are about 5 other ways to do this and you always have been able to do so. Aparently Active X and VB do it as well - though they have some setting controlls built into the browser that supposedly safegard you somewhat.
March 3rd, 2002, 12:38 PM
Draggar

IE 4.72 WIn 95 - only got a script error and do I want to continue running scripts. I said yes, and nothing happened.

I am behind some sort of firewall, but I do have full internet access...
March 3rd, 2002, 01:15 PM
Ahcoraj

I saw one somewhere that brought up a windows explorer that allowed you to browse your own hard drive. Scary......
March 3rd, 2002, 04:09 PM
myramp

my virus scanner (Trend Micro PCcillian 2000)caught it but it still opened the cmd prompt. you could disable this by turning off javascript in IE security.
March 3rd, 2002, 08:41 PM
ilovetheusers

[quote]Originally posted by Ahcoraj:
I saw one somewhere that brought up a windows explorer that allowed you to browse your own hard drive. Scary......<hr></blockquote>

It has always been like this so that you could run a web site from your HDD if need be. Here is the script. It is non harmful.

html
head
/head
body bgcolor="#FFFFFF"
p /p
p iframe src="C:\"width="500" height="450"
br
/iframe /p
/body
/html
March 4th, 2002, 06:24 AM
Russ192

Its nice hey, I would not be concerned! Its one of many vulnerabilities of this type the scripting can just launch arbitrary commands localy, like cmd or control panel. It is just local so unless you do something no harm comes of it. Take a read of <a href="http://jscript.dk/unpatched/" target="_blank">http://jscript.dk/unpatched/</a> for more info

Russ
March 4th, 2002, 08:54 AM
LagMonster

[quote]Originally posted by Kaelon:
deltree c:\windows\*.*
:D :D hehe I wonder if that would be possible off of this little bug?
-Kaelon<hr></blockquote>

I am sure you can add command line parameters to this making it a security hazard. This is something to watch out for if your clients or coworkers are surfing on sites that you don't know of.
March 4th, 2002, 06:35 PM
Fubarian

I got a follow up email on the issue and they said "over 25,000 of you clicked the link" ...hehe, wonder how many of those were us? :D
March 5th, 2002, 01:42 PM
Russ192

[quote]Originally posted by LagMonster:


I am sure you can add command line parameters to this making it a security hazard. This is something to watch out for if your clients or coworkers are surfing on sites that you don't know of.<hr></blockquote>

You can not pass parameters. So no deltree is not possible.
All this bug has the ability to do is run a .exe on the client system, that exe file must be present locally. Its not as huge as this post has been making out. Disable scripting to protect against it for now.

<a href="http://www.securityfocus.com" target="_blank">www.securityfocus.com</a>
<a href="http://jscript.dk/unpatched/" target="_blank">http://jscript.dk/unpatched/</a>

Russ
March 5th, 2002, 09:48 PM
AKautz

Thanks to ActiveWin ( <a href="http://www.activewin.com" target="_blank">www.activewin.com</a> ), I found out about an article at The Register which says the Internet Explorer (IE) "bug" is an old "data binding" feature which had its origin with IE 4 and has been continued in all subsequent versions of IE. Also, disabling active scripting and/or Active X will not prevent the problem, although there is a registry mod that can prevent it. The URL for the article is:
<a href="http://www.theregister.co.uk/content/4/24274.html" target="_blank">http://www.theregister.co.uk/content/4/24274.html</a>

A bit of HTML code that is posted in The Register article mentioned above, will cause IE to run the Windows Calculator app.

For "newbies," simply copy and paste the code into Windows Notepad (for some versions of Windows, remove the "system32" folder from the pathname in the code), save it to your Windows Desktop with an "html" extension instead of a "txt" extension, and then either double click on the newly saved file on the Desktop (if IE is your default browser) or open the file manually from within IE (File > Open...) to execute it. It appears that one can run any app (such as a DOS window) on their PC simply by specifying (and saving) the correct path in the code above and opening the file in IE.

So since the HTML code is able to execute a program, isn't there a way that it could be modified to execute a command from the command prompt?

Inquiringly,
Adam Kautz
March 7th, 2002, 05:28 PM
Antimatter

This page can not be displayed.
Win2k SP2, IE 5.01 SP2. Java set to high safety. ActiveX and scripting all set to prompt before running.
March 8th, 2002, 05:02 AM
EvilCabbage

Another day, another Active X / MS / Java exploit.

*sigh* ..
March 8th, 2002, 05:48 AM
Alwayslearining

well this link actually logs you off

<a href="http://www.krypton3d.com/xp" target="_blank">www.krypton3d.com/xp</a>
March 8th, 2002, 01:40 PM
Poseidon

[quote]Originally posted by Alwayslearining:
well this link actually logs you off

<a href="http://www.krypton3d.com/xp" target="_blank">www.krypton3d.com/xp</a><hr></blockquote>

The above is caught by most Antivirus platforms:

<a href="http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=JS_CIDEXPLOIT.B&VSect=T" target="_blank">JS_CIDEXPLOIT.B</a>
March 9th, 2002, 05:03 AM
Russ192

[quote]Originally posted by Alwayslearining:
well this link actually logs you off

<a href="http://www.krypton3d.com/xp" target="_blank">www.krypton3d.com/xp</a><hr></blockquote>

Now that is celver. Same exploit just executing a differant application to log you off. Only works if you installed windows to the default directory mind.

I understand that such commands can now be exectuted without scripting or ActiveX enabled. Im looking for a example exploit. The Anti-Virus companies are moving in to save the day but i think its time to patch this one microsoft!
March 13th, 2002, 12:31 PM
Quiet Thunder

Already patched. <a href="http://www.download.windowsupdate.com/msdownload/update/v3/static/RTF/en/5226.htm" target="_blank">Check here to read more</a>
March 13th, 2002, 01:32 PM
AKautz

Thanks for keeping us updated QT, but upon reading more info ("Technical Details") about the patch at:

<a href="http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-009.asp" target="_blank">http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/b ulletin/MS02-009.asp</a>

I found out that the patch fixes a flaw that did not involve the ability to execute files, so it does not appear to be a solution to the problem being discussed.

Adam
March 13th, 2002, 08:23 PM
TrackMan

The page wouldn't even load. Oh well, sounds pretty neat-o. :p

Damn microsoft and their crappy software :mad:
March 13th, 2002, 08:26 PM
Ahcoraj

Funny, my Pc-cillin at one office catches it, but the Norton Corporate at the other office doesn't
March 14th, 2002, 10:19 PM
vilagefool

this may be a little late but, here is a link i got from PC-cillin, the online virus scan: <a href="http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=JS_CIDEXPLOIT.B" target="_blank">http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=JS_CIDEXPLOIT.B</a>