[Dshield] FW: Osama Bin Laden Captured

Laura Vance vancel at winfreeacademy.com
Mon Apr 26 14:52:08 GMT 2004


I believe that what happens here is that IE first tries to load the help 
file "C:\foo.mht" and the '!' is used as a delimiter. Once it cannot 
find the help file of "foo.htm" the second file is loaded as a failover 
with the same permissions as the zone of the first option which is local 
machine. If I read the documents correctly, it doesn't actually have to 
download the chm file, unless IE has to download something like that 
before it can execute it.

I don't see why you couldn't use a browser redirect to get to the 
browser to automatically visit the URL with the hostile code.

I don't know the answers to your other two questions.

Pete Cap wrote:

>Greetings, List:
>... object data=”ms-its:mhtml:file://c:\foo.mht!” type=”text/x-scriptlet”
>As far as the exploit goes, essentially what's happening is the browser is extracting foo.mht from pics.chm and executing it as C:\pics.htm, correct?  And this can be any kind of executable content?  Have I got this right?
>Couple of questions:
>1. Could you just use a browser redirect to start this process or is it essential that the user click on the link?
>2. Does the process by which the hostile content is retrieved need to be in an OBJECT tag or can it be in any data request (e.g. an IMG tag)?
>3. Why does one attempt in this example occur in a textarea?
>Hope someone can help.
Laura Vance
Systems Engineer
Winfree Academy Charter Schools, Data-Business Office
1711 W. Irving Blvd. Ste 310
Irving, Tx  75061
Mobile: 469-855-5801
Fax: 972-251-2525
Web: www.winfreeacademy.com

More information about the list mailing list