Re: IE ms-its: and mk:@MSITStore: vulnerability
In-Reply-To: <BAY17-F16uCddQiqWcB0001d6bb@xxxxxxxxxxx>
>What, exactly, is new about this?
I did my best to explain this with different PoCs and giving a lot of detail,
but it seems I failed to address this well. The fact that Internet Explorer can
access CHM files using the two p-handlers when help has been initiated is
new, the fact that some local resources can be used is also new, and execution of
programs on the local machine is not done using the old way.
To realize this better, try testing the PoCs by removing the line that opens
help; what you will find out is that the script won't be able to run correctly
and no programs will be run.
The PoCs I have used in combination with mine were selected from those I
thought would be detected by scanners, so it won't be possible for people
to simply use them. I have given enough info between the lines for experienced
readers too.
>and the second bit like something Arman Nayyeri posted [2]
If I am not mistaken, his PoC could only run Winamp if it had been installed in
some known location, while the changes I have made to it give it the ability
to run any program whose MUICACHE name is known.
>The PoCs in section b) through g) appear to be implementations of the above.
>And the PoC in section h) seems related to Cert Advisory VU#489721 [3]
These were only included for the reader's better understanding and to prove the
fact that other programs (MS products) which use Internet Explorer for opening
HTML files can be exploited too (God, I am giving you clues).