Re: Re: RE: playing for fun with <=IE7

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: Re: RE: playing for fun with <=IE7
From: laurent.gaffie@xxxxxxxxx
Date: 25 Oct 2007 15:58:16 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Hi there
Nop it wont work.
http://dams083.free.fr/tmp/putty.exe?explorer.exe
the first .exe extension will be overwriten by
the second one . then it will be putty.exe anyways.

"avivra" did mention that he was able to use this bypass to automate the PDF 
attack vector
found by GNUCitizen's pdp
http://aviv.raffon.net/2007/10/15/BackFromTheDead.aspx

he also did mention that cyber_flash found the same kind of vuln on IE6 sp2 3 
years ago.

thanks to him for theses precisions.

i was also able to reproduce the pdp(gnucitizen) pdf 0days remotly without any 
promt with IE7
using the avivra idea/exemple showed on his video
here's a live exemple:
http://dams083.free.fr/pdf_poc.exe?1.pdf
pdf is open , calc.exe is launched no promt .

we can imagine the impact with a:
-permanent Xss
-malicious webpage
-worm
-etc 

regards laurent gaffié

//sorry for the delay.

Prev by Date: First ever ModSecurity public training at OWASP/WASC conf in SJ
Next by Date: [PoC] DNS Recursion bandwidth amplification
Previous by thread: Re: RE: playing for fun with <=IE7
Next by thread: [ GLSA 200710-10 ] SKK Tools: Insecure temporary file creation
Index(es):
- Date
- Thread