Hosting Provided By

Internet Explorer 0day exploit

From: Thor Larholm <seclists(at)larholm.com>
Date: Tue Jul 10 2007 - 01:09:23 EDT

There is a URL protocol handler command injection vulnerability in Internet Explorer for Windows that allows you to execute shell commands with arbitrary arguments. This vulnerability can be triggered without user interaction simply by visiting a webpage.

When Internet Explorer encounters a reference to content inside a registered URL protocol handler scheme it calls ShellExecute with the EXE image path and passes the entire request URI without any input validation. For the sake of demonstration I have constructed an exploit that bounces through Firefox via the FirefoxURL protocol handler. The full advisory and a working Proof of Concept exploit can be found at

http://larholm.com/2007/07/10/internet-explorer-0day-exploit/

Cheers
Thor Larholm Received on Tue Jul 10 11:47:59 2007

This message: [ Message body ]
Next message: security(at)mandriva.com: "[ MDKSA-2007:143 ] - Updated mplayer packages fix buffer overflow remote vulnerabilities"
Previous message: mballano(at)gmail.com: "WinPcap NPF.SYS Privilege Elevation Vulnerability"
Next in thread: Gadi Evron: "Re: Internet Explorer 0day exploit"
Reply: Gadi Evron: "Re: Internet Explorer 0day exploit"
Maybe reply: Zow: "Re: Internet Explorer 0day exploit"
Maybe reply: Aaron Katz: "Re: Internet Explorer 0day exploit"
Maybe reply: Aaron Katz: "Re: Internet Explorer 0day exploit"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Mon Jul 16 2007 - 05:18:40 EDT