send feedback to liudieyuinchina@yahoo.com.cn

My Idea

The latest flaw:

"flood request" issue.

I believe it's rooted in the following process:

popup prompt; download if not "cancel"

The problem is:

"popup prompt" will fail if there are too many existing dialogs; thus the prompt process will return an error code instead of "cancel" (shown in Writing Secure Code II).

I've verified that the ActiveX warning and the download prompt use this process, which means they are vulnerable. However, I've not developed a precise method to exploit the ActiveX warning, for lack of knowledge.
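Added example (not the page's PopupKit and not IE's code): a C model of the decision described above, "popup prompt; download if not cancel", placed beside a fail-closed version of the same check. The prompt helper follows the Win32 MessageBox() convention of returning the id of the pressed button, or 0 when the dialog cannot be created; the desktop struct, the window budget of 180 and every function name are assumptions chosen to mirror the counts in the experiment records, not real limits or API.

```c
#include <stdbool.h>
#include <stdio.h>

/* Button ids as in the Win32 MessageBox() contract: a button id on success,
 * 0 if the dialog could not be created at all. */
enum { PROMPT_FAILED = 0, IDOK = 1, IDCANCEL = 2, IDYES = 6, IDNO = 7 };

/* Assumed per-desktop window budget. The real ceiling comes from desktop
 * heap and USER handle quotas; 180 is only the figure the experiments on
 * this page hovered around. */
#define WINDOW_BUDGET 180

/* One interactive desktop with a finite number of window slots (model). */
struct desktop {
    int open_windows;
    int budget;
};

/* Attacker's flood: modeless dialogs / notepad windows that stay open.
 * Returns how many were actually created before the budget ran out. */
static int open_windows(struct desktop *d, int n) {
    int created = 0;
    while (created < n && d->open_windows < d->budget) {
        d->open_windows++;
        created++;
    }
    return created;
}

/* Consent prompt. If the desktop can still hold a window the prompt appears
 * and we return the button the (simulated) user presses; otherwise creation
 * fails and, like MessageBox(), we return 0. The slot is deliberately not
 * released: in the experiments the prompts piled up on screen. */
static int consent_prompt(struct desktop *d, int user_answer) {
    if (d->open_windows >= d->budget) return PROMPT_FAILED;
    d->open_windows++;
    return user_answer;
}

/* Vulnerable decision: "download unless the user pressed Cancel".
 * PROMPT_FAILED (0) is not IDCANCEL, so a prompt that never appeared
 * silently allows the action. */
static bool vulnerable_should_run(int rc) {
    return rc != IDCANCEL;
}

/* Fail-closed decision: act only on explicit consent. 0 (no dialog) and
 * every non-consenting button fall through to "deny". */
static bool hardened_should_run(int rc) {
    return rc == IDYES || rc == IDOK;
}

struct flood_result {
    int prompts_shown;
    int executed;
};

/* Replays an experiment: pre-open `preopened` attacker windows, then request
 * `n` download prompts against a user who never consents (always Cancel). */
static struct flood_result replay(int preopened, int n, bool fail_closed) {
    struct desktop d = { 0, WINDOW_BUDGET };
    struct flood_result r = { 0, 0 };
    open_windows(&d, preopened);
    for (int i = 0; i < n; i++) {
        int rc = consent_prompt(&d, IDCANCEL);
        if (rc != PROMPT_FAILED) r.prompts_shown++;
        bool run = fail_closed ? hardened_should_run(rc)
                               : vulnerable_should_run(rc);
        if (run) r.executed++;
    }
    return r;
}

int main(void) {
    struct flood_result v = replay(0, 200, false);
    struct flood_result h = replay(0, 200, true);
    printf("vulnerable check: %d prompts shown, %d payloads executed\n",
           v.prompts_shown, v.executed);
    printf("fail-closed check: %d prompts shown, %d payloads executed\n",
           h.prompts_shown, h.executed);
    return 0;
}
```

Requesting 200 prompts against the modelled budget shows 180 prompts and executes 20 payloads under the vulnerable check, the same shape as experiment 1 (183 prompts, 17 executables), and 0 under the fail-closed check. The point for a practitioner is the direction of the comparison: test for the consenting button id, never for the absence of Cancel, and treat a 0 return from MessageBox() (GetLastError() says why) as a denial.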

Experiment Tool

download here

Experiment Record

--------------------------------------------
OS:
Windows XP Professional

MSIE:
6.0.2800.xpclnt_qfe.021108-2107
SP1, latest patch
on 03/05/30(Y/M/D)
--------------------------------------------
[experiment.1]
(1)open PopupKit, choose: DOWNLOAD PROMPTS:200/execute
[*]RESULT:
(183 download prompts are created successfully) AND (17 EXEs are executed)

[experiment.2]
(1)open PopupKit, choose: MODELESSDIALOG:200/execute
[*]RESULT:
200 modelessdialogs are created successfully
(2)DOWNLOAD PROMPT:150/execute
[*]RESULT:
(117 download prompts are created successfully) AND (30 EXEs are executed)

[experiment.3]
(1)open PopupKit, choose: NOTEPAD WINDOWS:200/execute
[*]RESULT:
(180 notepad windows are created) AND (some menus are missing)
(2)MODELESSDIALOG: 200/execute;
[*]RESULT:
only one modeless dialog is created

(no more window will be able to pop up)

[experiment.4]
(0)remove 3721 ("Chinese keyword system", an ActiveX control shipped with an uninstall function)
(0.1)open PopupKit and 94-Install3721
[*]RESULT:
ActiveX warning pops up
(0.2)choose NO
[*]RESULT:
ActiveX 3721 is not installed

(1)NOTEPAD WINDOWS:175/execute
[*]RESULT:
175 notepad windows are created successfully.
(2)MODELESS DIALOG:200/execute
[*]RESULT:
only 4 modeless dialogs are created
(3)(refresh 94-Install3721) AND (wait until the page is loaded)
[*]RESULT:
(No ActiveX warning pops up) AND ((start menu has a new item "3721") --> (ActiveX 3721 is installed))


hint:
in "[experiment.4](1)", "175" is chosen according to the prior result "180" in "[experiment.3](1)[*]"


--------------------------------------------
OS:
Windows XP Professional

MSIE:
6.0.2800.xpclnt_qfe.021108-2107,SP1, latest patch on 03/05/30(Y/M/D)
(SP1;Q813489;Q330994)

(Both OS and MSIE are the CN version)

all pages are reached at http://umbrella/
(an intranet domain)

let's do [experiment.4] again:
--------------------------------------------
[experiment.5]
(0)remove 3721 ("Chinese keyword system", an ActiveX control shipped with an uninstall function)
(0.1)open PopupKit and 94-Install3721
[*]RESULT:
ActiveX warning pops up
(0.2)choose NO
[*]RESULT:
ActiveX 3721 is not installed

(1)NOTEPAD WINDOWS:200/execute
[*]RESULT:
171 notepad windows are created successfully.
(2)MODELESS DIALOG:200/execute
[*]RESULT:
only 1 modeless dialog is created
(3)(refresh 94-Install3721) AND (wait until the page is loaded)
[*]RESULT:
(No ActiveX warning pops up) AND ((start menu has a new item "3721") --> (ActiveX 3721 is installed))


================================
send feedback to
liudieyuinchina@yahoo.com.cn
domex.int.tc
================================