Pretty interesting and imaginative way to exploit the flaw in IE…yeah I know linked to ActiveX again, all the more reason to use Firefox right?
It just shows that the browser really is a point of entry, this could be useful for a penetration test, another way to show how easy it is to get in via internet explorer, the frequency with which IE exploits have been coming out recently is scarier than normal.
A particular scenario was identified that involved the exploitation of the modal ActiveX prompt delivered by some systems. The user is asked to type a certain string of characters (ala captcha). A prompt will be displayed (hopefully during the time the user is typing the string) to install the Microsoft Surround Video Control.
If you’re still typing the “captcha” when the prompt appears, you’ll install the control. This works as advertised against all systems EXCEPT Windows XP SP2 and Windows Server 2003 SP1. If the software you install hoses your box, just remember that it’s signed by Microsoft. In
other words… don’t look at me.
You can check the PoC here:
It just crashes IE for me, I’m not sure if it’s a null pointer or what, but I’m sure there’s some way to exploit it to take over the machine, it’s a another vulnerability, which usually can be mashed together with a couple of others to get complete control.
By Matthew Murphy spotted on Vulnwatch
Recent in Exploits/Vulnerabilities:
- Evernote Hacked – ALL Users Required To Reset Passwords
- Apple, Facebook & Hundreds More Hacked By 0-Day Java Exploit
- Weevely – PHP Stealth Tiny Web Shell
- Chrome and Firefox Face Clickjacking Exploit
- MS12-020 RDP Exploit Code In The Wild
- US Investigators Pinpoint Author Of Google Attack Code
Most Read in Exploits/Vulnerabilities:
- Learn to use Metasploit – Tutorials, Docs & Videos - 218,448 views
- AJAX: Is your application secure enough? - 117,833 views
- eEye Launches 0-Day Exploit Tracker - 84,866 views