Proof of Concept for Internet Explorer Modal Dialog Exploit

Use Netsparker


Pretty interesting and imaginative way to exploit the flaw in IE…yeah I know linked to ActiveX again, all the more reason to use Firefox right?

It just shows that the browser really is a point of entry, this could be useful for a penetration test, another way to show how easy it is to get in via internet explorer, the frequency with which IE exploits have been coming out recently is scarier than normal.

A particular scenario was identified that involved the exploitation of the modal ActiveX prompt delivered by some systems. The user is asked to type a certain string of characters (ala captcha). A prompt will be displayed (hopefully during the time the user is typing the string) to install the Microsoft Surround Video Control.

If you’re still typing the “captcha” when the prompt appears, you’ll install the control. This works as advertised against all systems EXCEPT Windows XP SP2 and Windows Server 2003 SP1. If the software you install hoses your box, just remember that it’s signed by Microsoft. In
other words… don’t look at me.

You can check the PoC here:

Proof of Concept for IE Modal Dialog Issue

It just crashes IE for me, I’m not sure if it’s a null pointer or what, but I’m sure there’s some way to exploit it to take over the machine, it’s a another vulnerability, which usually can be mashed together with a couple of others to get complete control.

By Matthew Murphy spotted on Vulnwatch

Posted in: Exploits/Vulnerabilities, Windows Hacking

, , , ,


Latest Posts:


Acunetix v12 - Pause & Resume Acunetix v12 – More Comprehensive More Accurate & 2x Faster
Acunetix, the pioneer in automated web application security software, has announced the release of Acunetix v12 - more comprehensive, accurate & 2x faster.
CloudFrunt - Identify Misconfigured CloudFront Domains CloudFrunt – Identify Misconfigured CloudFront Domains
CloudFrunt is a Python-based tool for identifying misconfigured CloudFront domains, it uses DNS and looks for CNAMEs which may be allowed to be associated with CloudFront distributions.
Airbash - Fully Automated WPA PSK Handshake Capture Script Airbash – Fully Automated WPA PSK Handshake Capture Script
Airbash is a POSIX-compliant, fully automated WPA PSK handshake capture script aimed at penetration testing, it is compatible with Bash and Android Shell.
XXEinjector - Automatic XXE Injection Tool For Exploitation XXEinjector – Automatic XXE Injection Tool For Exploitation
XXEinjector is an XXE Injection Tool that automates retrieving files using direct and out of band methods. Directory listing only works in Java applications.
Yahoo! Fined 35 Million USD For Late Disclosure Of Hack Yahoo! Fined 35 Million USD For Late Disclosure Of Hack
Ah Yahoo! in trouble again, this time the news is Yahoo! fined for 35 million USD by the SEC for the 2 year delayed disclosure of the massive hack, we actually reported on the incident in 2016 when it became public.
Drupwn - Drupal Enumeration Tool & Security Scanner Drupwn – Drupal Enumeration Tool & Security Scanner
Drupwn is a Python-based Drupal Enumeration Tool that also includes an exploit mode, which can check for and exploit relevant CVEs.


5 Responses to Proof of Concept for Internet Explorer Modal Dialog Exploit

  1. mozzy May 2, 2006 at 12:20 pm #

    Hey there,
    Well I am not a fan of IE either but dude….c’mon “This works as advertised against all systems EXCEPT Windows XP SP2 and Windows Server 2003 SP1.”

    Don’t you think that all earlier versions of browsers (systems) have flaws that you could test around with if not the needed updates are installed? Which user in the right mind does not have XP SP2 on the machine (if he installed windows at all).

    However, I enjoy reading your blog…lots of interesting and funny stuff here. This was the only post that kept me thinking that it is kinda wrong ;)

    It is like stabbing in open wounds xD

  2. Darknet May 2, 2006 at 5:05 pm #

    mozzy: Well I’m still still using Windows 2000 as are a lot of people I know as we MUCH prefer it to Windows XP (raw sockets pls?)

    And I know quite a lot of people with older computers running Windows98, not everyone can afford the latest hardware.

    So I’m pretty sure it still effects a significantly large demographic, and it crashed my IE on XP SP2 anyway..

    Sorry to be outdated ;)

  3. mozzy May 3, 2006 at 6:03 am #

    he he
    well… don’t know what to say…
    would you run a red hat version without neccessary security updates?

    i wouldn’t thought so…

    but you’re right. It bothers me too that XP requires quiet some hardware (though i was running XP SP 2 on a Celeron 2.4 with 128 RAM without severe problem thanks to the ability to disable all styles and animations)

    but what is really interesting is that it crashed IE with you on XP SP2 though the article says that it is not affected…are you maybe missing updates?

    anyway…
    I am going to make my own system…with black jack and hookers :P

    however about the Raw sockets issue i found you two very interesting articles :)

    http://grcsucks.com/mirror/SocketToMe.htm
    Talks about how to fix this issue in XP AND 200 ;)

    http://grc.com/dos/xpconference.htm
    Talks about how microsoft does not really care about these issues xD

    The later article is interesting butnot really useful whereas the first one helps you to secure your system (if don’t know already ;) )

    sorry for double posting…
    but i just found this one regarding raw sockets

    http://grc.com/dos/
    The article wit the title “Microsoft Removes Raw Sockets from XP”

    Updates, updates, updates…

    ;)

  4. Darknet May 3, 2006 at 6:24 am #

    Well my Win2k is fully up to date..as up to date as it can be anyway.

    A Celeron 2.4 is a very powerful machine relatively…I’m talking about those computers like Pentium II 333mhz. How can those run Windows XP?

    And yes people are still using such machines.

    Yah I’m pretty sure the XP SP2 has all updates, as it even has the stupid Genuine Advantage thing installed, which was only last week.

    Try not to quote GRC.com if you can, most people in the security industry think Steve Gibson is a raving lunatic ;)

    He does have some good coverage on the raw sockets issue though. But why hack the OS to give back some functionality you shouldn’t have lost in the first place?

    Luckily the new nmap compensates the problem with the ability to send Ethernet frames.

  5. mozzy May 3, 2006 at 6:33 am #

    Maybe this one helps for those who would like to run XP on a “weak” machine :)

    http://www.winhistory.de/more/386/xpmini_eng.htm