Just arbitrary coolness regarding Microsoft's Threat Modeller. It's XSS-ible...
Since this all works in file:///, I'm not overly sure what the benefits of these things will be, but I suppose since different folks may have different privilege levels for different protocol handlers (i.e. file://, http://, etc.), one might be able to instantiate previously unusable OCXs, or even redirect to a site for exploiting browser vulnerabilities.
It never happened unless there are pictures, so refer below...
A little further playing, along with some vulnerable ActiveX controls, and we find ourselves with a nice mechanism for getting remote code execution... :)
Finally, a little update. After reporting the issue to email@example.com, we get a response from Nate mentioning the following:
"Thank you again for bringing this to our attention. Given that this product has been deprecated, the MSRC won't open a case to investigate the issue. I am however going to contact the Download Center and see if we can get the download removed since new tools/versions are available. If you find the same or other issues in the current version/tool please let us know. If you have any questions or concerns please let me know."
A subsequent Google for the Microsoft Threat Modeling (sic) Tool this morning provides the following...
The first link is the package we're looking for. Clicking on the Cached page, we get:
Clicking on the "really-real" link, we get the following...
a) was the politely dropped Kaminsky Firefox bug [http://lists.grok.org.uk/pipermail/full-disclosure/2009-September/070620.html]
It still requires a click for command execution, but considering it's multi-platform Firefox ownage sans shellcode, I think it's cool. I think it's even cooler that Dan dropped it sans any fanfare.
From the post:
"we get lucky here as well in that there is a pointer srv!pSrvStatistics which also points to srvnet!SrvNetStatistics, and counts the number of requests that have been made to a specific call (as well as other things).
So the technique here is to firstly increment srvnet!SrvNetStatistics to be ffe6, ffd6, or 56c3 (jmp esi, call esi, push esi -> ret). Then we set ProcessHighID to a value that when multiplied by four and added to the base address of ValidateRoutines pushes us outside of srv2.sys and into srvnet.sys where we then end up dereferencing the pointer to srvnet!SrvNetStatistics. This now transfers control to the data in our packet which we can massage to gain execution.
Sure, it only cost $29, but when you consider the number of people bowing down and thanking our Cupertino overlords, you have to consider the following:
If the Emperor was given his new clothes today, #emperors_clothes would be trending on Twitter (with people thanking the tailors for reduced closet space requirements).