[Full-Disclosure] RE: How to Break Windows XP SP2 + Internet Explorer 6 SP2

From: Thor Larholm (thor_at_pivx.com)
Date: 10/20/04

    To: <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>, <bugtraq@securityfocus.com>
    Date: Wed, 20 Oct 2004 08:07:10 -0700


    I successfully reproduced this exploit on a fully patched XPSP2
    installation and can verify that malware.htm is planted locally after
    which HTML Help is used to launch it and circumvent the XPSP2 browser
    security improvements, compromising the system.

    However, this exploit did not work on any systems with Qwik-Fix Pro
    installed, from Windows 95 to Windows XP Service Pack 2. A free Home
    edition and a trial Corporate edition are available for download at

    http://www.pivx.com/qwikfixDownload.asp

    Before you can successfully use any Drag'n'Drop technique or script
    shortcuts to plant a file on the local system you first need to be able
    to reference local content. If you cannot reference local contents or
    directories from the Internet zone then you cannot retrieve the window
    handle that is necessary for any Drag'n'Drop exploits or any
    cross-domain scripting exploits.

    IE6SP1 initially blocked all direct references to the file:// and RES://
    protocols which I demonstrated how to circumvent through the OBJECT
    element. This was quickly patched in the next cumulative security update
    and thereby blocked the traditional cross-domain scripting exploits.
    XPSP2 went further and tightened down the Local Machine Zone with the
    recommendations PivX Labs made public in late 2003 so that even if you
    could find a way to reference local content and subsequently inject
    scripting through a cross-domain vulnerability you would not be able to
    accomplish anything. This LMZ lockdown has a per-process exception list
    in which HTML Help is included.

    When the LMZ is locked down attackers have to find alternative attack
    vectors, of which the Drag'n'Drop vulnerability is a prime example. When
    IE renders an IMG element it gives priority to the SRC attribute but
    when IE drops an IMG element on an arbitrary window it gives priority to
    the DYNSRC attribute. If you are able to reference any local content you
    can therefore drop the DYNSRC attribute of the IMG element on the window
    with local content and thereby plant a file on the file system in a
    known location.

    The browser security improvements in XPSP2 do not include further
    restrictions on referencing local content, which is why the Drag'n'Drop
    exploits to this date affect fully patched XPSP2 systems. Qwik-Fix Pro
    restricts local content referencing through a number of means of which
    one is responsible for protecting against this exploit:

    In order for http-equiv's exploit to work the "ceegar.html" file uses
    the AnchorClick behavior to open "C:\WINDOWS\PCHealth\" in a named
    window which is then used as a drop target for the DYNSRC pointing to
    the "malwarez" file. When any behavior in IE tries to list a local
    directory it uses the Shell.Explorer ActiveX object, an object which has
    no justification of use inside the browser but which is heavily used by
    Windows Explorer itself.

    Setting the Kill Bit on the Shell.Explorer ActiveX object prevents IE
    from referencing local directories in a window object, whether it's
    through AnchorClick behavior or some other approach that we discover
    tomorrow. The GUID for Shell.Explorer is
    {8856F961-340A-11D0-A96B-00C04FD705A2} and Knowledge Base article 240797
    (http://support.microsoft.com/?kbid=240797 ) explains how the process
    works.

    PivX Labs released a freely available registry fix that sets the Kill
    Bit on Shell.Explorer almost 2 months ago which can be downloaded from

    http://www.pivx.com/research/freefixes/neutershellexplorer.reg

    For clarity, here are the file contents:

    === neutershellexplorer.reg ===
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{8856F961-340A-11D0-A96B-00C04FD705A2}]
    "Compatibility Flags"=dword:00000400
    === neutershellexplorer.reg ===

    PivX Labs has covered this topic several times before on the Unpatched
    mailing list which receives advance notification of our security
    research, including several Win95-XPSP2 vulnerabilities that will be
    released in the interim future. For more information or to subscribe you
    can visit

    http://unpatched.pivxlabs.com

    Regards

    Thor Larholm
    Senior Security Researcher
    PivX Solutions
    23 Corporate Plaza #280
    Newport Beach, CA 92660
    http://www.pivx.com
    thor@pivx.com
    Stock symbol: (PIVX.OB)
    Phone: +1 (949) 231-8496
    PGP: 0x4207AEE9
    B5AB D1A4 D4FD 5731 89D6 20CD 5BDB 3D99 4207 AEE9

    PivX defines a new genre in Desktop Security: Proactive Threat
    Mitigation.
    <http://www.pivx.com/qwikfix>

    -----Original Message-----
    From: Windows NTBugtraq Mailing List
    [mailto:NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM] On Behalf Of
    http-equiv@excite.com
    Sent: Wednesday, October 20, 2004 5:36 AM
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    Subject: How to Break Windows XP SP2 + Internet Explorer 6 SP2

    Snip
    http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0410&L=ntbugtraq
    &F=P&S=&P=10781

    Snip http://tinyurl.com/4xeww

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
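As an added example, not part of Thor Larholm's post or of PivX's tooling: a small Python script that parses a regedit export (.reg) of the "ActiveX Compatibility" key and reports which CLSIDs carry the kill bit, i.e. bit 0x400 of the "Compatibility Flags" DWORD as described in KB 240797. It handles the backslash line continuations regedit writes and flag values that combine the kill bit with other bits (for example 0x401). The Shell.Explorer CLSID is the one quoted in the post; the other two CLSIDs and the whole sample export are constructed for illustration and do not refer to real controls.

```python
import re

# Kill bit per KB 240797: bit 0x400 of the "Compatibility Flags" DWORD under
# HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
KILL_BIT = 0x00000400
ACTIVEX_COMPAT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"

# CLSID of Shell.Explorer, as quoted in the post above
SHELL_EXPLORER_CLSID = "{8856F961-340A-11D0-A96B-00C04FD705A2}"


def _unwrap_continuations(text):
    """Join value lines that regedit wraps with a trailing backslash."""
    return re.sub(r"\\\r?\n\s*", "", text)


def parse_reg_compat_flags(reg_text):
    """Return {CLSID: flags} for every ActiveX Compatibility subkey in a .reg export."""
    flags = {}
    current = None
    prefix = ACTIVEX_COMPAT_KEY + "\\"
    for raw in _unwrap_continuations(reg_text).splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or .reg comment
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.lower().startswith(prefix.lower()):
                current = key[len(prefix):].upper()
                flags.setdefault(current, 0)      # key present, no value yet
            else:
                current = None                    # some unrelated key
            continue
        if current is None:
            continue
        m = re.match(r'"Compatibility Flags"\s*=\s*dword:([0-9a-fA-F]{1,8})$', line)
        if m:
            flags[current] = int(m.group(1), 16)
    return flags


def kill_bit_set(flags_value):
    """True if the kill bit is among the flags (other bits may be set too)."""
    return bool(flags_value & KILL_BIT)


def killed_clsids(reg_text):
    """Sorted list of CLSIDs whose kill bit is set in the export."""
    return sorted(c for c, v in parse_reg_compat_flags(reg_text).items() if kill_bit_set(v))


# Constructed sample export (hypothetical, not taken from a real system).
# The two all-zero CLSIDs are placeholders, not real controls.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

; constructed sample export
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{8856F961-340A-11D0-A96B-00C04FD705A2}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000002}]
"Compatibility Flags"=dword:00000401
"""

if __name__ == "__main__":
    for clsid, value in sorted(parse_reg_compat_flags(SAMPLE_REG).items()):
        state = "KILL BIT SET" if kill_bit_set(value) else "not killed"
        print(f"{clsid}  flags=0x{value:08X}  {state}")
    print("Shell.Explorer killed:", SHELL_EXPLORER_CLSID in killed_clsids(SAMPLE_REG))
```

The export to feed it is produced on a Windows host with `regedit /e` on the ActiveX Compatibility key; on a live system the same value can also be read directly with `Get-ItemProperty` on that key. Checking the bit with `&` rather than comparing the DWORD to 0x400 matters because the kill bit is routinely combined with other compatibility flags.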
