[Full-disclosure] PoC for Internet Explorer Modal Dialog Issue



-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Dear Lists:

Apparently I wasn't clear enough with this paragraph of my advisory, or
a sizeable portion of the list readership elected to ignore it:

"A malicious user could create content that would request the user to
click an object or press a sequence of keys. By delivering a security
prompt during this process, the site could subvert the prompting and
obtain permission for actions that were not necessarily authorized."

It seemed fairly clear to me, but apparently it sounded better to me
than it did to some readers. :-(

Basically, the scenario for the vulnerability is as follows:

* Ask for user input that is predictable (mouse clicks, text string with
the letter 'y', etc.)

* Display a modal security prompt that will "eat" that input and treat
it as a "Permit" answer to the security prompt.

The result: compromise of security, potentially including arbitrary code
execution.

A particular scenario was identified that involved the exploitation of
the modal ActiveX prompt delivered by some systems. The user is asked
to type a certain string of characters (ala captcha). A prompt will be
displayed (hopefully during the time the user is typing the string) to
install the Microsoft Surround Video Control.

If you're still typing the "captcha" when the prompt appears, you'll
install the control. This works as advertised against all systems
EXCEPT Windows XP SP2 and Windows Server 2003 SP1. If the software you
install hoses your box, just remember that it's signed by Microsoft. In
other words... don't look at me.

Other prompts on XP SP2 and 2003 SP1 are exploitable for various gains
as well. Virtually any prompt that wasn't commonly displayed on a web
page prior to these updates is still handled via the (risky) modal
dialog model. One example is the "Allow Paste Operations via Script"
prompt that is displayed when a web page attempts to access the
clipboard. Another example is "Initialize and Script ActiveX controls
not marked as safe" prompt, which is somewhat mitigated by LMZ lockdown.

All of those cases are exploitable in the same way as this one -- you
simply have to change the "unsafe" action. Rather than having a page
generate an ActiveX install, for instance, you could have it try to
sniff the clipboard, initiate install-on-demand, or some other suspect
action. The ability to cause the action to be approved silently is
achieved the same way -- having a user unwittingly enter a 'Y' to the
prompt.

As you might notice, the exploit vector is virtually identical to that
of MS05-054. I'm beginning to wonder if maybe it isn't the triviality
of the remaining issues making them hard for people to envision. After
all, Jesse Ruderman provides all of the theory and Secunia even
demonstrates it for us with the file download dialog exploit code. The
follow-up attack to such precise, detailed research is not a terribly
creative one -- it merely involves piecing together what somebody else
missed, ignored or didn't research to its full depth. This is a really
easy class of attack to eliminate completely when compared to other more
insidious attack vectors, and I expect that this process will eventually
happen.

Note that the standard disclaimer (that your use of this is at your own
risk) still applies. Perhaps more so this time, because there's
Microsoft code coming down along with the exploit. Not to say that my
code is less buggy than Microsoft's (at least, not if I wrote a few
billion lines of it) rather that it's third-party software and may be
subject to unforeseen security risks, incompatibilities or other
maladies (ala COM Object Instantiation or MS06-015).

--
"Social Darwinism: Try to make something idiot-proof,
nature will provide you with a better idiot."

-- Michael Holstein

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB5444D38

iD8DBQFEULsifp4vUrVETTgRA+22AKCl1mkmE5EVB2R+Nv+H64VynQccmQCcCPMx
oGy6Mz4Lcoj7ZyPhQ+LEB2I=
=+LbS
-----END PGP SIGNATURE-----
Title: Internet Explorer ActiveX Installation Vulnerability
Please enter the text you see on the left:

on3l1y6y8y5y
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/