Patched IE still executes code with ADODB patch

From: David Nowak (dnowak_at_UDEL.EDU)
Date: 07/07/04

    Date:         Tue, 6 Jul 2004 18:35:47 -0400
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    Check out this German site that shows an example of IE loading a command prompt doing a "dir /p",
    seemingly if the IE Internet zone is set to almost anything less than HIGH.

    (I was shown this by a German person and displayed the site using Google's translator)

    This demo starts cmd.exe with the command "dir /p". It could just as well delete files, however. The
    demo is a variation of an earlier one, but uses Shell.Application instead of ADODB.Stream.

    http://translate.google.com/translate?u=http%3A%2F%2Fwww.heise.de%2Fsecurity%2Fdienste%2Fbrowsercheck%2Fdemos%2Fie%2Fe5_22.shtml&langpair=de%7Cen&hl=en&ie=UTF-8&safe=off&ie=UTF-8&oe=UTF-8&prev=%2Flanguage_tools

    click on "Run demo" (rendered as "Demo implement" by the translator)

    It appears to still be a major security hole!
    ==============================================

    FROM WEBPAGE:
    ==============

    Demo: Starting programs via Shell.Application

    Internet Explorer works with a zone model. Depending on the security zone, scripts have different
    rights. Due to bugs in IE, however, scripts can repeatedly obtain the rights of higher zones by
    devious means. The most recent exploits mostly used ADODB.Stream to install files from the net.
    Microsoft prevented this with a configuration change (update). However, security holes remain open
    through which web pages can attain the rights of the "Local Computer" zone. In this zone scripts
    have access to the ActiveX object Shell, i.e. Shell.Application.

    It is not yet clear whether this makes it possible to install programs without user interaction;
    but crackers always know how to cause damage. For instance, the ShellExecute method lets them start
    arbitrary programs that are already installed. Via the command-line interpreter cmd.exe an attacker
    could, for example, delete all files.

    Demo
    This demo starts cmd.exe with the command "dir /p". It could just as well delete files, however.
    The demo is a variation of an earlier one, but uses Shell.Application instead of ADODB.Stream.

    The demo currently works under Windows XP; for Windows 2000 a path would have to be adapted. If the
    demo works, a window with a command prompt ("DOS box") appears. If this window does not appear, the
    demo did not work.

    Run demo

    Remedy:
    So far no patch from Microsoft is known to us. Switching off Active Scripting prevents the
    execution of the exploits, but means that many web pages no longer work.

    Your anti-virus program may detect a virus in the demo and offer to prevent its execution. This
    kind of protection does not work reliably, however. Malicious sites use encoded JavaScript, so many
    AV programs can no longer detect the suspicious operations.

    =======================================
    David Nowak
    CITA III Physics & Astronomy
    222 Sharp Lab
    Newark, DE 19716

    -----
    NTBugtraq Editor's Note:

    Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field.
    -----
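The heise page makes two points that a defender can act on: the dangerous capability is an ActiveX ProgID (Shell.Application, earlier ADODB.Stream) reached from script, and AV signature matching on the raw page fails once the script is encoded. The following Python scanner is an added example, not code from the heise demo or from this post: it peels the two encoding layers the demo era relied on (`unescape("%XX")` / `%uXXXX` and `String.fromCharCode(...)`) before looking for the ProgIDs and methods. The ProgID list, the inclusion of WScript.Shell, the decoding depth limit and all sample pages are assumptions constructed here; real obfuscators use more than these two layers, so treat this as the principle, not a complete detector.

```python
import re

# ProgIDs/methods named on the heise page (ADODB.Stream, Shell.Application,
# ShellExecute). WScript.Shell and SaveToFile are assumptions added here
# because they give the same "write/run a local program" capability.
SUSPICIOUS_PROGIDS = ("ADODB.Stream", "Shell.Application", "WScript.Shell")
SUSPICIOUS_METHODS = ("ShellExecute", "SaveToFile")

_PCT = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")
_FROMCHARCODE = re.compile(r"String\.fromCharCode\(([^)]*)\)")


def _decode_percent(s):
    """Decode JScript unescape()-style %XX and %uXXXX sequences."""
    return _PCT.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def _decode_fromcharcode(s):
    """Replace String.fromCharCode(a,b,c) with the literal string it builds."""
    def sub(m):
        codes = [c.strip() for c in m.group(1).split(",") if c.strip()]
        try:
            return '"' + "".join(chr(int(c, 0)) for c in codes) + '"'
        except ValueError:            # not a plain numeric list; leave it
            return m.group(0)
    return _FROMCHARCODE.sub(sub, s)


def decode_layers(script, max_rounds=5):
    """Repeatedly peel percent/fromCharCode layers until nothing changes."""
    current = script
    for _ in range(max_rounds):
        nxt = _decode_fromcharcode(_decode_percent(current))
        if nxt == current:
            break
        current = nxt
    return current


def scan_html(html):
    """Return the set of suspicious ProgIDs/methods visible after decoding."""
    decoded = decode_layers(html).lower()
    return {n for n in SUSPICIOUS_PROGIDS + SUSPICIOUS_METHODS
            if n.lower() in decoded}


def percent_encode(s):
    """Encode ASCII text the way escape() would, for building test pages."""
    return "".join("%%%02X" % ord(ch) for ch in s)


# Constructed sample pages (assumptions, not the heise demo's actual source).
# The payload mirrors what the page describes: Shell.Application.ShellExecute
# starting cmd.exe with "dir /p".
DEMO_JS = ('var sh = new ActiveXObject("Shell.Application");\n'
           'sh.ShellExecute("cmd.exe", "/k dir /p", "", "open", 1);')
PLAIN_DEMO = "<script>" + DEMO_JS + "</script>"
ENCODED_DEMO = ('<script>eval(unescape("' + percent_encode(DEMO_JS)
                + '"))</script>')
# "Shell.Application" spelled out as character codes
FROMCHARCODE_JS = ("var o = new ActiveXObject(String.fromCharCode("
                   "83,104,101,108,108,46,65,112,112,108,105,99,97,116,105,111,110));")
FROMCHARCODE_DEMO = "<script>" + FROMCHARCODE_JS + "</script>"
# two layers: fromCharCode inside unescape
DOUBLE_DEMO = ('<script>eval(unescape("' + percent_encode(FROMCHARCODE_JS)
               + '"))</script>')
BENIGN = '<script>document.getElementById("x").innerHTML = "hello";</script>'


if __name__ == "__main__":
    for name, page in (("plain", PLAIN_DEMO), ("unescape", ENCODED_DEMO),
                       ("fromCharCode", FROMCHARCODE_DEMO),
                       ("double", DOUBLE_DEMO), ("benign", BENIGN)):
        print("%-13s %s" % (name, sorted(scan_html(page))))
```

A plain substring match on the raw page catches only the first sample; the other three only light up after `decode_layers` has run, which is exactly the gap the page describes between signature-based AV and encoded JavaScript. Disabling Active Scripting, as the page recommends, removes the script engine that would perform that decoding in the first place.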

