Subject: Re: IE 5 and Access 2000 vulnerability - executing programs
From: Jesper M. Johansson (jjohanssBU.EDU)
Date: Wed Jun 28 2000 - 07:00:05 CDT


>Sorry Georgi, but I get warnings and errors from your example. The first of
>which is: "You don't have a source code control program (such as Microsoft
>Visual SourceSafe) installed on your machine.

I can't replicate that. I recoded the exploit for WinNT and to take out the
warning. I tried it both on a system that has VSS and one that doesn't (but
only with my recoded exploit) and it works fine.

>Access is trying to start wordpad.exe

This is hard-coded into the exploit. I just recoded it and took that out.
Works like a charm!

>which (when I click ok) returns an
>error : "Invalid procedure call or argument".

It should say "file not found." Again, yes, the sample is specifically
designed for Win98. Wordpad does not exist in that location on NT 4 or 5.
However, after I recoded the exploit to work on Winnt, it works silently,
and without needing VSS installed. This is REALLY dangerous.

I also discovered a SERIOUS problem here. I have IE set to prompt on running
ActiveX controls. It does prompt me; but not until AFTER it already
downloaded and opened the Access database. Even disabling ActiveX controls
altogether does not solve this! Disabling Active Scripting does not help.
Let me put this another way: there appears to be no way to use the security
settings in IE to guard against this problem!

Jesper M. Johansson
