Systems Affected: Internet Explorer 6.0.2800 (6.x?)
Remotely exploitable: Yes
Author: Marek Bialoglowy (System Integra - mb@systemintegra.com)
Attached files: dmz2.rar (archive password: zones)
Note: This is part of my research and the purpose of this post is to consult the results and the potential vulnerability with the wider group of security experts.

--------

# Introduction

I've found a sample VB script created by a person using the nickname 'netric', which creates a large number of FRAMEs in Internet Explorer and mass-executes 'telnet://www.microsoft.com:80' requests. I believe this dangerous VBS script is known to everyone already (AVP recognizes it as Trojan.VBS.IFram). Well, I believe it is the right moment to inform Bugtraq about a potentially critical vulnerability in Internet Explorer version 6 (maybe 5.5 also?), which, used together with this script (version modified by me: the dmz2.html file), could provide an easy way to intrude on a large number of workstations on a LAN. I found this security problem while doing research on techniques for delivering passive Trojan executables through Outlook Express and Internet Explorer - anyway, very advanced Trojans (project "UTP" for people familiar with this name).

# Vulnerability

I've noticed that in my test environment it is possible to bypass Internet Explorer Zones protection by flooding it with a large number of file:// requests, for example to an infected fileserver. The result of this bypass is EXECUTION OF ANY REQUESTED FILE. My requested file was 'trojan.exe' placed on a neighbouring WIN2K Professional workstation. To see the code used during the test, check the files in the attached archive. On IE 6.0 the result was always the same: after more than 200 dialog boxes with the 'trojan.exe' request, suddenly the requested file got executed.
For the purpose of this test I used two Win2K and WinXP workstations with Internet Explorer 6.0.2800.1106 (I believe that's the most recent version of IE), and on both workstations opening the 'dmz1.html' file through a LAN share resulted in executing the 'trojan.exe' application. My Internet Security Zone was set to "MEDIUM". Internet Explorer 5.x doesn't seem to be vulnerable. I didn't have a chance to test it on other versions of IE 6.x different from 6.0.2800. One person reported to me that this bug has not affected IE 6.0.2600.

# Exploitation

Well, to make it short: the possibility of giving our evil HTML file a .jpg extension, so our "dmz2.html" becomes "photo1.jpg", dramatically increases the scale of the vulnerability. I don't think any Internet Explorer user suspects a threat from a simple .jpg file?!? It is also quite hard to stop all these windows suddenly popping up due to the executed VBscript. I believe people are actually expecting quite a high threat from browsing websites (in this case we can use the dmz1.html exploit) using IE, and rather don't expect anything harmful from connecting to a http://somewhere.com/pics/photo1.jpg URL (right?). I will also mention that it requires at least 200 request windows to pop up, so if the user kills the iexplorer.exe process before 200 requests have popped up, then the attack won't be successful. I think the best method of exploitation is to use VBscript opening the file requests rather than a single file with the requests as SRC of FRAMEs. The presented methods are just a few of many other techniques which could be used to exploit this vulnerability. I don't see a potential threat coming from the Internet, because this little thing requires executing > 200 windows, which will be quite hard on a standard Internet connection. I believe this vulnerability is dangerous mostly on a LAN, oh and certainly it can allow executing any local file from the Internet (I was not able to execute a local file on WinXP).

# Solution

Well, wait for patches?
Other browsers are probably not vulnerable (checked on Opera). You can also set the Security Zone to HIGH. Oh, and the dangerous VBS script is recognized by AVP and some other antivirus software, so this is already part of the solution.

--------

Anyway, I am waiting for feedback to confirm my results. Thank you.

PS: Regards to segfault.net and the "Lam3rz" group for the interesting knowledge exchange.

Best Regards,
Marek Bialoglowy (mb@systemintegra.com)
Information Security Expert
PGPkey: http://www.systemintegra.com/pgp/ultor.asc | ID: 0x4B36656E
JOB: (CTO) System Integra | JKT, Indonesia | Timezone: JAVT, GMT +7

[Attachment: dmz.rar]
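An added check (by the editor, not from the original post or its attachments) for the mitigation given in the Solution section: it reads the documented Internet Explorer zone settings for the Internet zone (Zone 3) and reports whether the zone is at High, the level the post recommends. It assumes the current user's HKCU settings are the ones in effect (not overridden by HKLM policy) and uses the documented CurrentLevel encodings and action id 1806 ("Launching applications and unsafe files").

```powershell
# Added example: audit the IE Internet zone (Zone 3) security level.
# Assumption: per-user settings under HKCU are the ones in effect.
$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Documented CurrentLevel encodings of the built-in zone templates
$levels = @{
    0x12000 = 'High'
    0x11000 = 'Medium'
    0x10500 = 'Medium-Low'
    0x10000 = 'Low'
}

function Get-InternetZoneStatus {
    $zone  = Get-ItemProperty -Path $zonePath -ErrorAction Stop
    $level = [int]$zone.CurrentLevel
    $name  = if ($levels.ContainsKey($level)) { $levels[$level] } else { 'Custom/Unknown' }

    # Action 1806 = "Launching applications and unsafe files":
    # 0 = enable, 1 = prompt, 3 = disable. The High template disables it.
    $launch      = $zone.PSObject.Properties['1806']
    $launchValue = if ($launch) { [int]$launch.Value } else { $null }

    [pscustomobject]@{
        CurrentLevel     = ('0x{0:X}' -f $level)
        LevelName        = $name
        LaunchUnsafe1806 = $launchValue
        IsHigh           = ($level -eq 0x12000)
    }
}

$status = Get-InternetZoneStatus
$status | Format-List
if (-not $status.IsHigh) {
    Write-Warning 'Internet zone is below High; raise it via Internet Options > Security or Group Policy.'
}
```

Raising the level through the Internet Options dialog or Group Policy applies the whole High template (including action 1806); writing CurrentLevel alone does not.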