
Flooding Internet Explorer 6.0.2800 (6.x?) security zones ! CRITICAL


Systems Affected : Internet Explorer 6.0.2800 (6.x?)
Remotely exploitable: Yes
Author: Marek Bialoglowy (System Integra - mb@systemintegra.com)
Attached files: dmz2.rar (archive password:zones)

Note: This is part of my research and the purpose of this post is to consult
results and potential vulnerability with the wider group of security


# Introduction

I've found a sample VB script, created by a person using the nickname 'netric',
that creates a large number of FRAMES in Internet Explorer and mass executes
'telnet://www.microsoft.com:80' requests. I believe this dangerous VBS
script is known to everyone already (AVP recognizes it as
Trojan.VBS.IFram). Well, I believe it is the right moment to inform Bugtraq
about a potentially critical vulnerability in Internet Explorer version 6
(maybe 5.5 also?), which, used together with this script (version modified
by me: dmz2.html file), could provide an easy way to intrude on a large number
of workstations on a LAN. I found this security problem while doing research
on techniques of delivering passive Trojan executables through Outlook
Express and Internet Explorer - anyway, very advanced Trojans (project "UTP"
for people familiar with this name).

# Vulnerability

I've noticed that in my test environment it is possible to bypass Internet
Explorer Zones protection by flooding it with a large number of file://
requests, for example to an infected fileserver. The result of this bypass is
EXECUTION OF ANY REQUESTED FILE. My requested file was 'trojan.exe' placed
on a neighbouring WIN2K Professional workstation. To see the code used during
the test, check the files in the attached archive.

On IE 6.0 the result was always the same: after more than 200 dialog boxes
with the 'trojan.exe' request, the requested file suddenly got executed. For
the purpose of this test I used two Win2K and WinXP workstations with
Internet Explorer 6.0.2800.1106 (I believe that's the most recent version of
IE), and on both workstations opening the 'dmz1.html' file through a LAN share
resulted in executing the 'trojan.exe' application. My Internet Security Zone
was set to "MEDIUM".

Internet Explorer 5.x doesn't seem to be vulnerable. I didn't have a chance
to test it on versions of IE 6.x other than 6.0.2800. One person
reported to me that this bug has not affected IE 6.0.2600.

# Exploitation

Well, to make it short: the possibility of giving our evil HTML file a .jpg
extension, so our "dmz2.html" becomes "photo1.jpg", dramatically increases
the scale of the vulnerability. I don't think any Internet Explorer user is
suspecting a threat from a simple .jpg file ?!? It is also quite hard to stop
all these windows suddenly popping up due to the executed VBscript. I believe
people are actually expecting quite a high threat from browsing websites (in
this case we can use the dmz1.html exploit) using IE and rather don't expect
anything harmful from connecting to the http://somewhere.com/pics/photo1.jpg
URL (right?). I will also mention that it requires at least 200 request
windows to pop up, so if the user kills the iexplorer.exe process before 200
requests pop up then the attack won't be successful. I think the best method of
exploitation is to use VBscript opening the file requests rather than a
single file with requests as SRC of FRAMEs. The presented methods are just a few
of many other techniques which could be used to exploit this
I don't see potential threat coming from Internet, because this little thing
requires executing > 200 windows which will be quite hard on standard
Internet connection. I believe this vulnerability is dangerous mostly on
LAN, oh and certainly it can allow executing any local file from Internet (I
was not able to execute local file on WinXP).

# Solution

Well, wait for patches ? Other browsers are probably not vulnerable (checked
on Opera). You can also set the Security Zone to HIGH.

Oh and the dangerous VBS script is recognized by AVP and some other
antivirus software, so this is already part of the solution.


Anyways, I am waiting for feedback to confirm my results. Thank you.

PS: Regards to segfault.net and "Lam3rz" group for interesting knowledge

Best Regards,

 Marek Bialoglowy (mb@systemintegra.com) Information Security Expert
 PGPkey: http://www.systemintegra.com/pgp/ultor.asc | ID: 0x4B36656E
 JOB: (CTO) System Integra | JKT, Indonesia | Timezone: JAVT, GMT +7
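
The Exploitation section describes an HTML file renamed to "photo1.jpg" and a page that raises a large number of file:// (or telnet://) requests through FRAMEs or script. A static check for those traits over stored or proxied files, as an added example that is not part of the original post; the threshold of 50, the finding labels and the fileserver.example names are assumptions.

```python
import re

# Leading bytes of genuine image files, keyed by extension.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"), ".png": (b"\x89PNG\r\n\x1a\n",),
}
HTML_TAG = re.compile(rb"<\s*(?:html|body|script|i?frame)\b", re.I)
SCRIPT_TAG = re.compile(rb"<\s*script\b", re.I)
# FRAME/IFRAME whose SRC uses the file: or telnet: scheme.
FRAME_SRC = re.compile(
    rb"<\s*i?frame\b[^>]*?\bsrc\s*=\s*[\"']?\s*(?:file|telnet):", re.I)
SCHEME_REF = re.compile(rb"\b(?:file|telnet)://", re.I)
FRAME_THRESHOLD = 50  # assumed alert level, well below the ~200 requests in the post


def inspect(name, data):
    """Return a list of finding labels for one file (name + raw bytes)."""
    findings = []
    dot = name.rfind(".")
    ext = name[dot:].lower() if dot != -1 else ""
    magic = IMAGE_MAGIC.get(ext)
    # Image extension, no image signature, HTML markup near the start.
    if magic and not data.startswith(magic) and HTML_TAG.search(data[:4096]):
        findings.append("image-extension-html-content")
    frames = len(FRAME_SRC.findall(data))
    if frames >= FRAME_THRESHOLD:
        findings.append("mass-frame-requests:%d" % frames)
    # Script block in a document that also references file:// or telnet://.
    if SCRIPT_TAG.search(data) and SCHEME_REF.search(data):
        findings.append("script-with-file-or-telnet-url")
    return findings


if __name__ == "__main__":
    # Constructed samples; host and file names are placeholders.
    frame = b'<frame src="file://fileserver.example/share/placeholder.bin">'
    samples = {
        "photo1.jpg": b"<html><frameset>" + frame * 200 + b"</frameset></html>",
        "real.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
        "notes.html": b"<html><body>see file://fileserver.example/docs</body></html>",
    }
    for fname, blob in samples.items():
        print(fname, inspect(fname, blob))
```
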
