(More Exploit Code is Available) Microsoft IE AnchorClick Behavior and HTML Help Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID: 1012342
SecurityTracker URL: http://securitytracker.com/id?1012342
CVE Reference: CAN-2004-0985
OSVDB Reference: 10991
Date: Nov 28 2004
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 6.0 SP2
Description: A vulnerability was reported in Microsoft Internet Explorer (IE) in the 'AnchorClick' behavior. A remote user can create HTML that, when loaded by the target user, will execute arbitrary code in the Local Computer zone.

http-equiv reported that a remote user can create HTML containing an AnchorClick behavior that silently opens a known directory on the target system (using the Shell.Explorer ActiveX object) and also containing a specially crafted image that, when dragged by the target user to the previously mentioned window, will cause the image file to be written to the target user's computer in a known location.

It is reported that only certain document types can be used in this type of drag-and-drop exploit, including '.xml', '.doc', '.py', '.cdf', '.css', '.pdf', '.ppt' and others, so the specially crafted image file must emulate one of these formats, as IE will attempt to determine the content type if the extension is missing.

The HTML can then invoke HTML Help (hh.exe) with an invalid window to cause HTML Help to load the image file (which actually contains HTML scripting code). The HTML scripting code can then retrieve an arbitrary text file from a remote location and write it to an '.hta' file on the local computer. The contents of the '.hta' file can then be executed.

A demonstration exploit is available at:
http://www.malware.com/noceegar.html

Paul at Greyhats Security Group provided a demonstration exploit, available at:
http://freehost07.websamba.com/greyhats/longnamevuln.htm
Impact: A remote user can execute arbitrary code in the Local Computer zone on the target user's system.

Solution: No solution was available at the time of this entry.

PivX reports that you can set the Kill Bit on the Shell.Explorer ActiveX object to prevent IE from referencing local directories in a window object. PivX Labs has released a registry fix to set the Kill Bit on Shell.Explorer, available at:
http://www.pivx.com/research/freefixes/neutershellexplorer.reg
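As an added defender-side check (not part of the advisory and not PivX's .reg file), the PowerShell below resolves the Shell.Explorer ProgIDs to their CLSIDs through the registry and reports whether the ActiveX kill bit (the 0x400 flag in the "Compatibility Flags" value under Internet Explorer's ActiveX Compatibility key, as documented by Microsoft) is set for each; Set-KillBit is a helper that applies it. It assumes a Windows host, an elevated prompt for writing HKLM, and that the versioned ProgIDs Shell.Explorer.1 and Shell.Explorer.2 may or may not exist (missing ones are skipped).

```powershell
# Added example, not from the advisory or from PivX: audit the ActiveX kill bit
# for the Shell.Explorer (WebBrowser) control abused in this exploit chain.
# CLSIDs are resolved via HKCR at run time rather than hard-coded (assumption:
# the ProgIDs below are registered on the host; unregistered ones are skipped).
$KillBit = 0x400   # KILLBIT flag in the "Compatibility Flags" DWORD
$CompatRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Get-KillBitStatus {
    param([string[]]$ProgId = @('Shell.Explorer', 'Shell.Explorer.1', 'Shell.Explorer.2'))
    foreach ($id in $ProgId) {
        $clsidKey = "Registry::HKEY_CLASSES_ROOT\$id\CLSID"
        if (-not (Test-Path $clsidKey)) { continue }          # ProgID not registered
        $clsid = (Get-ItemProperty -Path $clsidKey).'(default)'
        $compat = Join-Path $CompatRoot $clsid
        $flags = 0
        if (Test-Path $compat) {
            # Missing value yields $null, which [int] coerces to 0 (no flags set)
            $flags = [int](Get-ItemProperty -Path $compat -ErrorAction SilentlyContinue).'Compatibility Flags'
        }
        [pscustomobject]@{
            ProgId  = $id
            Clsid   = $clsid
            Flags   = ('0x{0:X}' -f $flags)
            KillBit = (($flags -band $KillBit) -ne 0)
        }
    }
}

function Set-KillBit {
    # Sets the kill bit for one CLSID, preserving any other compatibility flags.
    param([Parameter(Mandatory)][string]$Clsid)
    $compat = Join-Path $CompatRoot $Clsid
    if (-not (Test-Path $compat)) { New-Item -Path $compat -Force | Out-Null }
    $current = [int](Get-ItemProperty -Path $compat -ErrorAction SilentlyContinue).'Compatibility Flags'
    Set-ItemProperty -Path $compat -Name 'Compatibility Flags' -Value ($current -bor $KillBit) -Type DWord
}

# Report the current state; e.g. Get-KillBitStatus | Where-Object { -not $_.KillBit } | ForEach-Object { Set-KillBit $_.Clsid }
Get-KillBitStatus | Format-Table -AutoSize
```

Killing Shell.Explorer blocks IE from instantiating the WebBrowser control from any page, not only from this exploit, so verify the report before applying Set-KillBit fleet-wide.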
Vendor URL: www.microsoft.com/
Cause: Access control error
Underlying OS: Windows (Any)
Underlying OS Comments: XP SP2 is affected
Reported By: Paul <paul@greyhats.cjb.net>
Message History: This archive entry is a follow-up to the message listed below.

Source Message Contents

Date: 27 Nov 2004 23:22:48 -0000
From: Paul <paul@greyhats.cjb.net>
Subject: Microsoft Help ActiveX Control Related Topics Local Content
Greyhats Security Group is back and we're ready to kick the crap out of SP2 :). Looks like all the vulnerabilities previously posted by us have been patched. Good work, Microsoft. We're not through yet, though. Here's proof that no matter how many millions of dollars you spend on security, there will always be things you missed.

Btw, I codenamed this LongNameVuln because it's a lot easier to remember than Help ActiveX Control Related Topics Local Content Accessing Vulnerability :)

[Tested]
IEXPLORE.EXE file version 6.0.2900.2180
MSHTML.DLL file version 6.00.2800.1400
Microsoft Windows XP Home SP2

[Discussion]
Recently, a security professional aliased http-equiv (malware.com) found a vulnerability in Microsoft's new Service Pack (SP2). What was required to compromise the victim's machine was the dragging of a specially-crafted into a folderview window, and then the clicking of a button. LongNameVuln is a more efficient way of achieving this common goal of compromising the system. It removes the extra step of having to click a button in order to access a page on the local machine. It can be done easily. Using the Related Topics command of Microsoft's Help ActiveX Control, any page can be loaded into a target frame. Unfortunately, only addresses that actually point to a location can be used. This does not include protocols such as javascript and vbscript. However, we can still break out of the Internet Zone and open up a page in the local zone. That is what this vulnerability achieves.

The example shows the picture of a garden which includes a carrot. Dragging the carrot to the bottom frame in the browser (set up to be the outside of the garden) will copy a file to the PCHealth directory in C:\windows, which will then be launched, creating another file in the same directory called Greyhats.hta, which must be launched manually. The directory could easily be changed to shell:startup, however this is not necessary for this example. This is the same payload as given in NoCeegar on malware.com because my server doesn't have the capabilities to host the payload file like malware.com does :).

View the example at http://freehost07.websamba.com/greyhats/longnamevuln.htm

Greets to
http-equiv
Michael Evanchik