Full Disclosure mailing list archives
RE: Self-Executing HTML: Internet Explorer 5.5 and 6.0 Part IV
From: <tlarholm () pivx com>
Date: Fri, 2 Jan 2004 09:17:25 -0800
Microsoft was not wrong to have HTA, they were wrong to have local security zones in IE. If you take away the My Computer zone in IE you are left with a perfect example of proper sandboxing - the Internet Zone with a small amount of privileges running code automatically and HTML Applications with full privileges for running unsafe content, the latter requiring complete user consent.

The proper way to disable HTA related exploits in IE is to remove the application/hta mime-type, which should never have been put in place to begin with. This also leaves in place the functionality of HTA without the IE attack vector. Opening an HTA from a local file system is the equivalent to opening an EXE file from a local file system, and by removing its mime-type HTA files are treated no differently than EXE files in IE.

This is also one of the things we do in Qwik-Fix ;)

Regards
Thor Larholm
Senior Security Researcher
PivX Solutions
24 Corporate Plaza #180
Newport Beach, CA 92660
http://www.pivx.com
thor () pivx com
949-231-8496

PivX defines "Proactive Threat Mitigation". Get a FREE Beta Version of Qwik-Fix <http://www.qwik-fix.net>

-----Original Message-----
From: Erik van Straten [mailto:emvs.fd.3FB4D11C () cpo tn tudelft nl]
Sent: Friday, January 02, 2004 7:03 AM
To: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Self-Executing HTML: Internet Explorer 5.5 and 6.0 Part IV

On Thu, 1 Jan 2004 22:41:35 -0000 "http-equiv () excite com" wrote:

[snip]
Fully self-contained harmless *.exe: http://www.malware.com/exe-cute-html.zip
[snip]

This doesn't look like self-executing HTML - anyway.

[Disabling Mshta.exe]

Microsoft is _WRONG_ to have HTA interpreted by default, and not even provide an option to disable it. All HTA's I've seen (quite some) were malware.

To prevent this particular exploit from running, you may want to delete or rename mshta.exe --At Your Own Risk--. I've done this on all boxes I manage on 20030909 and haven't run into problems. I've not restored this after applying MS03-040, since lusers will click OK because they don't know what an HTA is. Note: MS03-040 won't block this exploit, and other browsers may invoke mshta.exe.

If mshta.exe is also in the DLLCache subdir, you may have to boot safe mode with command prompt, and rename/delete it in both DLLCache and System32. Warning: do not boot Safe Mode With Networking, because then XP-ICF (Internet Connection Firewall) does not run (thanks MS).

[Other Attack Vectors]

Unfortunately more attack vectors are possible. Please refrain from publishing them, the point was made (you'll be helping "the patch" morons et al, which backfires if they joe-job you or your site).

As a test I've just killbitted Shell.Application:

---------- cut here ----------
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{13709620-C279-11CE-A49E-444553540000}]
"Compatibility Flags"=dword:00000400
"Comments"="Shell.Application kill-bit/killbit 20040102"
"Reason#1"="http://seclists.org/lists/fulldisclosure/2004/Jan/0002.html"
"Reason#2"="Self-Executing HTML: Internet Explorer 5.5 and 6.0 Part IV"
-------- end cut here --------

Watch out for line wraps; there should be 7 lines. The last 3 lines are optional but help me locate why/what/when.

It prevents the exploit, however I don't know what this breaks; if anyone knows, please respond to the list (no metoo's and "use another browser" BS, please).

Also: start a new thread+subject if you wish to comment on the ICF issue, portscans, or blah.

Happy 04.
Erik

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
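The two mitigations the message above argues over (Erik's kill-bit on Shell.Application and Thor's removal of the application/hta MIME type) as one administrator script. This is an added example written for this archive page; it is not code from either poster nor from Qwik-Fix. The CLSID and the 0x400 "Compatibility Flags" value are taken from Erik's REGEDIT4 fragment. Everything else is an assumption for illustration: that the MIME type is registered under HKCR\MIME\Database\Content Type\application/hta, that 64-bit hosts keep a second copy of the kill-bit key under Wow6432Node for 32-bit IE, the backup file name, and the mshta.exe locations checked in the last step (the script only reports those; it does not rename or delete the binary as Erik did).

```powershell
# Added example, not from the thread. Run from an elevated PowerShell; test in a VM first.
# Applies (1) the Shell.Application kill-bit from Erik's .reg fragment, (2) the removal of
# the application/hta MIME-type registration that Thor describes, and (3) reports where
# mshta.exe still lives. Registry locations other than the kill-bit key are assumptions.

$ShellAppClsid = '{13709620-C279-11CE-A49E-444553540000}'   # Shell.Application (from the .reg fragment)
$KillBit       = 0x400                                       # Compatibility Flags value that kill-bits a control

# --- 1. Kill-bit Shell.Application -------------------------------------------------------
$killBitKeys = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$ShellAppClsid")
if ([Environment]::Is64BitOperatingSystem) {
    # Assumption: 32-bit IE on a 64-bit host reads the Wow6432Node copy of the key.
    $killBitKeys += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$ShellAppClsid"
}
foreach ($key in $killBitKeys) {
    if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -PropertyType DWord -Value $KillBit -Force | Out-Null
    New-ItemProperty -LiteralPath $key -Name 'Comments' -PropertyType String `
        -Value ("Shell.Application kill-bit {0}" -f (Get-Date -Format yyyyMMdd)) -Force | Out-Null

    # Verify by reading the value back and testing the bit, not by trusting the write.
    $flags = (Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags').'Compatibility Flags'
    $state = if ($flags -band $KillBit) { 'set' } else { 'NOT set' }
    "{0}: Compatibility Flags = 0x{1:X} (kill-bit {2})" -f $key, $flags, $state
}

# --- 2. Remove the application/hta MIME-type registration ---------------------------------
# The key name contains '/', which the PowerShell registry provider treats as a path
# separator, so the .NET registry API (where only '\' separates keys) is used instead.
$htaSubKey = 'MIME\Database\Content Type\application/hta'   # assumed location of the registration
$hkcr      = [Microsoft.Win32.Registry]::ClassesRoot
$existing  = $hkcr.OpenSubKey($htaSubKey)
if ($null -ne $existing) {
    $existing.Close()
    $backup = Join-Path $env:TEMP 'application-hta-mime-backup.reg'   # assumed backup path
    & reg.exe export "HKCR\$htaSubKey" $backup /y | Out-Null           # keep a copy so the change is reversible
    $hkcr.DeleteSubKeyTree($htaSubKey, $false)
    "Removed HKCR\$htaSubKey (backup written to $backup)"
} else {
    "HKCR\$htaSubKey is not registered; nothing to remove"
}

# --- 3. Report mshta.exe copies (Erik's rename/delete step is left to the operator) -------
$mshtaPaths = @(
    "$env:SystemRoot\System32\mshta.exe",
    "$env:SystemRoot\System32\dllcache\mshta.exe",   # the DLLCache copy Erik mentions
    "$env:SystemRoot\SysWOW64\mshta.exe"             # assumption: 32-bit copy on 64-bit hosts
)
foreach ($p in $mshtaPaths) {
    $present = if (Test-Path -LiteralPath $p) { 'present' } else { 'absent' }
    "{0}: {1}" -f $p, $present
}
```

Step 2 is the reversible part: importing the exported .reg file restores the MIME type. Step 1 is reversed by deleting the "Compatibility Flags" value. Neither step answers Erik's open question about what kill-bitting Shell.Application breaks; that still has to be tested on the applications in use.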
Current thread:
- Self-Executing HTML: Internet Explorer 5.5 and 6.0 Part IV http-equiv () excite com (Jan 01)
- Re: Self-Executing HTML: Internet Explorer 5.5 and 6.0 Part IV Erik van Straten (Jan 02)
- Re: Self-Executing HTML: Internet Explorer 5.5 and 6.0 Part IV morning_wood (Jan 02)
- Re: Self-Executing HTML: Internet Explorer 5.5 and 6.0 Part IV Jelmer Kuperus (Jan 02)
- Re: Self-Executing HTML: Internet Explorer 5.5 and 6.0 Part IV Will Image (Jan 02)
- Re: Self-Executing HTML: Internet Explorer 5.5 and 6.0 Part IV morning_wood (Jan 02)
- Re: Self-Executing HTML: Internet Explorer 5.5 and 6.0 Part IV Thor Larholm (Jan 02)
- Re: Self-Executing HTML: Internet Explorer 5.5 and 6.0 Part IV morning_wood (Jan 02)
- RE: Self-Executing HTML: Internet Explorer 5.5 and 6.0 Part IV Bojan Zdrnja (Jan 02)
- Re: Self-Executing HTML: Internet Explorer 5.5 and 6.0 Part IV Erik van Straten (Jan 02)
- <Possible follow-ups>
- RE: Self-Executing HTML: Internet Explorer 5.5 and 6.0 Part IV tlarholm (Jan 02)
- RE: Self-Executing HTML: Internet Explorer 5.5 and 6.0 Part IV tlarholm (Jan 02)
- Re: Self-Executing HTML: Internet Explorer 5.5 and 6.0 Part IV http-equiv () excite com (Jan 02)
- Re: Self-Executing HTML: Internet Explorer 5.5 and 6.0 Part IV JacK (Jan 03)
- Re: Self-Executing HTML: Internet Explorer 5.5 and 6.0 Part IV John Bisley (Jan 05)
- RE: Self-Executing HTML: Internet Explorer 5.5 and 6.0 Part IV tlarholm (Jan 05)