Vulnerability Development mailing list archives

Re: Internet Explorer JavaScript insecure function


From: npguy <npguy () websurfer com np>
Date: Tue, 9 Dec 2003 08:01:10 +0545

Hi freebrain,

The exploit is not working in IE6.
Your `Proof of concept` requires an `applet`
in the HTML. Could you please post an HTML?


Sunday, December 7, 2003, 8:41:57 PM, you wrote:


F> * Internet Explorer JavaScript insecure function * 


F> Product: Microsoft Internet Explorer
F> Version: 5.x (probably other versions may be affected)


F> *** 


F> Problem: 

F> I discovered a JavaScript function (interpreted by Internet Explorer) called
F> "file.writeline()" that may be
F> potentially dangerous for Internet Explorer users. This function allows
F> writing files by means of
F> JavaScript on a hard disk.

F> An attacker may use this function, writing JavaScript code in posts of
F> forums, guestbooks, etc. for owning
F> his victim's computers. With the "file.writeline()" function the attacker can
F> write trojans/virus/etc. on his
F> victim's hard disks; for example, an attacker may use the JavaScript
F> "file.writeline()" function for writing
F> a malicious file in VBS (Visual Basic Scripting) language.

F> I repeat, this may be potentially dangerous for Internet Explorer users.

F> NOTE: Actually a virus in the wild that affects mIRC users is using this
F> function ("file.writeline").

F> NOTE2: As you can see on the "Proof of concept", other functions are needed
F> to carry out an "intrusion". 


F> *** 


F> Proof of concept: 

F> InterfaceObject=document.applets[0];
F> setTimeout("Write()",1000);
F> function Write() {
F> fsoClassID="{0D43FE01-F093-11CF-8940-00A0C9054228}";
F> InterfaceObject.setCLSID(fsoClassID);
F> fso = InterfaceObject.createInstance();
F> // windir = fso.getspecialfolder ;
F> filename = "\\proof.txt";
F> var filecontent = "Hello world";
F> file = fso.opentextfile(filename, "2", "TRUE");
F> file.writeline(filecontent)
F> file.close(); 

F> } 

F> This code writes a file called "proof.txt" on the hard disk, with the
F> content "Hello world". Also you can
F> execute files you write by means of JavaScript by adding "Run();" to the
F> function.


F> *** 


F> Solution: 

F> I'm not sure about the solution but I recommend upgrading to the latest
F> version of Internet Explorer.
F> Also I recommend that webmasters forbid HTML code that contains this function
F> in their forums, guestbooks, etc.


F> *** 


F> Thanks to: 

F> #disidents,#hackers,#hacker @ irc-phoenix.org 

F> #disidents,#sleepx,#ayuda_internet @ irc-hispano.org 

F> Special thanks go to: Impos, |_Tr0mP4s 

F> (sorry for my poor English)


F> *** 


F> By FREEBRAIN 

F> FREEBRAIN is a member of DisidentS Hacker Team 

F> http://disidents-team.cjb.net (under construction) - 
F> http://www.gratisweb.com/disidents 

F> <freebrain () unionnewbies net> ( www.unionnewbies.net )
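
The advisory's recommendation that webmasters forbid such HTML in forums and guestbooks, as an added example (not part of the original post or of this reply): a server-side check that flags submissions carrying active content or the class ID quoted in the proof of concept, plus an escaping helper so posts render as text. Function names, rule names and sample posts are constructed; a pattern match is only a moderation signal, and escaping on output is what keeps a post inert.

```javascript
// Added example: rule ids, function names and SAMPLES are constructed.
const RULES = [
  { id: "active-element", re: /<\s*\/?\s*(script|applet|object|embed|iframe)\b/i },
  { id: "event-handler", re: /<[^>]*\son\w+\s*=/i },
  { id: "script-url", re: /(javascript|vbscript)\s*:/i },
  // Class ID taken from the advisory's proof of concept (fsoClassID).
  { id: "fso-clsid", re: /0D43FE01-F093-11CF-8940-00A0C9054228/i },
  // Method names used in the advisory's proof of concept.
  { id: "fso-call", re: /\b(setCLSID|createInstance|opentextfile|writeline)\s*\(/i },
];

// Turn a numeric character reference into its character (empty if out of range).
function fromCode(cp) {
  return cp <= 0x10ffff ? String.fromCodePoint(cp) : "";
}

// Undo numeric entities and drop control characters before matching, so that
// "&#106;avascript:" is seen as "javascript:".
function normalize(input) {
  return String(input)
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => fromCode(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => fromCode(parseInt(d, 10)))
    .replace(/[\u0000-\u0008\u000b\u000c\u000e-\u001f]/g, "");
}

// Return the ids of every rule the submission triggers (empty array = clean).
function scanSubmission(html) {
  const text = normalize(html);
  return RULES.filter((rule) => rule.re.test(text)).map((rule) => rule.id);
}

// Encode a submission for output so the browser shows it as text.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed sample posts (not taken from any real forum).
const SAMPLES = {
  benign: "Does anyone know why file.writeline fails on a read-only share?",
  applet: '<APPLET></APPLET><script>o=document.applets[0];' +
          'o.setCLSID("{0d43fe01-f093-11cf-8940-00a0c9054228}");</script>',
  encoded: '<a href="&#106;avascript:void(0)">hi</a>',
};

for (const [name, post] of Object.entries(SAMPLES)) {
  console.log(name, scanSubmission(post), escapeHtml(post).slice(0, 40));
}
```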
