Bugtraq mailing list archives

Re: IE 5.0 allows executing programs


From: bronek () WPI COM PL (Bronek Kozicki)
Date: Thu, 26 Aug 1999 11:03:36 +0200


This would probably work on NT machines if in the code the path referenced
pointed at the startup directory of an existing NT profile.  Unfortunately
it's impossible to guess the username of the currently logged on user, and
if you go with something "safe" (i.e. relatively likely to exist) like the
AllUsers profile, you should get blocked from doing that if
permissions are

I tried a slightly changed script from Guninski's page on my WinNT desktop,
and it appears that the file can be put in the directory by using a name relative
to the current directory (which - in my test - was the desktop). You do not need
to know the Windows installation directory, nor the user name. Using
scr.Path="..\\Start Menu\\Programs\\Startup\\guninski.hta"; will do the
trick. Because the file is placed in the user's profile, NTFS permissions will
(usually - when the user has the right to manage his/her startup folder) not
give you any protection.

This only reaffirms my opinion that anyone who wishes to do something simple
when setting up a machine the first time to greatly protect themselves,
should simply change the name of their windows directory.

Not in this case, as you see above. Also - IF it were possible to resolve
environment variables from within a script, using this or another "secure"
object, it would not matter where you place your files. But it's just theory - waiting
for another security flaw in another (or the same) "trusted" ActiveX
object.

Also, I don't know fully how pervasive this exploit is, but if it is capable
of creating .bat files, interesting things may be thought to happen if
instead of the path written in the exploit, one were to instead overwrite
c:\autoexec.bat.  C:\ is a pretty safe path to guess.

Due to junk placed at the beginning of the file, .BAT will not work. The same
goes for most of the formats. But an .HTA file works pretty nicely, and it has more
power than .BAT - because it can use VBScript or JavaScript with any object
desired (like FileSystemObject or Shell) without warning. One alarming thing
the user will see is an Internet Explorer window popping up when he/she logs on,
filled with junk. But it's too late - the script is already running. What's
really scary to me is the ability to write an .HTA file in the user's directory by
_mail_ (probably _newsgroup_post_ as well) written in HTML and opened in
Outlook. I tried it with MS Outlook 98: the current directory was the desktop, so
you can use the very same path "..\\Start Menu ...." to put the .HTA file in the
user's StartUp menu. Of course, there is a very simple way to protect against
malicious email messages: set "Security" to "restricted sites".

The last thing to point out is that the StartUp folder is executed when the user logs on,
NOT when he/she restarts the computer, and that (in most Windows NT domain
networks) this directory is "replicated" through the roaming profile.

Regards

Bronek Kozicki

PS. sorry for my poor English
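A defender-side check for the Startup-folder drop discussed in this post, added here as an example and not part of the original thread: it lists runnable files in a Windows Startup folder and flags .HTA files whose script creates FileSystemObject or WScript.Shell, the objects the post says an HTA can use without any warning. The extension list and the sample folder contents are constructed assumptions.

```python
import re
import tempfile
from pathlib import Path

# Assumption: extensions Windows would execute from a Startup folder at logon.
RUNNABLE = {".hta", ".bat", ".cmd", ".exe", ".vbs", ".js", ".lnk"}

# Objects an HTA can instantiate without a prompt; matches CreateObject("...")
# in VBScript and ActiveXObject("...") in JScript.
DANGEROUS = re.compile(
    r'(?:CreateObject|ActiveXObject)\s*\(\s*["\']'
    r'(Scripting\.FileSystemObject|WScript\.Shell|Shell\.Application)["\']',
    re.IGNORECASE,
)


def scan_startup(folder: Path) -> list[dict]:
    """Return one finding per runnable file in `folder`, highest risk first."""
    findings = []
    for item in sorted(folder.iterdir()):
        ext = item.suffix.lower()
        if not item.is_file() or ext not in RUNNABLE:
            continue
        objects = []
        if ext == ".hta":
            # Look inside the HTA for the script objects the post names.
            text = item.read_text(errors="replace")
            objects = sorted({m.group(1) for m in DANGEROUS.finditer(text)})
        findings.append({"file": item.name, "kind": ext, "objects": objects,
                         "risk": "high" if objects else "review"})
    findings.sort(key=lambda f: (f["risk"] != "high", f["file"]))
    return findings


def build_sample_startup() -> Path:
    """Constructed sample Startup folder: a dropped HTA beside a benign shortcut."""
    folder = Path(tempfile.mkdtemp()) / "Startup"
    folder.mkdir()
    # Constructed HTA body that instantiates both objects mentioned in the post.
    (folder / "dropped.hta").write_text(
        '<html><script language="VBScript">\n'
        'Set fso = CreateObject("Scripting.FileSystemObject")\n'
        'Set sh = CreateObject("WScript.Shell")\n'
        "</script></html>\n"
    )
    (folder / "Office Startup.lnk").write_bytes(b"L\x00\x00\x00")  # stub shortcut
    (folder / "readme.txt").write_text("not executable\n")
    return folder


if __name__ == "__main__":
    for finding in scan_startup(build_sample_startup()):
        print(finding)
```

On a real machine, point `scan_startup` at each profile's Startup folder, including the roaming copy the post mentions, since the dropped file travels with the profile.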

