Bugtraq mailing list archives
Re: MICROSOFT SECURITY FLAW?
From: http-equiv () excite com (http-equiv () excite com)
Date: Sun, 4 Jun 2000 20:20:26 -0700
On Thu, 18 May 2000 16:45:20 -0400, Russ wrote:

| Simply modifying your Outlook (98/2000/OE 5.0) Security setting to
| "Restricted Sites" shuts this down clean. The ActiveX control cannot be
| invoked and the user does not have an option to by-pass the security (and no
| files, .chm or .exe, are copied down).
|
| Microsoft's "Outlook Email Security Update" will do this automatically when
| it's released and applied. Meanwhile, anyone who hasn't already realized
| their Outlook Security should be set to "Restricted Sites" deserves more
| than an oolala and a joke...;-]
|
| Cheers,
| Russ - NTBugtraq Editor
| "dot-age" (as in "we're in the dot-age") = senility (source Webster's)

Sunday, June 4, 2000

Thanks for your message:

It would appear that setting the so-called Security Zone to "Restricted Sites" does indeed shut it down quite efficiently. This is owing to the delivery of the file via ActiveX controls, which is disallowed. However, there is a good possibility that the "Restricted Sites" Zone can be defeated. Consider the following:

1. It is understood that the so-called Security Zone settings are only applied to files that are in the Temporary Internet Files folder. It assumes that all other files on the computer are safe.

2. If that is the case, in order to defeat the so-called Security Zone settings, we would need to place our files on the target computer anywhere except the Temporary Internet Files folder. Can we do that?

(a) IE5 and the accompanying mail and news client can do this for us. Through them we can inject our files into the temp folder for later retrieval. How so?

(b) Manufacture the file that you wish to place in the target computer's temp folder. This can be a simple combination ActiveX and ActiveScripting file which we would like to trigger later, or an elaborate "Silent delivery and installation of an executable on a target computer" file as detailed in this thread.

(c) Run the file through the mail or news client, effectively embedding it in base64. Thereafter save the file as either *.nws, *.eml or *.mhtml.

(d) We then create a second new html email or html news post and embed the file that we want to deliver in it. We do this by creating a simple html frameset and embedding the file to be delivered in that:

<frameset rows="10%,*">
<frame src="FILE_TO_BE_DELIVERED.MHTML">
</frameset>

(e) We then run this combination of files through the mail or news client and effectively embed both in base64.

What will happen?

When the combination file is opened, it will read the embedded file contained within it, through the frames, and deposit the file, with full name intact, into the c:/windows/temp folder, where we can call it later. From this location we are out of the so-called Security Zone and can do as we please.

But ActiveScripting is Disabled?

In the second file, along with the html frameset, we include the very simple HTTP-EQUIV meta tag known as refresh.

<meta http-equiv="refresh" content="30; url=mhtml:file://C:\WINDOWS\TEMP\k00l.mhtml">

What happens is, because the file we are calling is located in the c:/windows/temp folder, we are inside (or outside) any setting of the so-called Security Zones. The browser will bounce to our file in the temp folder and open it locally. Our file in the temp folder can contain all sorts of goodies including "Silent delivery and installation of an executable on a target computer". As we are now local, anything and everything will work, including all ActiveScripting and all ActiveX controls.

The following set of working examples include just that. The first incorporates an executable (*.exe), the second contains nothing more than ActiveScripting and an ActiveX control. These have been tested on IE5.0 and IE5.1 (both updated with all security patches as of time of writing) with everything disabled in the so-called Security Zone, including ActiveScripting, running of ActiveX controls etc. Every possible selection under Custom Level set to: DISABLE [IE5.5 being beta fails. However, it raises other curious possibilities when it is released.]

Important Notes:

1. The working examples below represent a generic and diluted approach in order to keep things simple.

2. The meta refresh tag doesn't work from inside the html email or html news post. There is a workaround for that. It does of course work in the browser.

3. There is the limitation of having a setTimeout independent of the ActiveScripting in the files via the meta refresh tag, as it could fire before the files have been delivered.

4. The file name references appear to be extremely sensitive; the examples should work 99.99% of the time.

5. Again, it requires a default installation of Windows 95 and 98 where the temp folder is c:/windows/temp.

Working Examples:

1. The first example incorporates a different harmless joke program. It is quite popular and has not too long ago been added to several Anti-Virus databases (or signature files). There is a good possibility that your Anti-Virus software will disallow the "Silent delivery and installation of an executable on a target computer" for that reason. There is an even better chance it will not even know what is happening. This working example is set to an unnecessarily lengthy delay to allow for download on feeble i-connections. The delay is 30 seconds:

http://members.xoom.com/malware/0uch.mhtml

2. The second is a whimsical example of pure text containing ActiveScripting and a pre-registered ActiveX control. You'll find the operation of the ActiveX control in the main browser window, and you won't miss the operation of the ActiveScripting. Note: it is suggested not to test this one if you do not know how to reset your browser:

http://members.xoom.com/malware/k00l.mhtml
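As an added, defender-side illustration (not part of the original post or the thread, and not code from the author), the following Python filter flags the two markers the technique above depends on when they appear in an HTML mail or news body: a frame whose src is a saved mail/news archive file (*.mhtml, *.mht, *.eml, *.nws) and a meta refresh whose url uses a local scheme (mhtml: or file:) instead of a remote one. The sample bodies are constructed for the example; the regexes are a simple heuristic, not a full HTML parser.

```python
import re

# Constructed sample of the kind of HTML body the post describes: a frameset
# pulling in an embedded .mhtml file, and a meta refresh that bounces the
# browser to a local copy under the temp folder. Not a real message.
SAMPLE_BODY = """<html><head>
<meta http-equiv="refresh" content="30; url=mhtml:file://C:\\WINDOWS\\TEMP\\k00l.mhtml">
</head>
<frameset rows="10%,*">
<frame src="FILE_TO_BE_DELIVERED.MHTML">
</frameset></html>"""

# Constructed benign body for comparison: an ordinary refresh to a remote page.
BENIGN_BODY = """<html><head>
<meta http-equiv="refresh" content="5; url=https://www.example.com/">
</head><body>hello</body></html>"""

# <frame ...> or <iframe ...> with a src attribute (\b keeps <frameset> out).
FRAME_SRC_RE = re.compile(r'<(?:i?frame)\b[^>]*\bsrc\s*=\s*["\']?([^"\'>\s]+)', re.I)
# <meta http-equiv="refresh" content="..."> (attributes in that order).
META_REFRESH_RE = re.compile(
    r'<meta\b[^>]*http-equiv\s*=\s*["\']?refresh["\']?[^>]*content\s*=\s*["\']([^"\']*)["\']',
    re.I)
URL_IN_CONTENT_RE = re.compile(r'url\s*=\s*(\S+)', re.I)

ARCHIVE_EXTS = ('.mhtml', '.mht', '.eml', '.nws')
LOCAL_SCHEMES = ('mhtml:', 'file:')


def frame_findings(body):
    """Frames whose source is a mail/news archive file rather than a web page."""
    hits = []
    for src in FRAME_SRC_RE.findall(body):
        if src.lower().endswith(ARCHIVE_EXTS):
            hits.append(('frame-loads-archive', src))
    return hits


def refresh_findings(body):
    """Meta refresh targets that point at the local file system (mhtml:/file:)."""
    hits = []
    for content in META_REFRESH_RE.findall(body):
        m = URL_IN_CONTENT_RE.search(content)
        if not m:
            continue
        url = m.group(1)
        if url.lower().startswith(LOCAL_SCHEMES):
            hits.append(('refresh-to-local-file', url))
    return hits


def scan(body):
    """Return all findings for one HTML body; an empty list means nothing flagged."""
    return frame_findings(body) + refresh_findings(body)


if __name__ == "__main__":
    for name, body in (("sample", SAMPLE_BODY), ("benign", BENIGN_BODY)):
        print(name, scan(body))
```

Either finding on its own is a reasonable reason to quarantine a message for review: a legitimate HTML mail has no business framing a saved *.mhtml file or redirecting the reader to a path under the local temp folder. Pair the filter with the "Restricted Sites" zone setting Russ recommends rather than relying on it alone, since the pattern matching is easy to vary.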