Bugtraq mailing list archives

FW: IE 5 and Access 2000 vulnerability - executing programs


From: jjohanss () BU EDU (Jesper M. Johansson)
Date: Wed, 28 Jun 2000 08:20:31 -0400


> Sorry Georgi, but I get warnings and errors from your example. The first of
> which is: "You don't have a source code control program (such as Microsoft
> Visual SourceSafe) installed on your machine.

I can't replicate that. I recoded the exploit for WinNT and to take out the
warning. I tried it both on a system that has VSS and one that doesn't (but
only with my recoded exploit) and it works fine.

> Access is trying to start wordpad.exe

This is hard-coded into the exploit. I just recoded it and took that out.
Works like a charm!

> which (when I click ok) returns an error : "Invalid procedure call or
> argument".

It should say "file not found." Again, yes, the sample is specifically
designed for Win98. Wordpad does not exist in that location on NT 4 or 5.
However, after I recoded the exploit to work on WinNT, it works silently,
and without needing VSS installed. This is REALLY dangerous.

I also discovered a serious problem here. I have IE set to prompt on running
ActiveX controls. It does prompt me; but not until AFTER it already
downloaded and opened the Access database. Even disabling ActiveX controls
altogether does not solve this! Disabling Active Scripting does not help
either. Let me put this another way: there appears to be no way to use the
security settings in IE to guard against this problem!

Jesper M. Johansson

