Bugtraq mailing list archives

Addendum Re: Internet Explorer Pop-Up OBJECT Tag Bug


From: the Pull <osioniusx () yahoo com>
Date: Wed, 16 Jan 2002 10:32:01 -0800 (PST)

Pop-Up Bug Notes

First, adding an addendum about the bug which Dave
Ahmad discovered:

This can be used with the window object as well, when
setting the document body's innerHTML property and
using method "window.open()".

This information has been forwarded to the vendor.

Secondly, there are a number of issues about this bug
which I go into below. I do not believe I am in error;
if I am, feel free to point it out to me:


By itself it is a violation of a basic security
principle (that remote, malicious users should not be
able to control the execution of software).

What sort of exploits it would work with, otherwise
(Least to worst):

-> It is a DoS

-> Users can be tricked into manipulating their own
programs because the pop-up object allows for
obscuring dialogs, according to Guninski's Oct bug on
the object, which still works after all tests.

-> Code can normally be executed in the Codebase tag;
if code can be executed within this object, it could
be dangerous. (See below.)

-> If it is found that a parameter can be passed
either through the PARAM tag or through url wrangling
such as with the "telnet:%20-f" bug, then a remote
user could take total control of the system. They
could format the disk, use the command prompt to
download and execute trojans, etc.

-> The object is being executed in the My Computer
security zone, i.e., the codebase problem is a Microsoft
"feature"; it just should only work in the My Computer
Zone -- not remotely.

This can be tested by separating the object from the
script and viewing the page remotely versus on My
Computer.

Some of the problems with this:

Internet - Default Settings

Download signed ActiveX controls - Prompt
Download unsigned ActiveX controls - Disable
Initialize and script ActiveX controls Not Marked As
Safe for Scripting - Disable
Java Permissions - High Safety

My Computer - Default Settings

Download signed ActiveX controls - Enable
Download unsigned ActiveX controls - Enable
Initialize and script ActiveX controls Not Marked As
Safe for Scripting - Prompt
Java Permissions - Medium Safety

This means you could just sign your ActiveX control and have
it set itself "Safe for Scripting", and it will do so
without a prompt. Signing ActiveX is relatively
inexpensive and there are no checks done on the code.

I am not sure how Java could be used with this; I
haven't played with the settings enough. However, the
object tag is used for applets now according to the
W3C standards.



--- the Pull <osioniusx () yahoo com> wrote:
Internet Explorer Pop-Up OBJECT Tag Bug

Class: Failure to Handle Exceptional Conditions
Remote: Yes
Local: Yes
Found: January 10, 2001
Severity: Moderate
Vulnerable: IE 6.0.2600.0000
+ Windows 2000 Update Versions: Q312461;
Q240308; Q313675




Discussion: The PopUp object allows the insertion of
embedded objects; they run in a high privilege space
allowing the execution of local applications remotely.
(Using the codebase tag, courtesy of Dildog and
Microsoft).

Caveats, Notes: Under initial testing, scripting was
not possible in the popup object, nor could I pass
parameters to the executables. Regardless, there may
be more dangerous examples of code being put within
the popup object, as it seems to do almost no internal
checking at all.

Exploits: http://www.osioniusx.com

"funRun.html" - This page shows how you can run just
about anything you want on a Windows system remotely
from IE if it is on the user's system. I have included
in it two sections: one section demonstrating running
applications through the popup object; the second
section demonstrating opening up control panels and
the like from the earlier released bug
"directoryInfo.html", i.e. the "file://::{CLSID}"
feature of IE.


Potential Solution: Fix required on the popup object.

Workaround Suggestions: Disable ActiveScripting, use
Netscape on untrusted sites, browse trusted sites
only, do not allow ActiveScripting to be parsed in
emails or newsposts.

Vendor Status: Emailed "Secure () microsoft com" 

Disclosure Policy: I am not opposed to more warning
for advisories and decide on that on a case by case
situation. See Also, FullDisclosure.txt.


__________________________________________________
Do You Yahoo!?
Send FREE video emails in Yahoo! Mail!
http://promo.yahoo.com/videomail/

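An added example, not part of the original post or of any Microsoft tooling: a Python script that parses a .reg export of the Internet Explorer security-zone keys and flags zones whose ActiveX settings are looser than a hardening baseline, so the My Computer versus Internet mismatch the post describes can be checked on a machine rather than assumed. The registry value names (1001, 1004, 1201, 1C00) and zone numbers are the documented IE zone settings; the baseline and the sample export are the editor's own assumptions and are constructed.

```python
import re

# Documented IE zone registry values: zone 0 = My Computer, 3 = Internet;
# 1001/1004/1201 take 0 = Enable, 1 = Prompt, 3 = Disable; 1C00 is Java permissions.
ZONES = {"0": "My Computer", "3": "Internet"}
SETTINGS = {"1001": "Download signed ActiveX controls",
            "1004": "Download unsigned ActiveX controls",
            "1201": "Init/script ActiveX not marked safe for scripting",
            "1C00": "Java permissions"}
ACTION = {0: "Enable", 1: "Prompt", 3: "Disable"}
JAVA = {0: "Disable", 0x10000: "High Safety", 0x20000: "Medium Safety", 0x30000: "Low Safety"}
# Assumed hardening baseline (editor's assumption, not the post's): no zone may
# fetch unsigned controls or script unsafe ones unless explicitly set to Disable.
BASELINE = {"1004": {3}, "1201": {3}}
ZONE_KEY = r"\[HKEY_(?:CURRENT_USER|LOCAL_MACHINE)\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\(\d)\]"
VALUE = r'"(1001|1004|1201|1C00)"=dword:([0-9a-fA-F]{8})'
# Constructed sample export (not from a real machine): My Computer zone at the
# permissive defaults the post lists, Internet zone at its defaults.
SAMPLE_REG = """[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\0]
"1001"=dword:00000000
"1004"=dword:00000000
"1201"=dword:00000001
"1C00"=dword:00020000
[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3]
"1001"=dword:00000001
"1004"=dword:00000003
"1201"=dword:00000003
"1C00"=dword:00010000
"""

def parse_zone_export(reg_text):
    """Return {zone number: {setting: int}} from a .reg export of the Zones key."""
    zones, current = {}, None
    for line in map(str.strip, reg_text.splitlines()):
        if (m := re.match(ZONE_KEY, line)):
            current = zones.setdefault(m.group(1), {})
        elif current is not None and (m := re.match(VALUE, line)):
            current[m.group(1)] = int(m.group(2), 16)
    return zones

def describe(setting, value):
    """Human-readable action for a zone value (unknown codes shown in hex)."""
    return (JAVA if setting == "1C00" else ACTION).get(value, f"unknown (0x{value:x})")

def audit(zones):
    """List (zone, setting, current action) triples that fall outside BASELINE."""
    return [(ZONES.get(z, z), SETTINGS[s], describe(s, v[s]))
            for z, v in zones.items() for s, ok in BASELINE.items()
            if s in v and v[s] not in ok]
```

Run `audit(parse_zone_export(SAMPLE_REG))` to list the offending zone settings; on a real machine, feed it the output of exporting the Zones key with reg.exe instead of the constructed sample.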