Bugtraq mailing list archives
Addendum Re: Internet Explorer Pop-Up OBJECT Tag Bug
From: the Pull <osioniusx () yahoo com>
Date: Wed, 16 Jan 2002 10:32:01 -0800 (PST)
Pop-Up Bug Notes

First, adding an addendum about the bug which Dave Ahmad discovered: this can be used with the window object as well, when setting the document body's innerHTML property and using the method "window.open()". This information has been forwarded to the vendor.

Secondly, there are a number of issues about this bug which I go into below. I do not believe I am in error; if I am, feel free to point it out to me:

By itself it is a violation of a basic security principle (that remote, malicious users should not be able to control the execution of software).

What sort of exploits it would work with, otherwise (least to worst):

-> It is a DoS.
-> Users can be tricked into manipulating their own programs because the pop-up object allows for obscuring dialogs, according to Guninski's Oct bug on the object, which still works after all tests.
-> Code can normally be executed in the Codebase tag; if code can be executed within this object it could be dangerous. (See below.)
-> If it is found that a parameter can be passed either through the PARAM tag or through URL wrangling such as with the "telnet:%20-f" bug, then a remote user could take total control of the system. They could format the disk, use the command prompt to download and execute trojans, etc.
-> The object is being executed in the My Computer security zone, i.e., the codebase problem is a Microsoft "feature"; it just should only work in the My Computer Zone -- not remotely. This can be tested by separating the object from the script and viewing the page remotely versus on My Computer.
Some of the problems with this:

Internet - Default Settings
  Download signed ActiveX controls - Prompt
  Download unsigned ActiveX controls - Disable
  Initialize and script ActiveX controls not marked as safe for scripting - Disable
  Java Permissions - High Safety

My Computer - Default Settings
  Download signed ActiveX controls - Enable
  Download unsigned ActiveX controls - Enable
  Initialize and script ActiveX controls not marked as safe for scripting - Prompt
  Java Permissions - Medium Safety

This means you could just sign your ActiveX and have it set itself "Safe for Scripting", and it will do so without a prompt. Signing ActiveX is relatively inexpensive and there are no checks done on the code.

I am not sure how Java could be used with this; I haven't played with the settings enough. However, the object tag is used for applets now according to the W3C standards.

--- the Pull <osioniusx () yahoo com> wrote:
Internet Explorer Pop-Up OBJECT Tag Bug

Class: Failure to Handle Exceptional Conditions
Remote: Yes
Local: Yes
Found: January 10, 2001
Severity: Moderate
Vulnerable: IE 6.0.2600.0000 + Windows 2000
Update Versions: Q312461; Q240308; Q313675

Discussion: The PopUp object allows the insertion of embedded objects; they run in a high privilege space, allowing the execution of local applications remotely. (Using the codebase tag, courtesy of Dildog and Microsoft.)

Caveats, Notes: Under initial testing scripting was not possible in the popup object, nor could I pass parameters to the executables. Regardless, there may be more dangerous examples of code being put within the popup object, as it seems to do almost no internal checking at all.

Exploits: http://www.osioniusx.com "funRun.html" - This page shows how you can run just about anything you want on a Windows system remotely from IE if it is on the user's system. I have included in it two sections: one section demonstrating running applications through the popup object; the second section demonstrating opening up control panels and the like from the earlier released bug "directoryInfo.html", i.e. the "file://::{CLSID}" feature of IE.

Potential Solution: Fix required on the popup object.

Workaround Suggestions: Disable ActiveScripting, use Netscape on untrusted sites, browse trusted sites only, do not allow ActiveScripting to be parsed in emails or newsposts.

Vendor Status: Emailed "Secure () microsoft com"

Disclosure Policy: I am not opposed to more warning for advisories and decide on that on a case by case situation. See also FullDisclosure.txt.

__________________________________________________
Do You Yahoo!? Send FREE video emails in Yahoo! Mail! http://promo.yahoo.com/videomail/
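The zone comparison in the addendum (My Computer defaults more permissive than Internet defaults for the ActiveX and Java actions) can be audited on a Windows machine with the following PowerShell check. This is an added example, not code from the post; it assumes the standard Internet Settings registry layout (Zones\0 = My Computer, Zones\3 = Internet, DWORD names 1001, 1004, 1201 and 1C00 for the four actions), which the post itself does not mention.

```powershell
# Added example: compare the "My Computer" zone (Zone 0) with the "Internet" zone (Zone 3)
# for the four settings listed in the post. Assumed registry layout (not from the post):
#   HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<zone>\<action id>
#   Action ids: 1001, 1004, 1201 use 0 = Enable, 1 = Prompt, 3 = Disable;
#   1C00 (Java permissions) uses 0 = Disable, 0x10000 = High, 0x20000 = Medium, 0x30000 = Low.
$base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

$settings = [ordered]@{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1C00' = 'Java permissions'
}

# Translate a raw DWORD into the label the Internet Options dialog would show.
function ConvertTo-SettingName([string]$id, $value) {
    if ($null -eq $value) { return 'not set' }
    if ($id -eq '1C00') {
        switch ($value) {
            0        { 'Disable Java' }
            0x10000  { 'High Safety' }
            0x20000  { 'Medium Safety' }
            0x30000  { 'Low Safety' }
            0x800000 { 'Custom' }
            default  { '0x{0:X}' -f $value }
        }
    } else {
        switch ($value) { 0 { 'Enable' } 1 { 'Prompt' } 3 { 'Disable' } default { "$value" } }
    }
}

# Read one action value from one zone; $null if the zone key or value is absent.
function Get-ZoneSetting([int]$zone, [string]$id) {
    $key = Get-ItemProperty -Path "$base\$zone" -ErrorAction SilentlyContinue
    if ($key) { $key.$id } else { $null }
}

foreach ($id in $settings.Keys) {
    $mine = Get-ZoneSetting 0 $id
    $inet = Get-ZoneSetting 3 $id
    $flag = ''
    # Lower numeric value means more permissive for the Enable/Prompt/Disable actions;
    # flag the case the post describes: My Computer looser than Internet for the same action.
    if ($id -ne '1C00' -and $null -ne $mine -and $null -ne $inet -and $mine -lt $inet) {
        $flag = '  <-- My Computer zone is more permissive than Internet zone'
    }
    '{0,-60} MyComputer={1,-14} Internet={2,-14}{3}' -f $settings[$id],
        (ConvertTo-SettingName $id $mine), (ConvertTo-SettingName $id $inet), $flag
}
```

The My Computer zone is hidden from the Internet Options dialog by default, so the registry is the only place to see these values without changing the zone's Flags value.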