Re: [security] What A Click! [Internet Explorer]

[Lance James <lancej () securescience net>]

yossarian wrote:

> There is an easy trick to avoid a .HTA related 'thingie' such as this
> one: tell your windows to open .HTA files in notepad.  It broke the
> beautifull PoC I guess, had it in place as long as this particular
> machine (2 years or so), it never broke anything before.



Is there a method of sandboxing the .HTA files? I mean, everything web,
should stay web?

> Second hint for people protecting lusers: design a nice corporate
> colors standard theme and disable the standard theme. Exit this kind
> of attack (since there are more ways to cover windows with malicious
> lookalikes).
>
> regards,
>
> yossarian
>
> ----- Original Message ----- From: "mikx" <mikx () mikx de>
> To: <full-disclosure () lists grok org uk>
> Cc: <bugtraq () securityfocus com>
> Sent: Tuesday, January 24, 2006 8:06 PM
> Subject: [security] What A Click! [Internet Explorer]
>
>
> > It's now almost 18 months ago that i posted my first security
> > advisory "What A Drag! -revisited-", seems to be a good time to post
> > "What A Click!".
> >
> > Both bugs had about the same exploit potential, but i assume this one
> > will have far less impact and media response (which i consider a
> > great thing for various reasons). Thanks to everybody who researched,
> > worked, chatted, discussed and got drunk with me in the last months
> > to make this change happen - you know who you are.
> >
> > __Summary
> >
> > Using custom Microsoft Agent characters it is possible to cover any
> > kind of windows, including security or download dialogs. This is an
> > expected feature of the Microsoft Agent control. To quote the product
> > homepage: "Animations are drawn on top of any underlying application
> > window, characters are not bounded within their own, separate window"
> > (http://www.microsoft.com/msagent/prodinfo/datasheet.asp). Custom
> > characters can be created with tools downloadable from that homepage.
> >
> > Because custom characters are fully scriptable, can have any kind of
> > shape and are downloaded automaticly, this can be used as a flexible
> > tool to cover and/or spoof any kind of window and lure the user to
> > execute arbitrary code by performing one or two clicks (depening on
> > security zone configuration and Windows version).
> >
> > __Proof-of-Concept
> >
> > http://www.mikx.de/fireclicking/
> >
> > The PoC is designed for Internet Explorer 6 on Windows XP SP2 in
> > Windows classic theme. By clicking on the button in the upper left
> > corner you start the download of a hta file. The download dialog gets
> > covered by a Microsoft Agent character which fakes a button (basicly
> > a large white image with a button border in the middle). Move the
> > character by dragging to see how it uses a "transparent spot" to make
> > room for clicking on the underlying dialog through the button space.
> > Transparent areas in characters are really "not there", meaning you
> > can click through them.
> >
> > When you click that button you execute arbitraty code in the hta
> > file, in this case you create the folder "c:\booom!". The button in
> > the upper left corner is only need to get around the "drive by
> > download" protection of Windows. When this protection is not in place
> > (e.g. on Windows 2000) this PoC could be reduced to a single click
> > interaction to execute arbitrary code.
> >
> > __Status
> >
> > The bug got fixed as part of the Microsoft Security Bulletin MS05-032
> > (yeah, last summer).
> >
> > The patch adds an additional security dialog before loading a custom
> > agent character. Be aware that in trusted zones that dialog might not
> > raise.
> >
> > 2004-10-04 Vendor informed
> > 2004-10-06 Vendor opened case, could not repro
> > 2004-10-06 Vendor got new testcase
> > 2004-10-12 Vendor confirmed bug
> > 2005-06-14 Vendor relased patch and advisory
> > 2006-01-22 Public disclosure
> >
> > __Affected Software
> >
> > Internet Explorer on Windows 98, 98 SE, ME, XP, 2000, Server 2003
> > with different severity. See Microsoft Security Bulletin MS05-032 for
> > details.
> >
> > __Contact
> >
> > Michael Krax <mikx () mikx de>
> > http://www.mikx.de/
> >
> > mikx
> >
> >
> > _______________________________________________
> > Get your free port scan here: http://www.seifried.org/freescan2/
> >
> > security mailing list
> > security () lists seifried org
> > https://lists.seifried.org/mailman/listinfo/security 


-- 
Best Regards,
Lance James
Secure Science Corporation
www.securescience.net
Author of 'Phishing Exposed'
http://www.securescience.net/amazon/