RE: Internet explorer .clsid vulnerability

["Thor Larholm" <thor () pivx com>]

This is actually a behavior that is part of Windows Explorer, not
Internet Explorer. I think we have covered this in the past on lists as
well. If it is not already documented somewhere it should be, as this is
how Windows file queries (inside IE) are performed on the local file
system.

Basically, you must first circumvent security zone restrictions and gain
access to execute HTML files from the local file system in the first
place before this is an issue. At this time, it is much more interesting
to use your newly gained privileges to plant an EXE file and execute it
instead of just launching the already installed applications.

When your HTML document is opened from the local file system, it's
working directory is C:\DIR\test.html ( equivelant to the URL
FILE://C:/DIR/test.html ). If you click on a link to "XX" from here or
have it open automatically through an iframe, the browser asks for
FILE://C:/DIR/XX ( "XX" through the FILE protocol from the C:/ host in
the DIR directory ).

In this case, we are asking the browser to retrieve
"FILE://C:/DIR/Roozbeh.{3E9BAF2D-7A79-11d2-9334-0000F875AE17}". IE
queries
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints\C to
see if the Host is known (btw, all temporary NetBIOS sessions are stored
here as integers, my currently open share in the dirty network to
\\someserver\c$ is labelled 6 instead of C). It then checks both HKCU
and HKCR in order for instances of that GUID and eventually finds
"C:\PROGRA~1\NETMEE~1\conf.exe" in
HKCR\CLSID\{3E9BAF2D-7A79-11d2-9334-0000F875AE17}\LocalServer32\(Default
) which it then launches. 

You can see this entire registry brawl at
http://jscript.dk/2004/5/clsid.regmon.log

If you try to test your POC from an Internet or Intranet site you will
see that the browser simply asks for a document on the server and in
return gets a 404 Not Found.


Regards

Thor Larholm
Senior Security Researcher
PivX Solutions
24 Corporate Plaza #180
Newport Beach, CA 92660
http://www.pivx.com
thor () pivx com
Stock symbol: (PIVX)
Phone: +1 (949) 231-8496
PGP: 0x5A276569
6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569

PivX defines a new genre in Desktop Security: Proactive Threat
Mitigation. 
<http://www.pivx.com/qwikfix>


-----Original Message-----
From: roozbeh afrasiabi [mailto:roozbeh_afrasiabi () yahoo com] 
Sent: Thursday, May 20, 2004 3:52 PM
To: bugtraq () securityfocus com
Subject: Internet explorer .clsid vulnerability
<snip>

<a href=Roozbeh.{3E9BAF2D-7A79-11d2-9334-0000F875AE17}>dose not
exist!</a>

<snip>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html