Re: [security] What A Click! [Internet Explorer]

[yossarian <yossarian () planet nl>]

HTA runs applications from HTML documents. Like I mentioned, never broke 
anything in my experience. And yes, I sometimes develop stuff on this old 
windows box, including webstuff. HTA is a MS invention,  Firefox has 
followed. But the main thing HTA has been, and IMHO will remain, is a 
security flaw.

A lengthy quote <quote> HTAs are Windows applications that can access and 
use ActiveX components, COM objects, the Windows Scripting Host and 
scripting languages, to form easy to develop and maintain, yet powerful 
solutions for business and personal tasks. The simplest of all HTA 
applications can be created and executed by making a blank text file on your 
desktop and giving it an ".hta" extension then clicking its icon. Although 
the main window of an HTA is technically Internet Explorer, the window that 
appears has no default menu, toolbar or status bar. These "child windows" 
however can be created for your HTA by using DHTML and scripting so that 
your HTA looks like a normal Windows application. You can even create a 
library of HTCs, or Hypertext Components, to act in place of the Windows 
Common Control Library."</quote> See, ideal for popups and tons of yet to be 
discovered nasty things. Never had an active scripting host, and that had 
also never had an adverse effect.

'Everything web' includes worms, spyware and the like. Dunno, I prefer my 
web a bit cleaner. Sandboxing is possible, just like anything web, by 
running the browser in a citrix or terminal server box. They, being windows, 
based might be compromised as well, so maybe a better idea is to run a java 
based browser in a JVM and have it over with, use something like JREX or 
Opera.  If corporate, you might prefer server side java.. Run the JVM on a 
tomcat or websphere on nix or even use the old big iron, open a sandboxed 
browser in a normal browser.....  et voila, a sandboxed browser. Some say 
Tarantella might do the trick neatly, have not looked into that yet.

regards

Yossarian

----- Original Message ----- 
From: "Lance James" <lancej () securescience net>
To: "yossarian" <yossarian () planet nl>
Cc: <full-disclosure () lists grok org uk>; <bugtraq () securityfocus com>
Sent: Friday, January 27, 2006 8:22 PM
Subject: Re: [security] What A Click! [Internet Explorer]


> yossarian wrote:
>
> > There is an easy trick to avoid a .HTA related 'thingie' such as this
> > one: tell your windows to open .HTA files in notepad.  It broke the
> > beautifull PoC I guess, had it in place as long as this particular
> > machine (2 years or so), it never broke anything before.
>
>
>
> Is there a method of sandboxing the .HTA files? I mean, everything web,
> should stay web?
>
> > Second hint for people protecting lusers: design a nice corporate
> > colors standard theme and disable the standard theme. Exit this kind
> > of attack (since there are more ways to cover windows with malicious
> > lookalikes).
> >
> > regards,
> >
> > yossarian
> >
> > ----- Original Message ----- From: "mikx" <mikx () mikx de>
> > To: <full-disclosure () lists grok org uk>
> > Cc: <bugtraq () securityfocus com>
> > Sent: Tuesday, January 24, 2006 8:06 PM
> > Subject: [security] What A Click! [Internet Explorer]
> >
> >
> > > It's now almost 18 months ago that i posted my first security
> > > advisory "What A Drag! -revisited-", seems to be a good time to post
> > > "What A Click!".
> > >
> > > Both bugs had about the same exploit potential, but i assume this one
> > > will have far less impact and media response (which i consider a
> > > great thing for various reasons). Thanks to everybody who researched,
> > > worked, chatted, discussed and got drunk with me in the last months
> > > to make this change happen - you know who you are.
> > >
> > > __Summary
> > >
> > > Using custom Microsoft Agent characters it is possible to cover any
> > > kind of windows, including security or download dialogs. This is an
> > > expected feature of the Microsoft Agent control. To quote the product
> > > homepage: "Animations are drawn on top of any underlying application
> > > window, characters are not bounded within their own, separate window"
> > > (http://www.microsoft.com/msagent/prodinfo/datasheet.asp). Custom
> > > characters can be created with tools downloadable from that homepage.
> > >
> > > Because custom characters are fully scriptable, can have any kind of
> > > shape and are downloaded automaticly, this can be used as a flexible
> > > tool to cover and/or spoof any kind of window and lure the user to
> > > execute arbitrary code by performing one or two clicks (depening on
> > > security zone configuration and Windows version).
> > >
> > > __Proof-of-Concept
> > >
> > > http://www.mikx.de/fireclicking/
> > >
> > > The PoC is designed for Internet Explorer 6 on Windows XP SP2 in
> > > Windows classic theme. By clicking on the button in the upper left
> > > corner you start the download of a hta file. The download dialog gets
> > > covered by a Microsoft Agent character which fakes a button (basicly
> > > a large white image with a button border in the middle). Move the
> > > character by dragging to see how it uses a "transparent spot" to make
> > > room for clicking on the underlying dialog through the button space.
> > > Transparent areas in characters are really "not there", meaning you
> > > can click through them.
> > >
> > > When you click that button you execute arbitraty code in the hta
> > > file, in this case you create the folder "c:\booom!". The button in
> > > the upper left corner is only need to get around the "drive by
> > > download" protection of Windows. When this protection is not in place
> > > (e.g. on Windows 2000) this PoC could be reduced to a single click
> > > interaction to execute arbitrary code.
> > >
> > > __Status
> > >
> > > The bug got fixed as part of the Microsoft Security Bulletin MS05-032
> > > (yeah, last summer).
> > >
> > > The patch adds an additional security dialog before loading a custom
> > > agent character. Be aware that in trusted zones that dialog might not
> > > raise.
> > >
> > > 2004-10-04 Vendor informed
> > > 2004-10-06 Vendor opened case, could not repro
> > > 2004-10-06 Vendor got new testcase
> > > 2004-10-12 Vendor confirmed bug
> > > 2005-06-14 Vendor relased patch and advisory
> > > 2006-01-22 Public disclosure
> > >
> > > __Affected Software
> > >
> > > Internet Explorer on Windows 98, 98 SE, ME, XP, 2000, Server 2003
> > > with different severity. See Microsoft Security Bulletin MS05-032 for
> > > details.
> > >
> > > __Contact
> > >
> > > Michael Krax <mikx () mikx de>
> > > http://www.mikx.de/
> > >
> > > mikx
> > >
> > >
> > > _______________________________________________
> > > Get your free port scan here: http://www.seifried.org/freescan2/
> > >
> > > security mailing list
> > > security () lists seifried org
> > > https://lists.seifried.org/mailman/listinfo/security
>
>
> --
> Best Regards,
> Lance James
> Secure Science Corporation
> www.securescience.net
> Author of 'Phishing Exposed'
> http://www.securescience.net/amazon/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/