Re: What A Click! [Internet Explorer]

[Robert Kim Wireless Internet Advisor <evdo.hsdpa () gmail com>]

thx... good point yossarian.

--

Bob Repeater Kim
2611 s Highway 101
Cardiff CA 92007
206 984 0880
http://evdo-coverage.com/cellular-repeater.html

On 1/26/06, yossarian <yossarian () planet nl> wrote:
> There is an easy trick to avoid a .HTA related 'thingie' such as this one:
> tell your windows to open .HTA files in notepad.  It broke the beautifull
> PoC I guess, had it in place as long as this particular machine (2 years or
> so), it never broke anything before.
>
> Second hint for people protecting lusers: design a nice corporate colors
> standard theme and disable the standard theme. Exit this kind of attack
> (since there are more ways to cover windows with malicious lookalikes).
>
> regards,
>
> yossarian
>
> ----- Original Message -----
> From: "mikx" <mikx () mikx de>
> To: <full-disclosure () lists grok org uk>
> Cc: <bugtraq () securityfocus com>
> Sent: Tuesday, January 24, 2006 8:06 PM
> Subject: [security] What A Click! [Internet Explorer]
>
>
> > It's now almost 18 months ago that i posted my first security advisory
> > "What A Drag! -revisited-", seems to be a good time to post "What A
> > Click!".
> >
> > Both bugs had about the same exploit potential, but i assume this one will
> > have far less impact and media response (which i consider a great thing
> > for various reasons). Thanks to everybody who researched, worked, chatted,
> > discussed and got drunk with me in the last months to make this change
> > happen - you know who you are.
> >
> > __Summary
> >
> > Using custom Microsoft Agent characters it is possible to cover any kind
> > of windows, including security or download dialogs. This is an expected
> > feature of the Microsoft Agent control. To quote the product homepage:
> > "Animations are drawn on top of any underlying application window,
> > characters are not bounded within their own, separate window"
> > (http://www.microsoft.com/msagent/prodinfo/datasheet.asp). Custom
> > characters can be created with tools downloadable from that homepage.
> >
> > Because custom characters are fully scriptable, can have any kind of shape
> > and are downloaded automaticly, this can be used as a flexible tool to
> > cover and/or spoof any kind of window and lure the user to execute
> > arbitrary code by performing one or two clicks (depening on security zone
> > configuration and Windows version).
> >
> > __Proof-of-Concept
> >
> > http://www.mikx.de/fireclicking/
> >
> > The PoC is designed for Internet Explorer 6 on Windows XP SP2 in Windows
> > classic theme. By clicking on the button in the upper left corner you
> > start the download of a hta file. The download dialog gets covered by a
> > Microsoft Agent character which fakes a button (basicly a large white
> > image with a button border in the middle). Move the character by dragging
> > to see how it uses a "transparent spot" to make room for clicking on the
> > underlying dialog through the button space. Transparent areas in
> > characters are really "not there", meaning you can click through them.
> >
> > When you click that button you execute arbitraty code in the hta file, in
> > this case you create the folder "c:\booom!". The button in the upper left
> > corner is only need to get around the "drive by download" protection of
> > Windows. When this protection is not in place (e.g. on Windows 2000) this
> > PoC could be reduced to a single click interaction to execute arbitrary
> > code.
> >
> > __Status
> >
> > The bug got fixed as part of the Microsoft Security Bulletin MS05-032
> > (yeah, last summer).
> >
> > The patch adds an additional security dialog before loading a custom agent
> > character. Be aware that in trusted zones that dialog might not raise.
> >
> > 2004-10-04 Vendor informed
> > 2004-10-06 Vendor opened case, could not repro
> > 2004-10-06 Vendor got new testcase
> > 2004-10-12 Vendor confirmed bug
> > 2005-06-14 Vendor relased patch and advisory
> > 2006-01-22 Public disclosure
> >
> > __Affected Software
> >
> > Internet Explorer on Windows 98, 98 SE, ME, XP, 2000, Server 2003 with
> > different severity. See Microsoft Security Bulletin MS05-032 for details.
> >
> > __Contact
> >
> > Michael Krax <mikx () mikx de>
> > http://www.mikx.de/
> >
> > mikx
> >
> >
> > _______________________________________________
> > Get your free port scan here: http://www.seifried.org/freescan2/
> >
> > security mailing list
> > security () lists seifried org
> > https://lists.seifried.org/mailman/listinfo/security
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/


--
Robert Q Kim, Wireless Internet Advisor
http://evdo-coverage.com/cell-repeater.html
http://hsdpa-coverage.com

2611 S. Pacific Coast Highway 101
Suite 102
Cardiff by the Sea, CA 92007
206 984 0880
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/