yossarian wrote: > There is an easy trick to avoid a .HTA related 'thingie' such as this > one: tell your windows to open .HTA files in notepad. It broke the > beautifull PoC I guess, had it in place as long as this particular > machine (2 years or so), it never broke anything before. Is there a method of sandboxing the .HTA files? I mean, everything web, should stay web? > > Second hint for people protecting lusers: design a nice corporate > colors standard theme and disable the standard theme. Exit this kind > of attack (since there are more ways to cover windows with malicious > lookalikes). > > regards, > > yossarian > > ----- Original Message ----- From: "mikx" <mikx@xxxxxxx> > To: <full-disclosure@xxxxxxxxxxxxxxxxx> > Cc: <bugtraq@xxxxxxxxxxxxxxxxx> > Sent: Tuesday, January 24, 2006 8:06 PM > Subject: [security] What A Click! [Internet Explorer] > > >> It's now almost 18 months ago that i posted my first security >> advisory "What A Drag! -revisited-", seems to be a good time to post >> "What A Click!". >> >> Both bugs had about the same exploit potential, but i assume this one >> will have far less impact and media response (which i consider a >> great thing for various reasons). Thanks to everybody who researched, >> worked, chatted, discussed and got drunk with me in the last months >> to make this change happen - you know who you are. >> >> __Summary >> >> Using custom Microsoft Agent characters it is possible to cover any >> kind of windows, including security or download dialogs. This is an >> expected feature of the Microsoft Agent control. To quote the product >> homepage: "Animations are drawn on top of any underlying application >> window, characters are not bounded within their own, separate window" >> (http://www.microsoft.com/msagent/prodinfo/datasheet.asp). Custom >> characters can be created with tools downloadable from that homepage. >> >> Because custom characters are fully scriptable, can have any kind of >> shape and are downloaded automaticly, this can be used as a flexible >> tool to cover and/or spoof any kind of window and lure the user to >> execute arbitrary code by performing one or two clicks (depening on >> security zone configuration and Windows version). >> >> __Proof-of-Concept >> >> http://www.mikx.de/fireclicking/ >> >> The PoC is designed for Internet Explorer 6 on Windows XP SP2 in >> Windows classic theme. By clicking on the button in the upper left >> corner you start the download of a hta file. The download dialog gets >> covered by a Microsoft Agent character which fakes a button (basicly >> a large white image with a button border in the middle). Move the >> character by dragging to see how it uses a "transparent spot" to make >> room for clicking on the underlying dialog through the button space. >> Transparent areas in characters are really "not there", meaning you >> can click through them. >> >> When you click that button you execute arbitraty code in the hta >> file, in this case you create the folder "c:\booom!". The button in >> the upper left corner is only need to get around the "drive by >> download" protection of Windows. When this protection is not in place >> (e.g. on Windows 2000) this PoC could be reduced to a single click >> interaction to execute arbitrary code. >> >> __Status >> >> The bug got fixed as part of the Microsoft Security Bulletin MS05-032 >> (yeah, last summer). >> >> The patch adds an additional security dialog before loading a custom >> agent character. Be aware that in trusted zones that dialog might not >> raise. >> >> 2004-10-04 Vendor informed >> 2004-10-06 Vendor opened case, could not repro >> 2004-10-06 Vendor got new testcase >> 2004-10-12 Vendor confirmed bug >> 2005-06-14 Vendor relased patch and advisory >> 2006-01-22 Public disclosure >> >> __Affected Software >> >> Internet Explorer on Windows 98, 98 SE, ME, XP, 2000, Server 2003 >> with different severity. See Microsoft Security Bulletin MS05-032 for >> details. >> >> __Contact >> >> Michael Krax <mikx@xxxxxxx> >> http://www.mikx.de/ >> >> mikx >> >> >> _______________________________________________ >> Get your free port scan here: http://www.seifried.org/freescan2/ >> >> security mailing list >> security@xxxxxxxxxxxxxxxxxx >> https://lists.seifried.org/mailman/listinfo/security > > > -- Best Regards, Lance James Secure Science Corporation www.securescience.net Author of 'Phishing Exposed' http://www.securescience.net/amazon/
