From: tlarholm at pivx.com (tlarholm@...x.com)
Subject: Self-Executing HTML: Internet Explorer 5.5 and 6.0 Part IV

Microsoft was not wrong to have HTA, they were wrong to have local
security zones in IE. If you take away the My Computer zone in IE you
are left with a perfect example of proper sandboxing - the Internet Zone
with a small amount of privileges running code automatically and HTML
Applictions with full privileges for running unsafe content, the latter
requiring complete user consent.

The proper way to disable HTA related exploits in IE is to remove the
application/hta mime-type, which should never have been put in place to
begin with. This also leaves in place the functionality of HTA without
the IE attack vector.

Opening an HTA from a local file system is the equivelant to opening an
EXE file from a local file system, and by removing its mime-type HTA
files are treated no differently than EXE files in IE. This is also one
of the things we do in Qwik-Fix ;)


Regards

Thor Larholm
Senior Security Researcher
PivX Solutions
24 Corporate Plaza #180
Newport Beach, CA 92660
http://www.pivx.com
thor@...x.com
949-231-8496

PivX defines "Proactive Threat Mitigation". Get a FREE Beta Version of
Qwik-Fix
<http://www.qwik-fix.net> 

-----Original Message-----
From: Erik van Straten [mailto:emvs.fd.3FB4D11C@....tn.tudelft.nl] 
Sent: Friday, January 02, 2004 7:03 AM
To: full-disclosure@...ts.netsys.com
Subject: Re: [Full-Disclosure] Self-Executing HTML: Internet Explorer
5.5 and 6.0 Part IV


On Thu, 1 Jan 2004 22:41:35 -0000 "http-equiv@...ite.com" wrote: 
[snip]
> Fully self-contained harmless *.exe:
> 
> http://www.malware.com/exe-cute-html.zip
[snip]

This doesn't look like self-executing HTML - anyway.

[Disabling Mshta.exe]

Microsoft is _WRONG_ to have HTA interpreted by default, and not even
provide an option to disable it. All HTA's I've seen (quite some) were
malware.

To prevent this particular exploit from running, you may want to delete
or rename mshta.exe --At Your Own Risk--. I've done this on all boxes I
manage on 20030909 and haven't ran into problems. I've not restored this
after applying MS03-040, since lusers will click OK because they don't
know what an HTA is. Note: MS03-040 won't block this exploit, and other
browsers may invoke mshta.exe.

If mshta.exe is also in the DLLCache subdir, you may have to boot safe
mode with command prompt, and rename/delete it in both DLLCache and
System32.

Warning: do not boot Safe Mode With Networking, because then XP-ICF
(Internet Connection Firewall) does not run (thanks MS).

[Other Attack Vectors]

Unfortunately more attack vectors are possible. Please refrain from
publishing them, the point was made (you'll be helping "the patch"
morons et al, which backfires if they joe-job you or your site).

As a test I've just killbitted Shell.Application:

---------- cut here ----------
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX
Compatibility\{13709620-C279-11CE-A49E-444553540000}]
"Compatibility Flags"=dword:00000400 "Comments"="Shell.Application
kill-bit/killbit 20040102"
"Reason#1"="http://seclists.org/lists/fulldisclosure/2004/Jan/0002.html"
"Reason#2"="Self-Executing HTML: Internet Explorer 5.5 and 6.0 Part IV"
-------- end cut here --------

Watch out for line wraps; there should be 7 lines. The last 3 lines are
optional but help me locate why/what/when.

It prevents the exploit, however I don't know what this breaks; if
anyone knows, please respond to the list (no metoo's and "use another
browser" BS, please). Also: start a new thread+subject if you wish to
comment on the ICF issue, portscans, or blah.

Happy 04.
Erik

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Powered by blists - more mailing lists