lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <200208150037.g7F0bc8P023545@mail45.megamailservers.com>
From: http-equiv at malware.com (http-equiv@...ite.com)
Subject: SILLY BEHAVIOR : Internet Explorer 5.5 - 6.0

Wednesday, August 14, 2002

The following represents a trivial yet elaborate method of injecting 
arbitrary html into the "My Computer" zone on win98 using the 
Internet Explorer series of browsers.

Internet Explorer enjoys a unique component called the "Web Folder" 
component. This is a selectable component install with the original 
installation of the browser or can be added later on. This unique 
component allows for an assortment of web publishing and authoring 
conveniences, often touted as useful "feature".

But what it actually does, is create a nicely named file for us in a 
known location.

Where:

The Internet Explorer series 5 through 6 enjoy a related behavior to 
the so-called "Web Folder" component which allows us to point 
directly to one of these web folders and traverse it directly. 
However, should the folder not exist, an error message is generated 
and conveniently placed for us in the temp folder:

So:

This particular error message is nothing more than a server side 404 
error message which can be modified to suit our needs as we require.

Commence:

We first construct our trivial behavior to generate the error message 
like so:

<body onload=malware() style="behavior: url(#default#httpFolder);">
 <script>
function malware(){
document.body.navigate("http://www.microsoft.com");alert
("malware");open("file://C%3A%5CWINDOWS%5CTemp%5Cwecerr.txt")
}
 </script>>

What this will do is "probe" the target site for a webfolder, and if 
not found, create our error file in the temp folder as follows:

[screen shot: http://www.malware.com/behave.png 4KB]

Because the error fie is nothing more than a text file, we need to 
include our own html and allow Internet Explorer to 'read' it. 
Previously numerous possibilities to allow for this existed, 
including <object data="" type="text/html>, databinding with 
dataformatas="HTML", dotting file extensions etc.  These now all 
appear to be patched.

Good:

But because we can craft our own error message on the server and 
point our trivial behavior to it, we simply construct our error 
message like so:

MIME-Version: 1.0
Content-Type: text/html;
 charset="Windows-1252"
Content-Transfer-Encoding: 7bit

<br><br>
<body bgcolor=black>
<center><font size="24" color="red" 
face="arial">malware</font></center>

What that will do is generate our simple text file in our temp 
folder, and by merely mhtml'izing our url like so: open
("mhtml:file://C%3A%5CWINDOWS%5CTemp%5Cwecerr.txt"), Internet 
Explorer will open our text file in full html splendor. 

Inclusive of whatever other "objects" we so desire. 

[screen shot: http://www.malware.com/your.png 8KB]

Working Example:

note: windows98 with temp folder default.
note: requires the 'web component'
note: simple text file only for demo purposes

http://www.malware.com/behave.html


[screen shot: http://www.malware.com/self.png 12KB]


Notes: 

1. None.



End Call


-- 
http://www.malware.com






*yawn*








Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ