What A Click! [Internet Explorer] Jan 24 2006 07:06PM
mikx (mikx mikx de) (1 replies)
Re: [security] What A Click! [Internet Explorer] Jan 27 2006 12:31AM
yossarian (yossarian planet nl) (1 replies)
Re: [security] What A Click! [Internet Explorer] Jan 27 2006 07:22PM
Lance James (lancej securescience net) (1 replies)
yossarian wrote:

> There is an easy trick to avoid a .HTA related 'thingie' such as this
> one: tell your windows to open .HTA files in notepad. It broke the
> beautifull PoC I guess, had it in place as long as this particular
> machine (2 years or so), it never broke anything before.

Is there a method of sandboxing the .HTA files? I mean, everything web,
should stay web?

> Second hint for people protecting lusers: design a nice corporate
> colors standard theme and disable the standard theme. Exit this kind
> of attack (since there are more ways to cover windows with malicious
> lookalikes).
> regards,
> yossarian
> ----- Original Message ----- From: "mikx" <mikx (at) mikx (dot) de [email concealed]>
> To: <full-disclosure (at) lists.grok.org (dot) uk [email concealed]>
> Cc: <bugtraq (at) securityfocus (dot) com [email concealed]>
> Sent: Tuesday, January 24, 2006 8:06 PM
> Subject: [security] What A Click! [Internet Explorer]
>> It's now almost 18 months ago that i posted my first security
>> advisory "What A Drag! -revisited-", seems to be a good time to post
>> "What A Click!".
>> Both bugs had about the same exploit potential, but i assume this one
>> will have far less impact and media response (which i consider a
>> great thing for various reasons). Thanks to everybody who researched,
>> worked, chatted, discussed and got drunk with me in the last months
>> to make this change happen - you know who you are.
>> __Summary
>> Using custom Microsoft Agent characters it is possible to cover any
>> kind of windows, including security or download dialogs. This is an
>> expected feature of the Microsoft Agent control. To quote the product
>> homepage: "Animations are drawn on top of any underlying application
>> window, characters are not bounded within their own, separate window"
>> (http://www.microsoft.com/msagent/prodinfo/datasheet.asp). Custom
>> characters can be created with tools downloadable from that homepage.
>> Because custom characters are fully scriptable, can have any kind of
>> shape and are downloaded automaticly, this can be used as a flexible
>> tool to cover and/or spoof any kind of window and lure the user to
>> execute arbitrary code by performing one or two clicks (depening on
>> security zone configuration and Windows version).
>> __Proof-of-Concept
>> http://www.mikx.de/fireclicking/
>> The PoC is designed for Internet Explorer 6 on Windows XP SP2 in
>> Windows classic theme. By clicking on the button in the upper left
>> corner you start the download of a hta file. The download dialog gets
>> covered by a Microsoft Agent character which fakes a button (basicly
>> a large white image with a button border in the middle). Move the
>> character by dragging to see how it uses a "transparent spot" to make
>> room for clicking on the underlying dialog through the button space.
>> Transparent areas in characters are really "not there", meaning you
>> can click through them.
>> When you click that button you execute arbitraty code in the hta
>> file, in this case you create the folder "c:\booom!". The button in
>> the upper left corner is only need to get around the "drive by
>> download" protection of Windows. When this protection is not in place
>> (e.g. on Windows 2000) this PoC could be reduced to a single click
>> interaction to execute arbitrary code.
>> __Status
>> The bug got fixed as part of the Microsoft Security Bulletin MS05-032
>> (yeah, last summer).
>> The patch adds an additional security dialog before loading a custom
>> agent character. Be aware that in trusted zones that dialog might not
>> raise.
>> 2004-10-04 Vendor informed
>> 2004-10-06 Vendor opened case, could not repro
>> 2004-10-06 Vendor got new testcase
>> 2004-10-12 Vendor confirmed bug
>> 2005-06-14 Vendor relased patch and advisory
>> 2006-01-22 Public disclosure
>> __Affected Software
>> Internet Explorer on Windows 98, 98 SE, ME, XP, 2000, Server 2003
>> with different severity. See Microsoft Security Bulletin MS05-032 for
>> details.
>> __Contact
>> Michael Krax <mikx (at) mikx (dot) de [email concealed]>
>> http://www.mikx.de/
>> mikx
>> _______________________________________________
>> Get your free port scan here: http://www.seifried.org/freescan2/
>> security mailing list
>> security (at) lists.seifried (dot) org [email concealed]
>> https://lists.seifried.org/mailman/listinfo/security

Best Regards,
Lance James
Secure Science Corporation
Author of 'Phishing Exposed'

[ reply ]
Re: [security] What A Click! [Internet Explorer] Jan 27 2006 09:51PM
yossarian (yossarian planet nl)


Privacy Statement
Copyright 2010, SecurityFocus