COMMAND

    COM, Internet Explorer

SYSTEMS AFFECTED

    WinNT, Win2000

PROBLEM

    Mnemonix found the following.  COM (the Component Object Model) allows
    client applications to communicate with server applications regardless
    of where the server lives: in the client's own process address space,
    in another process on the same machine, or on a remote computer on the
    other side of the planet.  A good example of COM in use is ActiveX,
    which is built on top of it.  When the author of a web page wants to
    embed an ActiveX control in the page they reference it by its CLASSID
    in an <OBJECT> tag, give the new instance an ID, and then use that ID
    from script to drive the control's functionality.  ActiveX controls,
    and indeed all other COM servers, are registered in the registry under
    HKCR (HKEY_CLASSES_ROOT): the classes themselves under HKCR\CLSID and
    their human-readable ProgIDs, such as Word.Document, directly under
    HKCR.

    Now, instead of instantiating a registered ActiveX control through an
    <OBJECT> tag, a script can simply ask COM for any registered ProgID:

        <SCRIPT LANGUAGE=VBScript>
        ' CreateObject() hands the ProgID to COM, which starts whatever
        ' server is registered for it - here winword.exe.
        Set WWObj = CreateObject("Word.Document")
        ' Drive the now-running application through its automation model.
        WWObj.SaveAs("c:\Mnemonix.doc")
        </SCRIPT>

    This HTML creates a WWObj object from the registered Word.Document
    ProgID.  To do so Internet Explorer asks the COM Service Control
    Manager (RPCSS.EXE on NT 4 and svchost.exe on Windows 2000) to start
    whatever application is registered for Word.Document, which it does.
    Only then, before WWObj.SaveAs() is run, does Internet Explorer pop up
    its warning about an ActiveX control that is not marked safe for
    scripting and ask whether it should be allowed to run.  Fine - well,
    not really, because winword.exe is already running by the time the
    question is asked: open up Task Manager to see it.  The safety check
    happens after the object has been created, not before.

    From here the user has two choices.  Clicking on "Yes" runs the rest
    of the code and a file called "Mnemonix.doc" is created in the root of
    the C: drive.  A definite please-don't-do-that-again.  (Rhetorical
    question: would it take much more to write macro code into the
    document and save it as Normal.dot, the global template - no macro
    warnings then?  Hmmm.)  Clicking on "No", on the other hand,
    terminates the application.  What if we don't create a Word.Document
    object, though?

    On Windows 2000 (Beta 3) - and boy, what a mess COM is there - there
    is a telnet server, but it is not started by default.  No problem:
    send the user an HTML mail containing

        <SCRIPT LANGUAGE=VBScript>
        ' No object is kept; merely asking COM for this ProgID makes the
        ' SCM start the service that hosts it (the telnet server).
        CreateObject("TlntSvr.EnumTelnetClientsSvr")
        </SCRIPT>

    In Outlook Express 5 even just highlighting the subject line, so that
    the message is rendered in the preview pane, will start the telnet
    service - even if a plain old user is logged on.  Sure, the security
    message pops up, but clicking on "No" does not stop the service: it
    keeps running.  (Nice back door?  Incidentally, as far as we can tell
    - we have not researched it enough yet - the telnet service uses the
    default DCOM security settings, so anyone with a local account can
    remotely start the service as well.)

    So what is the vulnerability (or vulnerabilities) here?  Well, we can
    create an instance of an application on someone's machine (mspaint.exe,
    winword.exe, wordpad.exe, and so on - just look through the HKCR
    portion of the registry and you will get the picture), and in some
    cases as many instances as we want.  Excel, for example: using a web
    page or e-mail that uses frames it is possible to create an instance
    of Excel for each frame - only 32 megs of RAM?  Sheesh - get an
    upgrade.

    Oh, and we can start services too.
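    To see which ProgIDs on a given host can be reached this way, here is
    an audit script added by the editor; it is not part of Mnemonix's
    original advisory and is written for modern PowerShell rather than the
    NT 4 / Windows 2000 tooling of the time.  It walks HKCR, resolves each
    ProgID to its CLSID, classifies how the server is hosted (in-process
    DLL via InprocServer32, out-of-process executable via LocalServer32 -
    the winword.exe case - or an NT service via an AppID carrying a
    LocalService value - the TlntSvr case) and checks whether the class is
    registered in the Safe-for-Scripting component category.  The two
    category GUIDs are the documented CATID_SafeForScripting and
    CATID_SafeForInitializing values; the function name and the column
    names are the editor's own.

```powershell
# Editor's audit script, not from the original advisory.  Lists every ProgID
# a web page or HTML mail could hand to CreateObject() and how its server is
# hosted.  Out-of-process and service-hosted servers are the ones whose
# process or service is started before Internet Explorer's safety prompt.
# Assumes a Windows host; reading HKCR needs no special rights.

$catSafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'  # CATID_SafeForScripting
$catSafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'  # CATID_SafeForInitializing
$hkcr = 'Registry::HKEY_CLASSES_ROOT'

function Get-ScriptableComServer {
    # Returns one record per ProgID, or $null if the key is not a ProgID.
    param([string]$ProgId)

    $clsidKey = "$hkcr\$ProgId\CLSID"
    if (-not (Test-Path -LiteralPath $clsidKey)) { return $null }
    $clsid = (Get-ItemProperty -LiteralPath $clsidKey).'(default)'
    if (-not $clsid) { return $null }
    $classKey = "$hkcr\CLSID\$clsid"
    if (-not (Test-Path -LiteralPath $classKey)) { return $null }

    $hosting = 'unknown'; $server = ''
    if (Test-Path -LiteralPath "$classKey\LocalServer32") {
        # A separate .exe is launched by the SCM for every CreateObject().
        $hosting = 'out-of-process exe'
        $server  = (Get-ItemProperty -LiteralPath "$classKey\LocalServer32").'(default)'
    } elseif (Test-Path -LiteralPath "$classKey\InprocServer32") {
        $hosting = 'in-process dll'
        $server  = (Get-ItemProperty -LiteralPath "$classKey\InprocServer32").'(default)'
    }
    # A server hosted inside an NT service advertises that through its AppID;
    # asking for the class makes the SCM start the named service.
    $appId = (Get-ItemProperty -LiteralPath $classKey -ErrorAction SilentlyContinue).AppID
    if ($appId -and (Test-Path -LiteralPath "$hkcr\AppID\$appId")) {
        $svc = (Get-ItemProperty -LiteralPath "$hkcr\AppID\$appId").LocalService
        if ($svc) { $hosting = 'NT service'; $server = $svc }
    }

    [pscustomobject]@{
        ProgId              = $ProgId
        CLSID               = $clsid
        Hosting             = $hosting
        Server              = $server
        SafeForScripting    = Test-Path -LiteralPath "$classKey\Implemented Categories\$catSafeForScripting"
        SafeForInitializing = Test-Path -LiteralPath "$classKey\Implemented Categories\$catSafeForInitializing"
    }
}

# Every top-level HKCR key with a CLSID subkey is a ProgID; skip file
# extensions (".doc") and raw GUID keys.
$report = Get-ChildItem -LiteralPath $hkcr -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -notlike '.*' -and $_.PSChildName -notlike '{*' } |
    ForEach-Object { Get-ScriptableComServer -ProgId $_.PSChildName } |
    Where-Object { $_ }

# The interesting rows: anything a page can start as a new process or
# service that has not declared itself safe for scripting in the registry.
$report |
    Where-Object { $_.Hosting -ne 'in-process dll' -and -not $_.SafeForScripting } |
    Sort-Object Hosting, ProgId |
    Format-Table ProgId, Hosting, Server, SafeForScripting -AutoSize
```

    Rows whose Hosting is an executable or a service and whose
    SafeForScripting is False are the classes a CreateObject() call from a
    web page or HTML mail would start before the user ever sees the
    prompt.  One caveat: a class can also declare its safety at run time
    by implementing IObjectSafety, which a registry-only check cannot see,
    so read False as "not declared in the registry" rather than as proof
    that the control is unsafe.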

SOLUTION

    Nothing yet.