COMMAND
Internet Explorer
SYSTEMS AFFECTED
MS Win systems
PROBLEM
Charles D. O'Dale found the following. He discovered a simple way in
which a user's hard drive may be unexpectedly formatted via the
World Wide Web using the Internet Explorer web browser -- no
ActiveX required. This attack involves uploading a .bat or .pif
file (for the Format command) and linking it via html to a
standard web page. Once this link is clicked and the user agrees
to 'Open' the file presented, a process will be started -- without
prompting from the user -- to format the user's hard drive. The
key is the Format command's "/autotest" flag, which was put in
place early in MS-DOS's history to assist in batch processing,
and was probably dropped from the documentation some time back.
It can be tested for by entering:
Format a: /autotest
at the MS-DOS C:\ prompt. The automated format via web page can
be accomplished as follows (with the example shown demonstrating
how to create a link on a web page which will automatically format
Drive A):
1) Either:
   Create a .pif file ("Format.pif") with the Command Line set to:
     C:\WINDOWS\COMMAND\FORMAT.COM a: /autotest
   and the Working Line set to:
     C:\WINDOWS\COMMAND
   or:
   Create a .bat file ("Format.bat") containing the single command:
     format a: /autotest
2) Link to the file from a web page as follows:
     <a href="Format.pif">Click Me</a>
   or:
     <a href="Format.bat">Click Me</a>
   according to the method chosen in step 1. These links may be
   placed beneath graphics or text, as would be found on a regular
   web page.
3) Upload the html document and the .pif or .bat file to the
   targeted web server directory and wait for an unwary user to
   click the link and choose 'Open'.
These steps don't create a Trojan Horse so much as an outright
"Cyber Mine" which will be activated on a user's machine the
instant they click the link and accept the file into their
system. As the download of the < 1k file is almost instantaneous,
the user's data will be damaged in a matter of seconds.
The nasty kicker to this particular operation is the "/autotest"
flag, which automatically activates the command preceding it (in
this case, the malicious Format) without requiring an
acknowledgement from the user. Although the user will be
prompted to either 'Save' or 'Open' the file before any damage
can be done, it is easy to see how a trusted web site,
compromised by a malicious cracker and mined in the manner
described above, could deliver this damaging bomb.
Reading a trusted web page, the unwary user would click the mined
link and accept the file into their system. Given a suitable
name, such as 'Business_Plan.bat' or 'Secure.pif', it's
reasonable to expect an average user to choose 'Open' when
reading this file, as they would normally be provided with an
option to save or discard the document at a later time and so
have it held -- relatively harmlessly -- in memory. However,
with the mined link, an automated format would be started instead.
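As an added example (not part of the original advisory), the following Python scan is what a site operator could run over uploaded or published files to spot a "mined" site of the kind described above: it flags executable extensions that a web directory has no reason to serve, an unattended FORMAT command line (the "/autotest" flag, in text .bat files or in the raw bytes of a binary .pif), and HTML that links to such files. The sample files, the "Secure.pif" byte layout and the function names are constructed for the example and do not reproduce the real PIF file structure.

```python
import os
import re

# File types Windows hands to COMMAND.COM or the PIF loader instead of
# displaying; a normal web directory has no reason to publish them.
EXECUTABLE_EXTENSIONS = {".bat", ".pif", ".com", ".exe"}

# "format a: /autotest" with an optional path/.COM suffix and any other
# switches before /autotest.  Bytes pattern so it works on binary .pif too.
FORMAT_AUTOTEST = re.compile(
    rb"format(?:\.com)?\s+[a-z]:\s*(?:/\S+\s*)*?/autotest\b", re.IGNORECASE)

# href="...Format.pif" style links to an executable file type.
EXEC_LINK = re.compile(
    rb"""href\s*=\s*["']?([^"'>\s]+\.(?:bat|pif|com|exe))""", re.IGNORECASE)


def scan_upload(filename, data):
    """Return a list of findings for one file (empty list = nothing suspicious)."""
    findings = []
    ext = os.path.splitext(filename)[1].lower()
    if ext in EXECUTABLE_EXTENSIONS:
        findings.append(f"executable extension {ext}")
    # Search raw bytes: a .pif stores its command line as plain ASCII inside
    # a binary record, so no decoding is attempted.
    if FORMAT_AUTOTEST.search(data):
        findings.append("unattended FORMAT (/autotest)")
    for target in EXEC_LINK.findall(data):
        findings.append("links to executable " + target.decode("ascii", "replace"))
    return findings


def sweep(files):
    """Scan a {filename: bytes} mapping; return {filename: findings} for flagged files."""
    flagged = {}
    for name, data in files.items():
        findings = scan_upload(name, data)
        if findings:
            flagged[name] = findings
    return flagged


# Constructed sample site contents (the .pif bytes are a stand-in, not a real PIF).
SAMPLE_FILES = {
    "Business_Plan.bat": b"@echo off\r\nformat a: /autotest\r\n",
    "Secure.pif": b"\x00" * 36 + b"C:\\WINDOWS\\COMMAND\\FORMAT.COM a: /autotest" + b"\x00" * 20,
    "index.html": b'<a href="Business_Plan.bat">Click Me</a>',
    "cleanup.bat": b"@echo off\r\ndel *.tmp\r\n",
    "about.html": b"<p>Welcome</p>",
}

if __name__ == "__main__":
    for name, findings in sweep(SAMPLE_FILES).items():
        print(name, "->", "; ".join(findings))
```

Matching is case-insensitive and tolerant of extra switches, so `FORMAT C: /Q /AUTOTEST` is caught as well as the exact form on this page.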
SOLUTION
Nothing yet. Changing how *.bat and *.pif files are handled would be
a good solution... However, contrary to what seems to be implied
above, people do get a 'do you want to run...' prompt with the file
named.