Saturday, May 13, 2000
MICROSOFT SECURITY FLAW?
Silent delivery and installation of an executable on a target computer. No
client input other than opening an email or newsgroup post.
1. Using the following, this can be accomplished with the default
installation of Windows 95 and 98 with Internet Explorer 5 and its
accompanying mail/news clients.
2. The key component is from Georgi Guninski:
http://www.nat.bg/~joro/wordpad-desc.html
3. The secondary component is a pre-installed ActiveX control directly
from Microsoft. This control and a variety of similar demonstrations were
shown to Microsoft over 18 months ago.
What to do:
A.
(a) Manufacture a *.chm file. The following kit from Microsoft, Microsoft®
HTML Help Workshop, is free and very easy to use:
http://msdn.microsoft.com/library/tools/htmlhelp/wkshp/download.htm
(b) Construct a new *.chm file, inputting the ActiveX link control as
follows:
(c) The control itself is quite sensitive to manipulation; the above
represents the bare minimum needed to run.
(d) Input the path of the executable you intend to run as in PARAM
name="Item1" above. To disguise the running of the executable, do not give
it a silly name; rather use something that is familiar to the operating
system, e.g. microsoftagent.exe.
(e) While constructing the *.chm, it is possible both to minimise the help
window and to offset its location once the *.chm is opened. For example,
during construction you can set the size of the help window and its
location: using the auto resizer in Microsoft® HTML Help, drag the sizer to
the smallest possible size. Although setting the size nominally requires
clicking OK inside the autosizer, dragging to the minimal size and hitting
ENTER will register the setting. Secondly, offset the location of the window
by inputting, say, 2000, 2000; this should suffice for it to open off-screen
on any size of monitor.
(f) Once you have compiled the *.chm, test its functionality by placing the
executable in your temp folder and opening the *.chm; it should run the
executable.
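As an added example (not part of the original post, and not Guninski's or Microsoft's code), the Python script below does the defender's version of steps (b) and (d): it scans the HTML source of a Help topic for the HTML Help ActiveX control configured with the ShortCut command, reports which program the Item1 parameter would launch, and notes whether script in the topic auto-clicks the control. The constructed sample topics, the control's CLSID, and the "window class,program,arguments" layout of Item1 are assumptions taken from the public HTML Help documentation; the post itself prints none of them.

```python
import re
from html.parser import HTMLParser

# CLSID of the HTML Help ActiveX control (hhctrl.ocx). Assumed from public
# HTML Help documentation; the post itself does not print it.
HHCTRL_CLSID = "adb880a6-d8ff-11cf-9377-00aa003b7a11"

# Constructed sample topic: the ShortCut form of the control with the program
# name suggested in step (d). Reconstructed for this example, not copied
# from the post.
SAMPLE_TOPIC = """<html><body>
<object id="hhctrl" type="application/x-oleobject"
        classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11">
  <param name="Command" value="ShortCut">
  <param name="Item1" value=",microsoftagent.exe,">
</object>
<script language="JavaScript">hhctrl.Click();</script>
</body></html>"""

# Constructed benign topic: the same control used only for a list of links.
BENIGN_TOPIC = """<html><body>
<object id="links" type="application/x-oleobject"
        classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11">
  <param name="Command" value="Related Topics">
  <param name="Item1" value="Overview;overview.htm">
</object>
</body></html>"""


class HHObjectScanner(HTMLParser):
    """Collect <object> elements with their <param> children and count
    script text that calls .Click() on anything."""

    def __init__(self):
        super().__init__()
        self.objects = []
        self._current = None
        self._in_script = False
        self.click_calls = 0

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "") for name, value in attrs}
        if tag == "object":
            self._current = {
                "id": attrs.get("id", ""),
                "classid": attrs.get("classid", "").lower(),
                "params": {},
            }
            self.objects.append(self._current)
        elif tag == "param" and self._current is not None:
            self._current["params"][attrs.get("name", "").lower()] = attrs.get("value", "")
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "object":
            self._current = None
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and re.search(r"\.click\s*\(", data, re.IGNORECASE):
            self.click_calls += 1


def find_shortcut_launchers(topic_html):
    """Return one finding per HTML Help control whose Command is ShortCut."""
    scanner = HHObjectScanner()
    scanner.feed(topic_html)
    scanner.close()
    findings = []
    for obj in scanner.objects:
        if HHCTRL_CLSID not in obj["classid"]:
            continue
        if obj["params"].get("command", "").strip().lower() != "shortcut":
            continue
        # Assumed Item1 layout: "window class,program,arguments".
        fields = obj["params"].get("item1", "").split(",")
        program = fields[1].strip() if len(fields) > 1 else fields[0].strip()
        findings.append({
            "object_id": obj["id"],
            "program": program,
            "auto_click": scanner.click_calls > 0,
        })
    return findings


if __name__ == "__main__":
    for name, topic in (("sample", SAMPLE_TOPIC), ("benign", BENIGN_TOPIC)):
        print(name, find_shortcut_launchers(topic))
```

The scan runs on the topic source before compilation (or on topics extracted from a .chm); it does not decompress the compiled file itself. The benign topic uses the same control and CLSID, which is why the check keys on the ShortCut command rather than on the mere presence of hhctrl.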
Now how do we place this on the target computer?
B.
(a) Simply by opening an email message or newsgroup post. The client does
nothing: they receive an email and open it, or read a newsgroup post, and
that is all. Both the *.exe and the *.chm are transferred silently and
immediately to the temp folder once the email or newsgroup post is opened.
How so?
(b) It is possible to embed almost anything in both HTML email and HTML
news. Current versions of Outlook Express 5 check that what is being
embedded is in fact the correct type of file, e.g. it will not embed a
*.doc as an image because a *.doc is obviously not an image file. Internet
Explorer 4 and the accompanying Outlook Express 4 do allow this, and
Netscape Messenger also allows it. Nevertheless, through proprietary
JavaScript and VBScript, it is possible to deliver an intact file to the
target computer's temp folder, but with a file name chosen by the computer,
e.g. 000321.doc. This does not serve the purpose of running the *.chm with
the explicit file name as above.
(c) The Microsoft Active Movie Control (AMC), pre-registered and
pre-installed on all Internet Explorer 5 computers, does. The very simple
scripting to do this is as follows:
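The AMC scripting referred to in (c) is not reproduced in this copy of the post. As an added example that is not the post's own script, the Python below instead shows the check from (b) that a mail client or gateway should make: it parses a constructed multipart HTML message and flags every part declared as an image whose leading bytes are really a Windows executable (MZ) or a compiled HTML Help file (ITSF). The sample message, the magic-byte table and the part names are all constructed for this example.

```python
import email
from email import policy
from email.message import EmailMessage

# Leading bytes that must never arrive under an image content type.
# Constructed for this example; extend as needed.
SUSPICIOUS_MAGIC = {
    b"MZ": "DOS/Windows executable",
    b"ITSF": "compiled HTML Help (.chm)",
}
IMAGE_MAGIC = (b"GIF87a", b"GIF89a", b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff")


def classify_payload(data):
    """Label the payload by its magic bytes rather than its declared type."""
    for magic, label in SUSPICIOUS_MAGIC.items():
        if data.startswith(magic):
            return label
    if data.startswith(IMAGE_MAGIC):
        return "image"
    return "unknown"


def find_disguised_parts(raw_message):
    """Return (filename, declared type, actual label) for every part that is
    declared as image/* but whose bytes are not an image."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        declared = part.get_content_type()
        if not declared.startswith("image/"):
            continue
        data = part.get_payload(decode=True) or b""
        actual = classify_payload(data)
        if actual != "image":
            hits.append((part.get_filename() or "", declared, actual))
    return hits


def build_sample_message():
    """Constructed HTML mail: one real GIF, then an .exe and a .chm both
    labelled as images, the way the post describes smuggling them in."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "reader@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content('<html><body><img src="cid:logo"></body></html>', subtype="html")
    msg.add_related(b"GIF89a" + b"\x00" * 16, maintype="image", subtype="gif",
                    cid="<logo>", filename="logo.gif")
    msg.add_related(b"MZ" + b"\x90" * 30, maintype="image", subtype="gif",
                    cid="<agent>", filename="microsoftagent.gif")
    msg.add_related(b"ITSF" + b"\x03\x00\x00\x00" + b"\x00" * 24, maintype="image",
                    subtype="jpeg", cid="<help>", filename="readme.jpg")
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, declared, actual in find_disguised_parts(build_sample_message()):
        print(f"{filename}: declared {declared}, actually {actual}")
```

The point of the check is the one the post attributes to Outlook Express 5: trust the bytes, not the Content-Type or the file extension. A client that only validates the extension, or none at all, is the one this delivery method relies on.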