
Thread: Vulnerability: IE Execution Of Arbitrary Commands

  1. #1
    s0nIc (Fastest Thing Alive)
    Join Date: Sep 2001
    Location: Sydney
    Posts: 1,584

    Vulnerability: IE Execution Of Arbitrary Commands

    IE Execution Of Arbitrary Commands

    Topic: Executing arbitrary commands without Active Scripting or ActiveX.

    Affected applications:

    Any application that hosts the WebBrowser control (5.5+) is affected since this exploit does not require Active Scripting or ActiveX. Some of these applications are:
    * Microsoft Internet Explorer
    * Microsoft Outlook
    * Microsoft Outlook Express

    Introduction:
    =============

    In an advisory from Jan 10 2002 "The Pull" demonstrated how it is still possible to use an older bug (initially discovered by Dildog) in the HTML element to run arbitrary commands.

    Although "The Pull"'s findings were interesting, his analysis of the re-found bug was erroneous: the problem does not lie within the Popup object; the problem is with dynamically inserted HTML fragments at any point in the document.

    All "createPopup" does is create a (featureless) window containing an empty HTML document; this does not pose a threat. But later on, that document has HTML injected into it (using innerHTML), which is the actual problem.

    For example, the following code will work just the same:


    oSpan.innerHTML='';

    (Note: innerHTML is not the only property used to dynamically insert HTML into any element; it is also possible to use outerHTML, insertAdjacentHTML and more to gain the same results.)

    Discussion:
    ===========

    So now that we have identified the origin of the problem, we can search for ways to dynamically insert HTML without using any Active Scripting at all. It will then become possible to use this bug in more "protected" environments, such as Microsoft Outlook or Internet Explorer with Active Scripting and ActiveX disabled.

    One of the exciting features that came along in IE4 was Data Binding; it enables developers to completely separate any application data from the presentation layer. The data sources (DSO) for Data Binding can be almost anything: CSV files (with TDC), HTML, XML and many more. Data Binding binds HTML elements (data consumers) such as div or span to the DSO without the need for a single line of script code.

    We found out that when the "dataFormatAs" attribute is set to "HTML" on the consumer, Data Binding internally uses innerHTML in order to insert the data into the element (otherwise innerText is used).

    So all we need to do now is supply a DSO that contains the offending element; the rest will be done for us by the Data Binding engine, no scripting needed.

    Exploit:
    ========

    In the following example we're using an XML data-island as our DSO and a span element as the data consumer. Using XML is especially comfortable because it can be embedded within the document, without the need for external requests that may be stopped by the host application.


    ]]>

    Solution:
    =========

    There is no configuration-tweaking workaround for this bug; it will work as long as the browser parses HTML. The only possible solution must come in the form of a patch from Microsoft.

    Tested on:
    ==========

    IE5.5sp2 Win98, all patches, Active scripting and ActiveX disabled.
    IE5.5sp2 NT4 sp6a, all patches, Active scripting and ActiveX disabled.
    IE6sp1 Win2000 sp2, all patches, Active scripting and ActiveX disabled.
    IE6sp1 WinXP, all patches, Active scripting and ActiveX disabled.

    Demonstration:
    ==============

    We put together two proof-of-concept demonstrations:

    * Simple: attempts to run "c:/winnt/system32/calc.exe".
    * Advanced: lets the user pick what they want to run.

    They can both be found at http://security.greymagic.com/adv/gm001-ie/.

    Feedback:
    =========

    Please mail any questions or comments to security@greymagic.com.

    Source:
    http://www.xatrix.org/modules.php?op...thread&order=1
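    A defender-side check for the pattern the advisory above describes, added here as an example (it is not part of the GreyMagic advisory or of any post in this thread): a small content filter that parses an HTML document and reports every data consumer whose dataFormatAs is HTML, noting which of them are bound to an inline XML data island in the same document. The datasrc and datafld attribute names are IE's standard data-binding attributes (the advisory itself only names dataFormatAs); the two sample documents are constructed for this example and carry no payload.

```python
"""Report IE data-binding consumers that render bound data as HTML.

Added example for a mail-gateway or content-filter style check; not code
from the GreyMagic advisory or from this thread.  The datasrc/datafld
attribute names are IE's data-binding attributes (assumed here; the
advisory names only dataFormatAs).  The sample documents are constructed.
"""
from html.parser import HTMLParser


class DataBindingScanner(HTMLParser):
    """Collect <xml id="..."> data islands and every element whose
    dataFormatAs attribute is HTML, so bindings between them can be listed."""

    def __init__(self):
        super().__init__()
        self.islands = set()        # ids of inline <xml id="..."> islands
        self.html_consumers = []    # (tag, datasrc, datafld) with dataFormatAs=HTML

    def handle_starttag(self, tag, attrs):
        # html.parser lower-cases tag and attribute names; values may be None.
        a = {k: (v or "") for k, v in attrs}
        if tag == "xml" and "id" in a:
            self.islands.add(a["id"])
            return
        if a.get("dataformatas", "").lower() == "html":
            self.html_consumers.append(
                (tag, a.get("datasrc", ""), a.get("datafld", "")))


def find_html_bindings(document: str) -> list:
    """Return one finding per consumer that renders its bound field as HTML.

    A consumer whose datasrc is "#id" for an island in the same document is
    exactly the advisory's case: the data-binding engine assigns the field
    through innerHTML with no script involved.  Consumers with an external
    or unresolved datasrc are still reported (inline_island=False), since
    the data would arrive from the DSO later.
    """
    scanner = DataBindingScanner()
    scanner.feed(document)
    scanner.close()
    findings = []
    for tag, datasrc, datafld in scanner.html_consumers:
        ref = datasrc[1:] if datasrc.startswith("#") else ""
        findings.append({
            "element": tag,
            "datasrc": datasrc,
            "datafld": datafld,
            "inline_island": ref != "" and ref in scanner.islands,
        })
    return findings


# Constructed sample: island bound to a span with dataFormatAs="HTML".
SUSPICIOUS = """<html><body>
<xml id="dso"><rows><row><content>&lt;b&gt;bound&lt;/b&gt;</content></row></rows></xml>
<span datasrc="#dso" datafld="content" dataFormatAs="HTML"></span>
</body></html>"""

# Constructed sample: same island, but consumers render as text (innerText).
BENIGN = """<html><body>
<xml id="dso"><rows><row><content>plain</content></row></rows></xml>
<span datasrc="#dso" datafld="content" dataFormatAs="text"></span>
<div datasrc="#dso" datafld="content"></div>
</body></html>"""


if __name__ == "__main__":
    for name, doc in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, find_html_bindings(doc))
```

    Because the advisory notes that a consumer without dataFormatAs="HTML" is filled through innerText, the benign sample produces no finding, while the suspicious one yields a single span finding with inline_island set. In a gateway the findings list would drive a block or strip decision; a conservative policy strips the dataFormatAs attribute from every consumer rather than trying to judge what the island contains.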

  2. #2
    Pooh-Bear, Senior Member
    Join Date: Nov 2001
    Posts: 276

    Bloody scary thing this..
    However, the greymagic link (at the bottom of s0nic's post) dun open my calculator since I run 98, but here's one that does.

    TEST

    I haven't had the chance to test the url with 2k. Can anyone check it?
    Dear Santa, I liked the mp3 player I got but next christmas I want a SA-7 surface to air missile

  3. #3
    AntiOnline Senior Medicine Man
    Join Date: Nov 2001
    Posts: 724
    I wish more ppl could post like this....Very informative S0nic......
    Greenies for you.
    It is better to be HATED for who you are, than LOVED for who you are NOT.

    THC/IP Version 4.2

  4. #4
    BrainStop, Senior Member
    Join Date: Jan 2002
    Posts: 295

    Originally posted here by Pooh-Bear:
        I haven't had the chance to test the url with 2k. Can anyone check it?

    Sorry for the slow reply .... I just tested it on Win2K, SP2 with IE 5.5 SP1 ... it works ...

    *shiver*

    Scary indeed ...

    Cheers,

    BrainStop
    "To estimate the time it takes to do a task, estimate the time you think it should take, multiply by two, and change the unit of measure to the next highest unit. Thus we allocate two days for a one-hour task." -- Westheimer's Rule

  5. #5
    Pooh-Bear, Senior Member
    Join Date: Nov 2001
    Posts: 276
    **censored due to stupidity and alcohol**

    I'm just gonna log out and go to bed or something.

    all you kids out there, the devil is in the bottle
    Dear Santa, I liked the mp3 player I got but next christmas I want a SA-7 surface to air missile

  6. #6
    Junior Member
    Join Date: Mar 2002
    Posts: 7
    Having despatched that particular devil 3 years ago at age 44, my only regret is that I didn't do it at age 24. Life still sux, but at least now I'm awake, alert, and oriented enough to deal with it.

  7. #7
    Senior Member
    Join Date: Aug 2001
    Location: Pittsburgh
    Posts: 153
    Hmm...well I just tested it on win95 with IE 5.5 and yes I tried both of the links and it does not work! It looks like win95 is not affected by this bug but if anyone finds any info on this vulnerability and win95 please let me know.

  8. #8
    Senior Member
    Join Date: Feb 2002
    Posts: 253

    I ran the s0nIc test on:
    IE5.5 sp2; Win98se, Active Scripting blocked &
    IE6.0, Win98; Active Scripting blocked
    In both cases, the code ran but NAV 7.0(2001) stopped both exploits.
    On the other hand, the Pooh-Bear test was run and the calculator appeared both times.

    BTW, Symantec calls the intruder in question XMLid.Exploit. See:
    http://securityresponse.symantec.com...d.exploit.html

    Good reason to keep virus definitions up to date.
