WSHOM.OCX Exploit

Discussion in 'other security issues & news' started by Nancy_McAleavey, Mar 24, 2002.

Thread Status:
Not open for further replies.
  1. Nancy_McAleavey

    Nancy_McAleavey Expert Member

    Joined:
    Feb 10, 2002
    Posts:
    244
    Location:
    Voorheesville, NY, USA
    Yesterday evening, a new script exploit was brought to my attention. :-/

    We grabbed a copy and analysed it overnight in our lab. This exploit disabled mouse, monitor and keyboard, edited the registry to remain in the system and then filled the hard disk swap space and memory. After this it formatted the C: drive. If you turned off your machine, it would write to WININIT.INI to continue on the next boot before Windows could start in order to finish its complete destruction of your system. A number of "web trojan downloader" exploits also make use of these functions to cause Internet Explorer to automatically download back door trojans without placing a screen to let you know that this was occurring. "dotNET" extensions when enabled in the Internet Zone are DANGEROUS. The WSHOM.OCX file is the core of this risk and is not easily removed owing to Microsoft's "system restore" which will put it back. This is a completely separate issue from "DataSource Object" exploits for which we created DSOStop although using our FREE DSOStop software and making certain that you've checked the "Internet Zone" protection will also help. That's why we included the "Internet Zone" in its coverage.
    Our IEClean completes the protection package for this exploit if you don't wish to edit the
    registry yourself.

    Come to our website:

    http://www.nsclean.com

    and see for yourself. The test is PERFECTLY SAFE, it involves an attempt to open 3
    instances of CALC (calculator) on your system. It does not send ANY information from your
    system back to us either.  
     
  2. SPY

    SPY Guest

    I tried the test and nothing happened, is this OS specific? I am using XP Pro, I did have active X turned off, but I turned it on, and restarted my browser, cause I wanted to see the effects, I just saw the pop ups, telling me what would happen and presses ok, but after 7 times, I gave up, so that is why I am asking, is this OS specific.
     
  3. MickeyTheMan

    MickeyTheMan Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    1,016
    These exploits try to take advantage of IE's weaknesses : Javascript, Scripting and ActiveX functions all originally intended to be permitted by Microsoft.
     
  4. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    i just tried the test too; got the 2 pop-up warnings of what could happen...but i didn't get the 3 CACL.EXE things.

    i gave it several tries in IE and still didn't get the 3 CACL.EXE pop-ups, so i tried it again in Netscape but only got the 2 pop-up boxes telling me what was/could about to happen...but no CACL.EXE appeared.

    i do have javascript, active x, and scripting enabled (some set to prompt)...i know i know...but i NEED them enabled.....yes i do. ~lol~

    was a li'l curious about this part though (sorry, not sure how to use the quote feature here yet)  but where it said: "The WSHOM.OCX file is the core of this risk and is not easily removed owing to Microsoft's "system restore" which will put it back."

    ummm...i did a file search for that WSHOM.OCX and i don't have it on my Windows 98SE system....?  (i am guessing this is good huh?) ~nods~ :)
     
  5. MickeyTheMan

    MickeyTheMan Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    1,016
     
  6. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    WSH - Windows Scripting Host
    People with WormGuard (www.diamondcs.com.au) are protected already. This is one of the reasons why we did not get those boxes in the test, besides other security settings, patches, whatever.....
    With this it is not necessary to cripple windows/IE even more.
    Thanks for the test and fine explanation.

    The description in the GM test is not quite clear to me what is supposed to happen or not happen from the descriptions there.
    It would certainly help a few lines in the pages to that description explaining that part. Thanks in advance!
     
  7. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    For those of you who didn't catch this, here's a copy-and-paste of Kevins' GRC post relating to this:

    "Rather than reply to an individual message, I'll put this up "blind" in
    hopes that this will help to explain the various outcomes for all. My NEXT
    message will describe how to interpret what you found in visiting our
    site, but I felt it would also be useful to explain WHY we did all this in
    the first place.

    Sorry for the confusion and the wait, folks ... I really needed to get
    some sleep after trying to figure out what we had here. I had *hoped* that
    there wouldn't be many people for whom this exploit functioned, but what
    was so disturbing about it for me is that it shouldn't work at ALL for
    anybody. Before I explain what to make of the results, let me fill
    everyone in on what this was about first and why we became sufficiently
    concerned to put up this test in the first place.

    On Saturday night, a well meaning soul posted a question on another
    security forum wondering why only one antivirus program detected the
    "Trojan.BAT.FormatCQ" javascript exploit and then posted a link to a live
    site containing the nasty on it. It's always been my OWN understanding
    that "WSHShell" functions could only be run on the local machine and that
    it's supposedly not possible for it to run across the "Internet Zone" in
    Internet Explorer. What became of this though was other people had
    discovered that the script INDEED ran, and could run WITHOUT AN ACTIVEX
    warning all by its lonesome.

    Further discussion turned to "I get a warning with IE5 but with IE6 it
    just runs." The exploit in question deletes registry keys, stuffs memory,
    and then quietly begins formatting the C: drive with the /Q switch. In
    addition, the exploit makes other changes to windows so that it could not
    be rebooted and by disabling the mouse, keyboard, monitor and PCMCIA card
    (though PCMCIA was spelled incorrectly). FORTUNATELY the script in
    question had some flaws in it that prevented it from doing all it was
    advertised to do although it DID start formatting the C: drive. The VAST
    majority of people said that they only received a blank page that did
    nothing while others said it popped right up and started going. THAT was
    what raised my own concerns about it since we had just dealt with the
    "data source object" issue just a day or two ago and this was SOMETHING
    ELSE.

    After that discussion, I received email from some other people who had
    fallen victim to that exploit in other places and they informed me that
    they were using IE6, had all their patches, and it still trashed their
    system without any warning whatsoever. Others indicated that they had
    received a "This page contains ActiveX content that might be dangerous to
    other elements on this page" (whatever THAT means) and did what they
    usually do ... they let it RUN after getting a warning box. It was that
    some never got the warning box at all that was a major concern in my eyes.
    So for a number of hours, we played with it among our lab rats in
    "BOCleanville" and one XP machine that had its recent Microsoft updates
    (most of our machines stay unpatched for trojan testing in worst-case
    scnarios and run across all versions of browsers and OS versions with and
    without patches, a pretty good "sample" of what normal people have and do)
    went and ran the emasculated nasty we edited from the original (we changed
    FORMAT C: /Q to CALC) from a server in the Internet zone and up came CALC.
    We finally reproduced it on *ONE* machine here our of our entire
    laboratory.

    So what we determined HERE was that it WAS possible for the script to run
    "across the Internet" (WSHShell should NOT) and that on MOST machines, an
    "ActiveX warning box" DID appear. Only on one machine did it NOT. When
    "Yes" was selected on the ActiveX warning box, the CALCs appeared. If you
    hit cancel, it didn't. Assuming you were given the choice to refuse it of
    course. This generated my own concern. But there were more and I'll get to
    those later.

    What I didn't understand is that WSHShell isn't supposed to do ANYTHING
    if it's in the Internet Zone, and yet there it was doing it. Given what we
    saw and what was reported by others, we put together a SAFE version of the
    exploit to allow people to test their own machine based on what we
    observed with the actual nasty. What we DO know is that turning off
    ActiveX and Javascripting in the Internet Zone does stop this puppy.
    Unfortunately since we were looking at this exploit directly and we use
    IEClean here, we did NOT take the time to determine WHICH "Security Zone
    settings" were involved - in our testing, we let IEClean handle a number
    of ActiveX and Javascript things the way IEClean handles it. Others are
    welcome to play with their own Internet Explorer settings in hopes of
    determining which security zone settings will affect this vulnerability.

    Some information on the capabilities that the WSHShell exposes can be
    read here:

      http://www.winguides.com/scripting/reference.php?category=3

    Now if you really want to get nervous, try this ... go back to our site
    at:

     http://www.nsclean.com/exploit.htm

    And SAVE the file to your desktop. Go offline and then open it locally.
    It will DEFINITELY run in Internet Explorer and may or may not produce
    that "ActiveX" warning. Now be mindful of course that this "WSHShell"
    stuff SHOULD be able to work on your local machine. However, let's bear in
    mind that a website could drop this in your CACHES and then invoke it
    locally using the DSO exploit or one of many others. Even with your
    internet protections, now that a WEB PAGE is on your local machine, this
    second step of a local copy (there'll be one in your caches just by
    visiting our site on the internet) will now allow the exploit to work on
    just about any copy of Internet Explorer. While this scenario is
    far-fetched (is it really?) this will complete the picture of why I found
    this whole thing a bit worrisome.
    --
    NSClean Privacy Software division
    Privacy Software Corporation
    http://www.nsclean.com
    kevinmca@nsclean.com
     
  8. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Kevins' explanation of the results:

    "INTERPRETING THE WSHOM.OCX TEST

    The OBJECTIVE of the test is to see whether or not three copies of the
    Windows Calculator (CALC.EXE) appear on your screen. The appearance of the
    instances of the CALC program means that your machine is exposed to this
    exploit and you are vulnerable. The WSHShell exploit can ONLY work under
    Internet Explorer. Netscape, Mozilla, Opera and other browsers that do NOT
    use Microsoft's scripting are safe and this vulnerability does not exist
    under Netscape, newer versions of Opera or Mozilla.

    If you were offered a warning that says in effect "An ActiveX control on
    this page might be unsafe to interact with other parts of this page. Do
    you want to allow this interaction?" (a rather vague warning that
    certainly doesn't indicate that the script may destroy your machine) that
    warning indicates that you have ActiveX enabled (in prompt mode) and if
    you click on YES, then the 3 calculator instances will appear. If you clik
    on NO, then the script won't run and CALC won't appear. If the "ActiveX
    warning" doesn't appear, then ActiveX is turned off on your machine and
    you are safe.

    If this box appears but CALC doesn't, then either you've removed the CALC
    application from Windows or you have removed Windows Scripting Host.
    However, the WSHOM.OCX file is *NOT* removed if you uninstall Windows
    Scripting Host. It is WSHOM.OCX that is responsible for this
    "functionality."

    Prior to the attempt to run the 3 copies of CALC, there is a "javascript"
    popup window that first explains that we're going to try to run 3 copies
    of CALC and indicates that no harm will occur if you allow it to run.
    That'll be the first popup you see before CALC runs. After CALC either
    runs or doesn't run, a second popup appears that starts with "In this
    test, we only opened 3 copies of CALCULATOR" ... if you don't see the CALC
    program three times on your screen, then the WSHShell exploit is disabled
    on your machine and you're safe.

    Because we didn't want to have your machine interacting with our server,
    we did not come up with a means of determining whether or not the exploit
    was successfully run on your machine. The second "popup" screen's purpose
    is to let you know that the test had been done and indicates that if you
    DID see the three copies of CALC running, then there's a problem with
    scripting on your machine.

    Thus, if you DIDN'T see the three copies of CALC, then you're safe from
    this exploit. The two popups are done in plain "javascript" and while we
    consider "javascript" dangerous too, it's not as dangerous as ActiveX. If
    you didn't get the popups EITHER, then you should have seen a message on
    the page itself that says:
    --------------------------------------------------------------------------------
    You are immune to the "WSHOM.OCX" exploit ... congratulations on SAFE
    computing!
    You have both ActiveX and "Scripting" disabled on your computer.
    --------------------------------------------------------------------------------

    If you got the above message, it means that you have both ActiveX and
    javascripting turned off in your "internet zone" and are extremely safe.
    Safe computing suggests that you should always have both javascript and
    ActiveX turned off entirely in the "Internet zone" and any sites that you
    visit that require either of these should be moved to the TRUSTED SITES
    zone. This method offers the maximum possible security since you never
    know when you might get redirected to a rogue site by one you visit. (X-10
    pop-unders anyone?)

    Another thing we've been getting a few reports of is the Internet
    Explorer browser literally GAGGING on the script. My best guess is that
    this is because the scripting host or WSHOM.OCX is missing or being
    blocked by something else. But for most people, it either is ignored, or
    it works. This is something else we're trying to see by doing this test so
    you can have an idea of what YOUR machine will do should it encounter this
    exploit from a malevolent site.

    Finally - this exploit ONLY applies to Internet Explorer and browsers
    derived from Microsoft's browser objects. Netscape, Mozilla and recent
    versions of Opera are SAFE all by themselves because they CANNOT run
    ActiveX unless you have installed the "ActiveX plug-in for Netscape."

    Hope this helps ..."
     
  9. eyespy

    eyespy Registered Member

    Joined:
    Feb 20, 2002
    Posts:
    490
    Location:
    Oh Canada !!
    Hi all !
            Well I'm running Win98SE and SPF 4.2.
    I've tried the "WSHOM.OCX Exploit Test Page", and I get the same thing...no 3 calc.exe's, and no prompt asking me to allow a Java script or Active x app.
    I do have WSHOM.OCX on my system. Is the FIREWALL interfering with this test ?
    Sorry, I don't get it !!
                Bill o_O
     
  10. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Do you have 'Calc' installed?

    Do you run any program such as NoScript (from Symantec)?

    Is WSH installed on your computer? Pete
     
  11. Blacksheep

    Blacksheep Spyware Fighter

    Joined:
    Feb 9, 2002
    Posts:
    109
    Location:
    Missouri, USA
    Wscript.exe is Windows scripting host for Win98SE
     
  12. eyespy

    eyespy Registered Member

    Joined:
    Feb 20, 2002
    Posts:
    490
    Location:
    Oh Canada !!

     Yes, I have CAL installed, I don't use any Symantec products, and I have WSH installed on my PC !! :-/
         billmac
     
  13. SPY

    SPY Guest

    Ok I copied the script to my desktop, saved it in notepad, as  test.html, Then I activated it, NAV2002, stop it dead in it's tracks, but I went ahead and told NAV2002, to allow it, one time, and the cal.exe popped up once.

    So my firewall, is probably preventing it from activating via internet, but if it did activate NAV2002 would have stopped it.

    Here is a pic of NAV2002 stopping it. http://server49.hypermart.net/vampirefo/NAV.gif
     
  14. FanJ

    FanJ Guest

  15. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    i'm in the same boat as billmac...i don't get ito_O

    i tried the text again with both browsers in several different ways and each time it would be the same results:  i'd get the first pop-up telling me it was going to see if it could create the 3 copies of CALC and that i should see an Active X warning too....(i never did see any Active X warnings though).....then i'd get the 2nd pop-up saying "in this test we only opened 3 copies of Calculator......"  (but there were no copies of Calculator or anything else but that 2nd pop-up box)

    Mickey, i did a search again on my Win98SE using the File Find...and then going in manually and searching the drive too...and no where do i have a file called WSHOM.OCX.....i don't even have the file called Wscript.exe.  i have no idea why though because i do have Wsh installed and the Calc.exe file installed.

    Win98SE
    Wscript.exe and WSHOM.OCX (not on system)
    Calc.exe and Wsh - installed
    McAfee Ver 4.0.4194, On-Line (just updated Dats prior to testing)
    SPF Ver 4.2 - active
    WG - active
    HTAstop - active
    TDS-3 - active
    IE 5.50 - all patches installed, Internet Zone at Med Security, ActiveX & Scripting Enabled.
    NetScape 4.76 with Java Script Enabled.

    (then tested the other pc)
    WinXP-Home
    Wscript.exe, WSHOM.OCX, Calc.exe, Wsh all installed on system.
    NOD32 Ver 4.2 - active
    SPF Ver 4.2 - active
    IE 6.0 - no patches installed (i just got this thing), Internet Zone at Med. Security, ActiveX & Scripting at Default Settings.

    i am still a bit lost with this test....from what i've read it's a good thing that the 3 Calcs didn't appear, but i am still unsure if i am vulnerable to this exploit, or not, or to what degree, since i didn't get the "You're immune verdict" either.  :-/
     
  16. Checkout

    Checkout Security Rhinoceros

    Joined:
    Feb 11, 2002
    Posts:
    1,226
    Mickey, it'd be damned hard to exploit IE's strengths - it hasn't got any!
     
  17. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Like written above, if you've WormGuard installed you're protected. Had hoped for WG popping up with a warning maybe, but a lot is blocked in the background.
    You can try to disable WG a moment and do the test again and see if you come through it now?
    After don't forget to enable and test it again!
     
  18. Blacksheep

    Blacksheep Spyware Fighter

    Joined:
    Feb 9, 2002
    Posts:
    109
    Location:
    Missouri, USA
    snapdragin,

    Wscript.exe is the Windows scripting host for Win98SE

    http://service4.symantec.com/SUPPORT/nav.nsf/docid/2000050512031906&src=n
     
Loading...
Thread Status:
Not open for further replies.