The dangers of using HTML applications (.hta) have been discussed previously. This theoretical threat has now been proven and can be tested for by using the attached exploit code.
The HTA exploit code displays a pop-up frame that contains some trivial text and a VBScript that will download an executable from a specified web site. The script places the executable in the Windows 98 startup group and uploads any .PWL (Windows password) files that exist in the Windows root directory.
Credit:
The HTA exploit (provided by Steve Posick) can be downloaded here: http://www.securiteam.com/exploits/hta.zip
Details:
This application works by using the Internet Explorer 5 and FileSystemObject ActiveX controls and some very simple scripting. The first thing the HTA does is use IE to view an .exe file (renamed to a .txt extension) on the remote web server. This places the .exe into IE's cache for later retrieval. This had to be done because Microsoft has apparently gone through (not so) great lengths to prevent the writing of binary files through HTAs. The exploit code then uses the FileSystemObject to move and rename the cached .exe to a more suitable location (in this case the startup directory). This same technique can be used to trojan any file the current user has access to. There is no visible reason why this should not also work under Windows NT.
Solution:
Disable File Downloads or disassociate .HTA files from MSHTA.exe. Disabling scripting does not eliminate the threat: because the HTA is already on the local system at the time of execution, its script runs as trusted.
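One way to audit and apply the second mitigation on a current Windows host, as an added example that is not part of the original advisory. It assumes the standard .hta -> htafile -> shell\open\command registry layout and redirects the open command to notepad.exe (a common hardening choice, so a double-clicked .hta is displayed rather than executed); run it from an elevated PowerShell session.

```powershell
# Added example (not from the advisory): check whether .hta files still run
# through MSHTA.exe, and optionally break that association as the advisory
# recommends. Assumes the standard HKCR\.hta -> <ProgID>\shell\open\command layout.

function Get-HtaAssociation {
    # Returns the ProgID registered for .hta and the command that runs when an
    # HTA is opened. HKCR merges HKLM and HKCU\Software\Classes, so a per-user
    # override is covered as well.
    $progId  = $null
    $command = $null
    if (Test-Path 'Registry::HKEY_CLASSES_ROOT\.hta') {
        $progId = (Get-Item 'Registry::HKEY_CLASSES_ROOT\.hta').GetValue('')
    }
    if ($progId) {
        $cmdKey = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
        if (Test-Path $cmdKey) {
            $command = (Get-Item $cmdKey).GetValue('')
        }
    }
    [pscustomobject]@{
        ProgId       = $progId
        OpenCommand  = $command
        # The exposure described above exists while mshta.exe is the handler.
        RunsViaMshta = [bool]($command -and $command -match 'mshta\.exe')
    }
}

function Disable-HtaExecution {
    # Implements "disassociate .HTA files from MSHTA.exe" by pointing the open
    # command at notepad.exe. The previous value is saved so the change is reversible.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$BackupPath = "$env:ProgramData\hta-open-command.bak")

    $assoc = Get-HtaAssociation
    if (-not $assoc.RunsViaMshta) {
        Write-Host 'No mshta.exe association found for .hta; nothing to change.'
        return $assoc
    }
    $cmdKey = "Registry::HKEY_CLASSES_ROOT\$($assoc.ProgId)\shell\open\command"
    if ($PSCmdlet.ShouldProcess($cmdKey, 'Redirect .hta open command to notepad.exe')) {
        Set-Content -Path $BackupPath -Value $assoc.OpenCommand
        Set-ItemProperty -Path $cmdKey -Name '(default)' `
            -Value "$env:SystemRoot\System32\notepad.exe `"%1`""
    }
    Get-HtaAssociation
}

# Audit only; run Disable-HtaExecution -WhatIf to preview the change.
Get-HtaAssociation | Format-List
```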