Kuro5hin.org: technology and culture, from the trenches
create account | help/FAQ | contact | links | search | IRC | site news
[ Everything | Diaries | Technology | Science | Culture | Politics | Media | News | Internet | Op-Ed | Fiction | Meta | MLP ]
We need your support: buy an ad | premium membership

[P]
Microsoft Redefines What Exploits Can Do (Again)

By 90X Double Side in Internet
Mon Mar 04, 2002 at 03:40:18 PM EST
Tags: Security (all tags)
Security

First you told your users that it was safe to look at email as long as they didn't execute any attachments, then a series of exploits in Outlook let malicious code execute as soon as an email was previewed. Later we started seeing exploits in Internet Explorer that would let a web page run malicious code, but again everyone was told that the web page would have to get you to download the code or have scripting enabled. Well, it's time to change your advice once again as an exploit has been found which allows you to execute code on an IE user's computer using nothing but XML.


This exploit affects Explorer, Outlook, and Outlook Express 5.5+ and uses the same technique an older jscript bug, but uses Microsoft's data binding technology to allow the exploit to run even on machines with Active Scripting and ActiveX disabled. Data binding is a technology that allows almost any kind of data to be bound to HTML without using any scripting.

No patch is available yet, but the discoverers (GreyMagic Software) suggest using regedit.exe to find [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] and change the value of "1004" (DWORD) to 0x3.

GreyMagic has also put up a web page demonstrating the vulnerability which allows you to type in the path of any program and have the web page execute it. Their default is set up for Windows NT, so you might want to try something like c:/windows/system32/notepad.exe. Worked like a charm on a fully patched Windows XP Professional box, and it has been tested on Windows 98, NT 4, 2000 as well.

Further coverage is available at The Register

Sponsors

Voxel dot net
o Managed Hosting
o VoxCAST Content Delivery
o Raw Infrastructure

Login

Related Links
o exploit
o web page demonstrating the vulnerability
o The Register
o Also by 90X Double Side


Display: Sort:
Microsoft Redefines What Exploits Can Do (Again) | 50 comments (33 topical, 17 editorial, 0 hidden)
Correction (4.33 / 15) (#2)
by quartz on Mon Mar 04, 2002 at 01:54:11 PM EST

First you told your users that it was safe to look at email as long as they didn't execute any attachments

Um, no. I've always told my users it's safe to look at email as long as they aren't using Windows.



--
Fuck 'em if they can't take a joke, and fuck 'em even if they can.
And Pine (2.66 / 6) (#29)
by Vs on Mon Mar 04, 2002 at 03:53:00 PM EST

:-)
--
Where are the immoderate submissions?
[ Parent ]
Hm. (none / 0) (#41)
by Vs on Tue Mar 05, 2002 at 04:33:03 AM EST

Looks like we've got some Pain^wPine users around. Anyway, here's the link. Granted, it's 18 month old now.
--
Where are the immoderate submissions?
[ Parent ]
'Advanced' exploit did what they said (5.00 / 9) (#4)
by TheophileEscargot on Mon Mar 04, 2002 at 01:57:59 PM EST

Tested the advanced exploit on IE 6.0.2600.0000, and the exploit popped up Notepad as advertised. Remember to put in the correct path for your machine (Windows instead of Winnt in the path for example).

The registry hack they suggested to fix the hole does the trick tho.

This really sucks. I can't believe a text file in an untrusted zone can fire up a damn application, without even a "Are you sure..." prompt.
----
Support the nascent Mad Open Science movement... when we talk about "hundreds of eyeballs," we really mean it. Lagged2Death

Don't stay logged on as Administrator (4.25 / 4) (#12)
by demi on Mon Mar 04, 2002 at 02:20:31 PM EST

...if you are on a NT/XP machine. I think this yet another good example of why you should not do that. Nevertheless, a lot of people that should know better still do it.



Sure. (4.80 / 5) (#16)
by RandomPeon on Mon Mar 04, 2002 at 02:34:27 PM EST

Unfortunately, XP Home always grants you "root" priveleges since it would be too complicated otherwise.
BR IE exploits are far too common. Just too many of 'em. The browser should run as a very unpriveleged user like "browser". Restrict it's write priveleges to the download directory, etc. That would be the Unix way of dealing with potentially risky software.... It is a sad day when a client program has to be walled off like a public server.

[ Parent ]
XP Home (5.00 / 2) (#19)
by demi on Mon Mar 04, 2002 at 02:43:18 PM EST

Unfortunately, XP Home always grants you "root" priveleges since it would be too complicated otherwise.

Really? Never used it, but if that's true then XP Home is just as bad as Win9x as far as I'm concerned. And as for your view on how IE was merged with Windows Explorer, I agree completely. It might be more convenient for Windows Update, Product Activation, and intrusive 'auto-install' third party apps, but this problem highlights quite well the risks of executing system commands through ActiveX controls (whether or not they happen to be malicious).



[ Parent ]

NO, XP home does not necessarily run that way (4.00 / 2) (#22)
by yankeehack on Mon Mar 04, 2002 at 02:58:34 PM EST

XP home has two choices, you have the choice of the Administrator account or the Limited account. The confusion is that the Limited account is targeted to users like my three year old since I don't want her to change settings while she is playing her computer games. If you really wanted to be a prick, you could just have one Admin account and everyone else as a Limited. Although in my household, that setup wouldn't fly :-P

I tried running the exploit on an Admin account with a recently patched IE with a custom security level and it doesn't work on my machine.

No one who was bad in bed has ever been good in life (i.e. liberals, I've never had sex with a liberal woman who knew how to use her body.) Keeteel :-P I'm *right*!
[ Parent ]

For three year olds (3.50 / 4) (#26)
by ucblockhead on Mon Mar 04, 2002 at 03:05:01 PM EST

Unfortunately, the limited mode is barely useful for anyone doing serious work.
-----------------------
This is k5. We're all tools - duxup
[ Parent ]
Huh (5.00 / 1) (#40)
by RandomPeon on Tue Mar 05, 2002 at 04:11:40 AM EST

I'm probably wrong. I haven't used WinXP home ever. I was told at a presentation by an MS rep last year that all users would have all priveleges in the home version, but that was about 6 months before they released, and no sales guy ever gets their facts wrong of course. Still kind of annoying, although it's a step in the right direction. I can't say their decision is entirely wrong, the idea of users having limited access is somewhat daunting to the unitiated. But it still seems to make vulnerabilities more damaging.

[ Parent ]
No su (2.83 / 6) (#17)
by enterfornone on Mon Mar 04, 2002 at 02:37:20 PM EST

It would be nice to be able to run Windows as a standard user, but MS forces you to log out completely should you wish to administer your machine.

--
efn 26/m/syd
Will sponsor new accounts for porn.
[ Parent ]
"Run as" command (4.00 / 2) (#21)
by theR on Mon Mar 04, 2002 at 02:52:58 PM EST

It's not as functional as su or sudo, but it's a step in the right direction.



[ Parent ]
Control Panel? (none / 0) (#49)
by vrt3 on Tue Mar 05, 2002 at 05:48:27 PM EST

How do you do it for the Control Panel?

And while I'm busy, I have another question I would like to see answered (feel free to ignore):
In Windows 2000 Professional, stand alone: is it possible to specify different screen resolutions for different users? How?
If I try it, screen resolution always changes for all users.

When a man wants to murder a tiger, it's called sport; when the tiger wants to murder him it's called ferocity. -- George Bernard Shaw
[ Parent ]
I wish... (4.66 / 3) (#23)
by ucblockhead on Mon Mar 04, 2002 at 03:01:21 PM EST

I wish there were a good way of doing this. As a Windows Developer, this is nearly impossible. You need rights to too much stuff for it to be feasible to run as a standard user. This is in direct contrast to unix, where it is normal for developers to run in standard user shells.

Anything that does anything interesting needs system access. Windows doesn't have nice ways of doing this the way Unix does. I can't just throw things and a local bin directory and run from there. I can't just put things in local config files. No, I've got to access the damn registry, which requires the Admin access.
-----------------------
This is k5. We're all tools - duxup
[ Parent ]

In NT forward (4.50 / 2) (#27)
by Trevasel on Mon Mar 04, 2002 at 03:15:44 PM EST

There are full permissions on the registry. You can set the registry to only allow read access to important keys.

But the key thing is there is no quick and easy way that I know of to easily secure windows NT/2000/XP for normal users; simply running a non-administrator account leaves the system open to masssive compromise.
-- That which does not kill you only makes you stranger - Trevor Goodchild
[ Parent ]
No problem in Internet Explorer 4 (2.50 / 2) (#30)
by Sunir on Mon Mar 04, 2002 at 04:34:37 PM EST

I tried it with Internet Explorer 4 (on Win98), and the exploit doesn't work. That's the benefit of staying a few years behind the curve.

"Look! You're free! Go, and be free!" and everyone hated it for that. --r

yep (none / 0) (#42)
by boomi on Tue Mar 05, 2002 at 04:49:57 AM EST

Doesn't work in my win98.
It's IE 5 here.

[ Parent ]
Worked for me (5.00 / 3) (#31)
by dze27 on Mon Mar 04, 2002 at 04:39:38 PM EST

I copied some of the code into an HTML email in Outlook. It's quite a shock to open an email and have that calc.exe program pop up!

As others have mentioned, the registry hack works fine to stop the problem.

Has anyone figured out how to pass parameters to programs. I tried getting things like cmd /c "del foo" to work but it only seems to accept characters up to the first space.


"Luck is the residue of design" -- Branch Rickey


Try this (5.00 / 2) (#33)
by bleach on Mon Mar 04, 2002 at 05:02:03 PM EST

try to use the space as  

del foo.exe

or try urlencoding like.. %20

del%20foo.exe

Let me know if either of those works :) (I don't have a win box)


#define CODE "\270\105\000\000\303";
int (*foo)();main(){foo=CODE;printf("I like to %d\n",foo());}
[ Parent ]
Use %20 [nt] (2.66 / 3) (#35)
by nstenz on Mon Mar 04, 2002 at 05:18:44 PM EST



[ Parent ]
Ohh yeah, (5.00 / 1) (#34)
by bleach on Mon Mar 04, 2002 at 05:10:01 PM EST

I almost forgot, don't forget trying to use quotations " or ' either. :) Also, is it possible to do more than one command at a time?

Even if it isn't.. under windows can you directly touch something in the web page cache from the command line?

I'm imaging something like this...

The virus sends an email with a image in it, that image is not a valid gif, it is actually executable code. Then using the exploit above, it renames the gif in the internet cache to foo.exe, than executes foo.exe. That would be slick and give people one more reason to hate m$. (which is a good thing).

#define CODE "\270\105\000\000\303";
int (*foo)();main(){foo=CODE;printf("I like to %d\n",foo());}
[ Parent ]
Nope, you can't read from the cache. (5.00 / 2) (#36)
by nstenz on Mon Mar 04, 2002 at 05:22:13 PM EST

The "Temporary Internet Files" folder is a folder generated from some random GUID stored in the registry. It has several subfolders inside of it, which are named with random gibberish. It's not possible to know what the path to a cached file would be unless you can actually search through the directories and look.

There was an exploit a while back that exposed those random folder names so it would be possible to find that path- but that exploit has been fixed.

[ Parent ]

Positive spin (4.00 / 2) (#32)
by xrayspx on Mon Mar 04, 2002 at 04:59:57 PM EST

At the very least, running this exploit triggered Norton Anti Virus before allowing Notepad to launch. My copy of Norton is an expired 30 day trial on this particular machine, so i don't know what the warning would have been. I imagine it's something along the lines of:

Are you sure you want to allow this website to run notepad.exe


"I see one maggot, it all gets thrown away" -- My Wife
Odd... (4.00 / 1) (#44)
by dasunt on Tue Mar 05, 2002 at 10:30:10 AM EST

NAV 2002 doesn't seem to prevent anything on win2k pro.

[ Parent ]
That is strange (none / 0) (#47)
by xrayspx on Tue Mar 05, 2002 at 01:00:02 PM EST

Confirmed. I just ran on Win2k-Pro with a REGISTERED Norton AV, and nothing happened. I wonder what the deal is with the expired trial version that stops this happening right away.

It should be noted that it doesn't stop the browser from launching the code, it just popped up the NAV menu saying it was expired. As soon as I cleared that menu it immediately ran Notepad.


"I see one maggot, it all gets thrown away" -- My Wife
[ Parent ]
MS viral innovation (5.00 / 8) (#37)
by deadplant on Mon Mar 04, 2002 at 05:25:24 PM EST

I thought MS was supposed to be having a special "stop everything and fix the security holes" month. I was expecting that exercise to result in a flood of security advisories and patches from MS... but it hasn't come! There've been plenty of nasty nasty security holes but they're all still coming from security experts outside redmond. So what's the deal? did the MS techs have a good look and not find anything???

hmm, maybe they just spent the whole month explaining the concept of a buffer overflow to their programmers...

p.s.

Another issue with windows media player was mentioned on bugtraq around the same time as this IE "innerHTML" injection thingy. MP will not respect file extensions, so you can create an asf or wma file that includes URLs that will 'pop-up' in IE when you play the file... then you can rename the file to .mp3 and all those poor fools out there (myself included) who thought mp3 files were perfectly safe (they are after all just a little music, no code there) will try to play the mp3 and get a screenfull of porn ads and/or be bombarded with every IE exploit known to man.

WARNING! text, sound and video can all carry viruses if you use windows.

first it was documents, then it was email, now it's music/video. MS is busy expanding possibilities for viruses and worms.



winamp :) (none / 0) (#45)
by beez on Tue Mar 05, 2002 at 11:00:40 AM EST

I thought everyone used Winamp for mp3 and wma!

[ Parent ]
Or. . . (5.00 / 2) (#48)
by Frijoles on Tue Mar 05, 2002 at 04:15:10 PM EST

I can create one of your fake MP3 files and distribute it to gnutella.. Britney2002.mp3 or something. Then when it opens, it hits my page, which autoruns the exploit featured in this article. But instead of calc.exe coming up, I run format.com%20c:\%20/q%20/y (that right?).

Maybe put a little jingle or something for users who are being formatted. Something along those lines anyway. We just played with this at work and the exploit works on all of our machines. Pretty nasty. The IT director is freaking out (since this isn't an attachment that can be blocked, and patching 1000+ computers should prove to be fun). Ah well.. at least I'm just a web guy. :)



[ Parent ]
A better explanation and patch (5.00 / 4) (#38)
by bugstomper on Mon Mar 04, 2002 at 08:55:40 PM EST

There's what I think is a better explanation of how the exploit works and a patch program that lets you change the registry entries here [edensoft.com]

The exploit is actually based on the fact that the source file specified for an ActiveX control does not have to be a foo.cab archive file, it can be an executable. If it is, then downloading and installing it involves running the executable. There is no check to ensure that the file really does contain an ActiveX control. Combine that with the inability to disable download of ActiveX controls from the local file store security zone and you have an exploit.

Rather than disable ActiveX downloads completely, EdenSoft's patch program just sets it to prompt. What's really interesting is they found a registry setting that enables the My Computer zone in IE's Security configuration dialogs so you can set this for yourself without tweaking the registry each time. It was there all along, but Microsoft hides it for some reason.

xml based exploits (4.66 / 3) (#39)
by walkah on Mon Mar 04, 2002 at 11:52:47 PM EST

well... with the inevitable oncoming wave of xml-based rpc services (xml-rpc, soap, et. al) this, I'm sure, will only be one in a long gruesome line of "xml" exploits.

but, god, what a pain for script kiddies having to make sure their 'sploits are well-formed!

Doesn't work for me (4.00 / 1) (#43)
by octothorpe on Tue Mar 05, 2002 at 09:11:28 AM EST

I'm running Win2KSP2 with IE 5.00 and I get a pop-up saying, "Your current security settings prohibit running ActiveX controls in this page." I've never changed anything in the registry on this box but I may have fiddled with the IE settings. So either it's blocked by default or there is a way to block it without hacking the registry. Anyone know what I did right? PS I Usually browse with Mozilla on RH7.2 so this is not a big issue for me.

Same here (none / 0) (#46)
by beez on Tue Mar 05, 2002 at 11:03:16 AM EST

IE 5.5 on Win2ksp2 won't run either flavor of this exploit for me.

[ Parent ]
Vulnerable versions (none / 0) (#50)
by womble on Thu Mar 07, 2002 at 02:39:32 PM EST

This exploit only works under 5.5 and 6.0. However, if you stick with an earlier version of IE you may find you can no longer get patches for other security holes.

[ Parent ]
Microsoft Redefines What Exploits Can Do (Again) | 50 comments (33 topical, 17 editorial, 0 hidden)
Display: Sort:

kuro5hin.org

[XML]
All trademarks and copyrights on this page are owned by their respective companies. The Rest 2000 - Present Kuro5hin.org Inc.
See our legalese page for copyright policies. Please also read our Privacy Policy.
Kuro5hin.org is powered by Free Software, including Apache, Perl, and Linux, The Scoop Engine that runs this site is freely available, under the terms of the GPL.
Need some help? Email help@kuro5hin.org.
My heart's the long stairs.

Powered by Scoop create account | help/FAQ | mission | links | search | IRC | YOU choose the stories!