RE: How to Break Windows XP SP2 + Internet Explorer 6 SP2
I successfully reproduced this exploit on a fully patched XPSP2
installation and can verify that malware.htm is planted locally after
which HTML Help is used to launch it and circumvent the XPSP2 browser
security improvements, compromising the system.
However, this exploit did not work on any systems with Qwik-Fix Pro
installed, from Windows 95 to Windows XP Service Pack 2. A free Home
edition and a trial Corporate edition is available for download at
http://www.pivx.com/qwikfixDownload.asp
Before you can successfully use any Drag'n'Drop technique or script
shortcuts to plant a file on the local system you first need to be able
to reference local content. If you cannot reference local contents or
directories from the Internet zone then you cannot retrieve the window
handle that is necessary for any Drag'n'Drop exploits or any
cross-domain scripting exploits.
IE6SP1 initially blocked all direct references to the FILE:// and RES://
protocols which I demonstrated how to circumvent through the OBJECT
element. This was quickly patched in the next cumulative security update
and thereby blocked the traditional cross-domain scripting exploits.
XPSP2 went further and tightened down the Local Machine Zone with the
recommendations PivX Labs made public in late 2003 so that even if you
could find a way to reference local content and subsequently inject
scripting through a cross-domain vulnerability you would not be able to
accomplish anything. This LMZ lockdown has a per-process exception list
in which HTML Help is included.
When the LMZ is locked down attackers have to find alternative attack
vectors, of which the Drag'n'Drop vulnerability is a prime example. When
IE renders an IMG element it gives priority to the SRC attribute but
when IE drops an IMG element on an arbitrary window it gives priority to
the DYNSRC attribute. If you are able to reference any local content you
can therefore drop the DYNSRC attribute of the IMG element on the window
with local content and thereby plant a file on the file system in a
known location.
The browser security improvements in XPSP2 does not include further
restrictions on referencing local content which is why the Drag'n'Drop
exploits to this date affect fully patched XPSP2 systems. Qwik-Fix Pro
restricts local content referencing through a number of means of which
one is responsible for protecting against this exploit:
In order for http-equiv's exploit to work the "ceegar.html" file uses
the AnchorClick behavior to open "C:\WINDOWS\PCHealth\" in a named
window which is then used as a drop target for the DYNSRC pointing to
the "malwarez" file. When any behavior in IE tries to list a local
directory it uses the Shell.Explorer ActiveX object, an object which has
no justification of use inside the browser but which is heavily used by
Windows Explorer itself.
Setting the Kill Bit on the Shell.Explorer ActiveX object prevents IE
from referencing local directories in a window object, whether it's
through AnchorClick behavior or some other approach that we discover
tomorrow. The GUID for Shell.Explorer is
{8856F961-340A-11D0-A96B-00C04FD705A2} and Knowledge Base article 240797
(http://support.microsoft.com/?kbid=240797 ) explains how the process
works.
PivX Labs released a freely available registry fix that sets the Kill
Bit on Shell.Explorer almost 2 months ago which can be downloaded from
http://www.pivx.com/research/freefixes/neutershellexplorer.reg
For clarity, here are the file contents:
=== neutershellexplorer.reg ===
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX
Compatibility\{8856F961-340A-11D0-A96B-00C04FD705A2}]
"Compatibility Flags"=dword:00000400
=== neutershellexplorer.reg ===
PivX Labs has covered this topic several times before on the Unpatched
mailing list which receives advance notification of our security
research, including several Win95-XPSP2 vulnerabilities that will be
released in the interim future. For more information or to subscribe you
can visit
http://unpatched.pivxlabs.com
Regards
Thor Larholm
Senior Security Researcher
PivX Solutions
23 Corporate Plaza #280
Newport Beach, CA 92660
http://www.pivx.com
thor@xxxxxxxx
Stock symbol: (PIVX.OB)
Phone: +1 (949) 231-8496
PGP: 0x4207AEE9
B5AB D1A4 D4FD 5731 89D6 20CD 5BDB 3D99 4207 AEE9
PivX defines a new genre in Desktop Security: Proactive Threat
Mitigation.
<http://www.pivx.com/qwikfix>
-----Original Message-----
From: Windows NTBugtraq Mailing List
[mailto:NTBUGTRAQ@xxxxxxxxxxxxxxxxxxxxxx] On Behalf Of
http-equiv@xxxxxxxxxx
Sent: Wednesday, October 20, 2004 5:36 AM
To: NTBUGTRAQ@xxxxxxxxxxxxxxxxxxxxxx
Subject: How to Break Windows XP SP2 + Internet Explorer 6 SP2
Snip
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0410&L=ntbugtraq
&F=P&S=&P=10781
Snip http://tinyurl.com/4xeww