<<< Date Index >>>     <<< Thread Index >>>

Re: [security] What A Click! [Internet Explorer]



yossarian wrote:

> There is an easy trick to avoid a .HTA related 'thingie' such as this
> one: tell your windows to open .HTA files in notepad.  It broke the
> beautifull PoC I guess, had it in place as long as this particular
> machine (2 years or so), it never broke anything before.



Is there a method of sandboxing the .HTA files? I mean, everything web,
should stay web?

>
> Second hint for people protecting lusers: design a nice corporate
> colors standard theme and disable the standard theme. Exit this kind
> of attack (since there are more ways to cover windows with malicious
> lookalikes).
>
> regards,
>
> yossarian
>
> ----- Original Message ----- From: "mikx" <mikx@xxxxxxx>
> To: <full-disclosure@xxxxxxxxxxxxxxxxx>
> Cc: <bugtraq@xxxxxxxxxxxxxxxxx>
> Sent: Tuesday, January 24, 2006 8:06 PM
> Subject: [security] What A Click! [Internet Explorer]
>
>
>> It's now almost 18 months ago that i posted my first security
>> advisory "What A Drag! -revisited-", seems to be a good time to post
>> "What A Click!".
>>
>> Both bugs had about the same exploit potential, but i assume this one
>> will have far less impact and media response (which i consider a
>> great thing for various reasons). Thanks to everybody who researched,
>> worked, chatted, discussed and got drunk with me in the last months
>> to make this change happen - you know who you are.
>>
>> __Summary
>>
>> Using custom Microsoft Agent characters it is possible to cover any
>> kind of windows, including security or download dialogs. This is an
>> expected feature of the Microsoft Agent control. To quote the product
>> homepage: "Animations are drawn on top of any underlying application
>> window, characters are not bounded within their own, separate window"
>> (http://www.microsoft.com/msagent/prodinfo/datasheet.asp). Custom
>> characters can be created with tools downloadable from that homepage.
>>
>> Because custom characters are fully scriptable, can have any kind of
>> shape and are downloaded automaticly, this can be used as a flexible
>> tool to cover and/or spoof any kind of window and lure the user to
>> execute arbitrary code by performing one or two clicks (depening on
>> security zone configuration and Windows version).
>>
>> __Proof-of-Concept
>>
>> http://www.mikx.de/fireclicking/
>>
>> The PoC is designed for Internet Explorer 6 on Windows XP SP2 in
>> Windows classic theme. By clicking on the button in the upper left
>> corner you start the download of a hta file. The download dialog gets
>> covered by a Microsoft Agent character which fakes a button (basicly
>> a large white image with a button border in the middle). Move the
>> character by dragging to see how it uses a "transparent spot" to make
>> room for clicking on the underlying dialog through the button space.
>> Transparent areas in characters are really "not there", meaning you
>> can click through them.
>>
>> When you click that button you execute arbitraty code in the hta
>> file, in this case you create the folder "c:\booom!". The button in
>> the upper left corner is only need to get around the "drive by
>> download" protection of Windows. When this protection is not in place
>> (e.g. on Windows 2000) this PoC could be reduced to a single click
>> interaction to execute arbitrary code.
>>
>> __Status
>>
>> The bug got fixed as part of the Microsoft Security Bulletin MS05-032
>> (yeah, last summer).
>>
>> The patch adds an additional security dialog before loading a custom
>> agent character. Be aware that in trusted zones that dialog might not
>> raise.
>>
>> 2004-10-04 Vendor informed
>> 2004-10-06 Vendor opened case, could not repro
>> 2004-10-06 Vendor got new testcase
>> 2004-10-12 Vendor confirmed bug
>> 2005-06-14 Vendor relased patch and advisory
>> 2006-01-22 Public disclosure
>>
>> __Affected Software
>>
>> Internet Explorer on Windows 98, 98 SE, ME, XP, 2000, Server 2003
>> with different severity. See Microsoft Security Bulletin MS05-032 for
>> details.
>>
>> __Contact
>>
>> Michael Krax <mikx@xxxxxxx>
>> http://www.mikx.de/
>>
>> mikx
>>
>>
>> _______________________________________________
>> Get your free port scan here: http://www.seifried.org/freescan2/
>>
>> security mailing list
>> security@xxxxxxxxxxxxxxxxxx
>> https://lists.seifried.org/mailman/listinfo/security 
>
>
>


-- 
Best Regards,
Lance James
Secure Science Corporation
www.securescience.net
Author of 'Phishing Exposed'
http://www.securescience.net/amazon/