Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-disclosure] Re: [security] What A Click! [Internet Explorer]

from [yossarian] Network Security [Permanent Link]
Subject: [Full-disclosure] Re: [security] What A Click! [Internet Explorer]
Date: Fri, 27 Jan 2006 01:31:21 +0100
There is an easy trick to avoid a .HTA related 'thingie' such as this one: tell your windows to open .HTA files in notepad. It broke the beautifull PoC I guess, had it in place as long as this particular machine (2 years or so), it never broke anything before.

Second hint for people protecting lusers: design a nice corporate colors standard theme and disable the standard theme. Exit this kind of attack (since there are more ways to cover windows with malicious lookalikes).

regards,

yossarian

----- Original Message ----- From: "mikx" <mikx@mikx.de>
To: <full-disclosure@lists.grok.org.uk>
Cc: <bugtraq@securityfocus.com>
Sent: Tuesday, January 24, 2006 8:06 PM
Subject: [security] What A Click! [Internet Explorer]


It's now almost 18 months ago that i posted my first security advisory "What A Drag! -revisited-", seems to be a good time to post "What A Click!".

Both bugs had about the same exploit potential, but i assume this one will have far less impact and media response (which i consider a great thing for various reasons). Thanks to everybody who researched, worked, chatted, discussed and got drunk with me in the last months to make this change happen - you know who you are.

__Summary

Using custom Microsoft Agent characters it is possible to cover any kind of windows, including security or download dialogs. This is an expected feature of the Microsoft Agent control. To quote the product homepage: "Animations are drawn on top of any underlying application window, characters are not bounded within their own, separate window" (http://www.microsoft.com/msagent/prodinfo/datasheet.asp). Custom characters can be created with tools downloadable from that homepage.

Because custom characters are fully scriptable, can have any kind of shape and are downloaded automaticly, this can be used as a flexible tool to cover and/or spoof any kind of window and lure the user to execute arbitrary code by performing one or two clicks (depening on security zone configuration and Windows version).

__Proof-of-Concept

http://www.mikx.de/fireclicking/

The PoC is designed for Internet Explorer 6 on Windows XP SP2 in Windows classic theme. By clicking on the button in the upper left corner you start the download of a hta file. The download dialog gets covered by a Microsoft Agent character which fakes a button (basicly a large white image with a button border in the middle). Move the character by dragging to see how it uses a "transparent spot" to make room for clicking on the underlying dialog through the button space. Transparent areas in characters are really "not there", meaning you can click through them.

When you click that button you execute arbitraty code in the hta file, in this case you create the folder "c:\booom!". The button in the upper left corner is only need to get around the "drive by download" protection of Windows. When this protection is not in place (e.g. on Windows 2000) this PoC could be reduced to a single click interaction to execute arbitrary code.

__Status

The bug got fixed as part of the Microsoft Security Bulletin MS05-032 (yeah, last summer).

The patch adds an additional security dialog before loading a custom agent character. Be aware that in trusted zones that dialog might not raise.

2004-10-04 Vendor informed
2004-10-06 Vendor opened case, could not repro
2004-10-06 Vendor got new testcase
2004-10-12 Vendor confirmed bug
2005-06-14 Vendor relased patch and advisory
2006-01-22 Public disclosure

__Affected Software

Internet Explorer on Windows 98, 98 SE, ME, XP, 2000, Server 2003 with different severity. See Microsoft Security Bulletin MS05-032 for details.

__Contact

Michael Krax <mikx@mikx.de>
http://www.mikx.de/

mikx


_______________________________________________
Get your free port scan here: http://www.seifried.org/freescan2/

security mailing list
security@lists.seifried.org
https://lists.seifried.org/mailman/listinfo/security 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [ MDKSA-2006:022 ] - Updated perl-Convert-UUlib packages fix vulnerability, security
Next by Date:  BitComet URI Proof of Concept, nick58
Previous by Thread:  [Full-disclosure] What A Click! [Internet Explorer], mikx
Next by Thread:  Re: [security] What A Click! [Internet Explorer], Lance James
Indexes:  [Date] [Thread] [Top] [All Lists]