PATCHED?

DISABLE ACTIVESCRIPTING & ACTIVEX CONTROLS?


It would appear that setting the so-called Security Zone to "Restricted Sites" does shut it down quite efficiently. This is because the file is delivered via ActiveX controls, which that zone disallows. However, there is a good possibility that the "Restricted Sites" Zone can be defeated.

Consider the following:

1. It is understood that the so-called Security Zone settings are only applied to files that are in the Temporary Internet Files folder. It assumes that all other files on the computer are safe.

2. If that is the case, in order to defeat the so-called Security Zone settings, we would need to place our files on the target computer anywhere except the Temporary Internet Files folder.

Can we do that?

(a) IE5 and the accompanying mail and news client can do this for us. Through them we can inject our files into the temp folder for later retrieval.

How so?

(b) manufacture the file that you wish to place in the target computer's temp folder. This can be a simple combined ActiveX and ActiveScripting file which we would like to trigger later, or an elaborate "Silent delivery and installation of an executable on a target computer" file as detailed before.

(c) run the file through the mail or news client, effectively embedding it in base64. Thereafter save the file as either *.nws, *.eml or *.mhtml.

(d) we then create a second new html email or html news post and embed the file that we want to deliver, in it. We do this by creating a simple html frameset and embed the file to be delivered in that:

<frameset rows="10%,*">
<frame src="FILE_TO_BE_DELIVERED.MHTML" >
</frameset>


(e) we then run this combination of files through the mail or news client
and effectively embed both in base64.


What will happen?

When the combination file is opened, it will read the embedded file contained within it, through the frames and deposit the file, with full name intact, into the c:/windows/temp folder, where we can call it later. From this location we are out of the so-called Security Zone and can do as we please.

But ActiveScripting is Disabled?

In the second file, along with the html frameset we include the very simple HTTP-EQUIV meta tag known as refresh.

<meta http-equiv="refresh" content="30; url=mhtml:file://C:\WINDOWS\TEMP\k00l.mhtml">

The meta refresh does not appear to be affected by ActiveScripting being disabled. What happens is that because the file we are calling is located in the c:/windows/temp folder, we are inside (or rather outside) any setting of the so-called Security Zones. The browser will bounce to our file in the temp folder and open it locally. Our file in the temp folder can contain all sorts of goodies, including "Silent delivery and installation of an executable on a target computer". As we are now local, anything and everything will work, including all ActiveScripting and all ActiveX controls. The following set of working examples includes just that: the first incorporating an executable (*.exe), the second containing nothing more than ActiveScripting and an ActiveX control.
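From the defender's side, the tell-tale pattern above is an html mail body whose meta refresh or frame target points at the local file system (mhtml:, file:, or a drive letter) or at a saved message file (*.mhtml, *.eml, *.nws). The following scanner is an added example, not code from the original advisory; the two sample bodies are constructed for illustration.

```python
"""Flag HTML mail bodies that use the zone-bypass pattern described above.
Added example (not from the original advisory): a mail-gateway style check
that inspects <meta http-equiv="refresh"> and <frame>/<iframe> targets for
local-file URLs or embedded message files. Sample bodies are constructed."""
import re
from html.parser import HTMLParser

# A refresh/frame target that resolves locally instead of to a web server.
LOCAL_URL = re.compile(r"^\s*(mhtml:|file:|[a-z]:[\\/])", re.IGNORECASE)
# Saved-message extensions the advisory names as the delivery container.
MESSAGE_EXT = (".mhtml", ".eml", ".nws")


class ZoneBypassScanner(HTMLParser):
    """Collects (tag, target) findings while parsing an HTML body."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # content looks like "30; url=mhtml:file://C:\WINDOWS\TEMP\x.mhtml"
            m = re.search(r"url\s*=\s*(.+)$", a.get("content", ""), re.I)
            if m and LOCAL_URL.match(m.group(1)):
                self.findings.append(("meta-refresh", m.group(1).strip()))
        elif tag in ("frame", "iframe"):
            src = a.get("src", "").strip()
            if LOCAL_URL.match(src) or src.lower().endswith(MESSAGE_EXT):
                self.findings.append((tag, src))


def scan_html(body: str):
    """Return the list of suspicious targets found in an HTML body."""
    s = ZoneBypassScanner()
    s.feed(body)
    return s.findings


# Constructed sample bodies: the first mirrors the advisory's pattern.
SUSPICIOUS = ('<html><head><meta http-equiv="refresh" '
              'content="30; url=mhtml:file://C:\\WINDOWS\\TEMP\\k00l.mhtml">'
              '</head><frameset rows="10%,*"><frame src="payload.mhtml">'
              '</frameset></html>')
BENIGN = ('<html><head><meta http-equiv="refresh" '
          'content="5; url=https://example.com/news"></head>'
          '<body><iframe src="https://example.com/ad"></iframe></body></html>')

if __name__ == "__main__":
    for name, body in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, scan_html(body))
```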

These have been tested on IE5.0 and IE5.1 (both updated with all security patches as of time of writing) with everything disabled in the so-called Security Zone including ActiveScripting, running of ActiveX controls etc.

Every possible selection under Custom Level set to: DISABLE

[IE5.5 being beta fails. However it raises other curious possibilities]

Important Notes:

1. The working examples below represent a generic and diluted approach in order to keep things simple.
2. The meta refresh tag doesn't work from inside the html email or html news post. There is a workaround for that. It does of course work in the browser.
3. There is the limitation of having a setTimeout independent of the ActiveScripting in the files via the meta refresh tag as it could fire before the files have been delivered.
4. The file name references appear to be extremely sensitive; the examples should work 99.99% of the time.
5. Again it requires a default installation of Windows 95 and 98 where the temp folder is c:/windows/temp.

DISCLAIMER

Working Examples:


Nota Bene: there appears to be some confusion over the following examples. As indicated these are web based and must be executed off the web (directly from the links), not saved to disk and then tested. Additionally, owing to the server where they reside not being particularly robust, should a 'page not found' error occur simply hit refresh!

You will then find a blank screen with a small window at the top with white text. Thereafter wait exactly 30 seconds.

1. The first example incorporates a different harmless joke program. It is quite popular and has not too long ago been added to several Anti-Virus databases (or signature files). There is a good possibility that your Anti-Virus software will disallow the "Silent delivery and installation of an executable on a target computer" for that reason. There is an even better chance it will not even know what is happening. This working example is set to an unnecessarily lengthy delay to allow for download on feeble i-connections. The delay is 30 seconds:

http://members.xoom.com/malware/0uch.mhtml  42KB

2. The second is a whimsical example of pure text containing ActiveScripting and a pre-registered ActiveX control, you'll find the operation of the ActiveX control in the main browser window and you won't miss the operation of the ActiveScripting.

note: don't do this test if you do not know how to reset your browser

http://members.xoom.com/malware/k00l.mhtml  5KB


submitted Sun, 4 June 2000 to BUGTRAQ

[ 20 July, 2000 - Manufacturer's Solution:

http://www.microsoft.com/technet/security/bulletin/MS00-046.asp ]


update: Tuesday, June 6, 2000

There still remains that tiny percentile of failure. But as discussed for the purposes of a generic and diluted working example, it should demonstrate quite effectively that we can indeed skirt the radar system, the so-called Security Zone. That very small possibility of failure owing to (a) an independent setTimeout via the meta tag and (b) the particularly sensitive file path structure that is required to achieve this with no user input.

Can we overcome this?

Yes indeed. We can achieve 100% results, but we must give back an equally tiny percentile. We can come in under the radar, deliver the file to where we want it for later retrieval and call it later with 100% certainty, all directly from an html email with every setting in the so-called Security Zone set to: DISABLE.

The modus operandi is less spectacular than the previous, but the results are guaranteed. We will examine this in closer detail next.

© copyright 2000 malware.com