Subject: [NT] IE vulnerability allows execution of arbitrary programs (.chm files and temporary file folder)
Date: Mon, 20 Nov 2000 23:56:27 +0100

IE vulnerability allows execution of arbitrary programs (.chm files and temporary file folder)
------------------------------------------------------------------------

SUMMARY

There is a security vulnerability in IE 5.5, Outlook and Outlook Express which allows executing arbitrary programs using .chm files and also reveals the location of the temporary Internet files folder. This may enable attackers to gain full control over a target user's computer.

DETAILS

Vulnerable systems:
 * IE 5.5/Outlook/Outlook Express

A similar vulnerability regarding .chm files was reported some time ago, and Microsoft fixed it by allowing .chm files to run programs only if the .chm was loaded from the local file system. However, it is possible to find the temporary Internet files folder and locate the locally stored .chm file. The temporary folders normally have random names.

The following HTML code:

Where EXAMPLE.COM is a web server or alias that is different from the web server from which the HTML page is loaded, may reveal one of the temporary Internet files folders through "document.URL".

Once a temporary Internet files folder name is known, it is possible to cache a .chm in any temporary Internet files folder and then use window.showHelp() to execute it. There are other ways to execute programs once a temporary Internet files folder is known and the document is cached in it, but showHelp() seems to be the simplest.

If the demonstration (a link is provided below) does not work, wait a minute and reload the page, or increase the number of "chm*.chm" files in IMG and showHelp(), or increase the time to wait if it is insufficient to download the .chm files.

Exploit:

---------chmtempmain.html------------------------------------------

The object below must be loaded from a server with a name different from the parent document - it may be the same server but use the IP address or another alias.
If this does not work, try increasing the number of "chm*.chm" in IMG and showHelp.

---------------------------------------------------------------------

--------chtmtemp.html------------------------------------------------

---------------------------------------------------------------------

Workaround:

Disable Active Scripting.

Demonstration:

A live demonstration is available at:
http://www.guninski.com/chmtempmain.html

ADDITIONAL INFORMATION

The information has been provided by Georgi Guninski.

========================================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.