Re: Internet Explorer 5.0 HTML Applications

From: Posick, Steve (steve.posickat_private)
Date: Wed Aug 18 1999 - 09:22:17 PDT


    In response to Bryan's article about the possible dangers of HTML
    applications, a colleague (Jesse Raccio) and I worked up a demonstration for
    our security personnel to demonstrate the possible threat.  The HTA we
    developed displays a pop-up frame that contains some trivial text and a
    VBScript that will download an executable from a specified web site and
    place it into the Win98 startup group as well as upload any .PWL files that
    exist in the Windows root directory.
    
    Here's how it works.
    This application works by using the IE 5 and FileSystemObject ActiveX
    controls and some very simple scripting.
    The first thing the HTA does is use IE to view an exe file (renamed to a txt
    extension) on the remote web server.  This places the exe into IE's cache
    for later retrieval.  We had to do this because Micro$oft has apparently
    gone through (not so) great lengths to prevent the writing of binary files
    through HTAs.  We then use the FileSystemObject to move and rename our
    cached exe to a more suitable location (in this case the startup
    directory).  This same technique can be used to trojan any file the current
    user has access to.  We have no reason not to believe that this will also
    work on NT.  (We have a demo; we just can't test it at the moment.)
    
    Solution
    Disable File Downloads or disassociate .HTA files from MSHTA.exe.  Disabling
    scripting does not stop this; we believe it is due to the fact that the HTA
    is already on the local system at the time of execution, thus making it
    trusted.
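
The check below is an added example, not part of the original post: it audits whether the .hta extension still resolves to MSHTA.exe, which is the second mitigation named above. The registry values in the two sample tables are constructed, the function names are hypothetical, and only the classic HKEY_CLASSES_ROOT association is examined (per-user overrides are assumed absent).

```python
import re

# Constructed sample default values, keyed by HKEY_CLASSES_ROOT subkey.
DEFAULT_ASSOC = {
    r".hta": "htafile",
    r"htafile\shell\open\command": r'C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*',
}
REMAPPED_ASSOC = {
    r".hta": "txtfile",
    r"txtfile\shell\open\command": r"C:\WINDOWS\NOTEPAD.EXE %1",
}

def hta_handler(lookup):
    """Resolve .hta -> ProgID -> open command. `lookup(subkey)` returns the
    key's default value, or None when the key is missing."""
    progid = lookup(".hta")
    if not progid:
        return None
    return lookup(progid + r"\shell\open\command")

def launches_mshta(command):
    """True when the executable named in the open command is mshta.exe."""
    if not command:
        return False
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', command)
    exe = (m.group(1) or m.group(2)) if m else ""
    name = exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name in ("mshta.exe", "mshta")

def audit(lookup):
    """Report the resolved open command and whether the host is still exposed."""
    cmd = hta_handler(lookup)
    return {"command": cmd, "exposed": launches_mshta(cmd)}

def windows_lookup(subkey):
    """Live lookup on Windows via the standard-library winreg module."""
    import winreg
    try:
        return winreg.QueryValue(winreg.HKEY_CLASSES_ROOT, subkey)
    except OSError:
        return None

if __name__ == "__main__":
    import sys
    lookup = windows_lookup if sys.platform == "win32" else DEFAULT_ASSOC.get
    print(audit(lookup))
```

On a non-Windows host the script falls back to the constructed default table so the logic can still be exercised.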
    


