Addendum Re: Internet Explorer Pop-Up OBJECT Tag Bug

From: the Pull (osioniusxat_private)
Date: Wed Jan 16 2002 - 10:32:01 PST


    Pop-Up Bug Notes
    
    First, adding an addendum about the bug which Dave
    Ahmad discovered:
    
    This can be used with the window object as well, when
    setting the document body's innerHTML property and
    using method "window.open()".
    
    This information has been forwarded to the vendor.
    
    Secondly, there are a number of issues about this bug
    which I go into below. I do not believe I am in error;
    if I am, feel free to point it out to me:
    
    
    By itself it is a violation of a basic security
    principle (that remote, malicious users should not be
    able to control the execution of software).
    
    What sort of exploits it would work with, otherwise
    (Least to worst):
    
    ->It is a DoS
    
    -> Users can be tricked into manipulating their own
    programs because the pop-up object allows for
    obscuring dialogs, according to Guninski's Oct bug on
    the object, which still works after all tests.
    
    -> Code can normally be executed in the Codebase tag,
    if code can be executed within this object it could
    be dangerous. (See below).
    
    -> If it is found that a parameter can be passed
    either through the PARAM tag or through url wrangling
    such as with the "telnet:%20-f" bug, then a remote
    user could take total control of the system. They
    could format the disk, use the command prompt to
    download and execute trojans, etc.
    
    -> The object is being executed in My Computer
    security zone, ie, the codebase problem is a Microsoft
    "feature", it just should only work in My Computer
    Zone -- not remotely. 
    
    This can be tested by separating the object from the
    script and viewing the page remotely versus on My
    Computer.
    
    Some of the problems with this:
    
    Internet - Default Settings
    
    Download signed ActiveX controls - Prompt
    Download unsigned ActiveX controls - Disable
    Initialize and script ActiveX controls Not Marked As
    Safe for Scripting - Disable
    Java Permissions - High Safety
    
    My Computer - Default Settings
    
    Download signed ActiveX controls - Enable
    Download unsigned ActiveX controls - Enable
    Initialize and script ActiveX controls Not Marked As
    Safe for Scripting - Prompt
    Java Permissions - Medium Safety
    
    This means you could just sign your ActiveX and have
    it set itself "Safe for Scripting" and it will do so
    without a prompt. Signing ActiveX is relatively
    inexpensive and there are no checks done on the code.
    
    I am not sure how Java could be used with this, I
    haven't played with the settings enough. However, the
    object tag is used for applets now according to the
    W3C standards.
    
    
    
    --- the Pull <osioniusxat_private> wrote:
    > Internet Explorer Pop-Up OBJECT Tag Bug
    > 
    > Class: Failure to Handle Exceptional Conditions
    > Remote: Yes
    > Local: Yes
    > Found: January 10, 2001
    > Severity: Moderate
    > Vulnerable: IE 6.0.2600.0000
    > + Windows 2000 Update Versions: Q312461;
    > Q240308;Q313675
    > 
    > Discussion: The PopUp object allows the insertion of
    > embedded objects; they run in a high privilege space
    > allowing the execution of local applications
    > remotely.
    > (Using the codebase tag, courtesy of Dildog and
    > Microsoft).
    > 
    > Caveats, Notes: Under initial testing scripting was
    > not possible in the popup object, nor could I pass
    > parameters to the executables. Regardless, there may
    > be more dangerous examples of code being put within
    > the popup object as it seems to do almost no
    > internal checking at all.
    > 
    > Exploits: http://www.osioniusx.com
    > 
    > "funRun.html" - This page shows how you can run just
    > about anything you want on a Windows system remotely
    > from IE if it is on the user's system. I have
    > included in it two sections: one section demonstrating
    > running applications through the popup object; the second
    > section demonstrating opening up control panels and
    > the like from the earlier released bug
    > "directoryInfo.html", ie the "file://::{CLSID}"
    > feature of IE.
    > 
    > 
    > Potential Solution: Fix required on the popup
    > object.
    > 
    > Workaround Suggestions: Disable ActiveScripting, use
    > Netscape on untrusted sites, browse trusted sites
    > only, do not allow ActiveScripting to be parsed in
    > emails or newsposts
    > 
    > Vendor Status: Emailed "Secureat_private" 
    > 
    > Disclosure Policy: I am not opposed to more warning
    > for advisories and decide on that on a case by case
    > situation. See Also, FullDisclosure.txt.
    > 
    > 
    
    
    __________________________________________________
    Do You Yahoo!?
    Send FREE video emails in Yahoo! Mail!
    http://promo.yahoo.com/videomail/
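    The zone comparison the post lays out, as an added audit script that is not part of the original post: it reads IE's per-zone policies from the registry, flags each ActiveX policy where the My Computer zone is laxer than the Internet zone, and applies the post's own workaround of disabling Active Scripting in the Internet zone. The zone numbers (0 = My Computer, 3 = Internet) and the policy ids 1001, 1004, 1201 and 1400 are assumed from IE's documented zone registry layout.

```powershell
# Added example, not code from the original post. Assumes the standard IE zone layout
# under HKCU (Zones\0 = My Computer, Zones\3 = Internet) and the per-zone DWORD
# action ids 1001, 1004, 1201 and 1400 (assumption: IE's documented policy ids).
$ZoneBase = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# The settings the post compares between the two zones.
$Policies = [ordered]@{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1201' = 'Initialize and script ActiveX controls not marked safe for scripting'
    '1400' = 'Active scripting'
}
# IE stores the chosen action as a DWORD: 0 = Enable, 1 = Prompt, 3 = Disable.
$Action = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ZoneAction {
    param([int]$Zone, [string]$PolicyId)
    $key  = Join-Path $ZoneBase $Zone
    $item = Get-ItemProperty -Path $key -Name $PolicyId -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$PolicyId
}

# Report each policy where My Computer (zone 0) is laxer than Internet (zone 3);
# a lower action value is the more permissive one, so "laxer" is simply local -lt inet.
function Compare-LocalZoneToInternet {
    foreach ($id in $Policies.Keys) {
        $local = Get-ZoneAction -Zone 0 -PolicyId $id
        $inet  = Get-ZoneAction -Zone 3 -PolicyId $id
        $localText = $(if ($null -eq $local) { 'not set' } else { $Action[$local] })
        $inetText  = $(if ($null -eq $inet)  { 'not set' } else { $Action[$inet] })
        [pscustomobject]@{
            Policy        = $Policies[$id]
            MyComputer    = $localText
            Internet      = $inetText
            LocalIsWeaker = ($null -ne $local) -and ($null -ne $inet) -and ($local -lt $inet)
        }
    }
}

# The post's workaround: turn off Active Scripting (1400) in the Internet zone.
function Disable-InternetZoneActiveScripting {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $key = Join-Path $ZoneBase 3
    if ($PSCmdlet.ShouldProcess($key, 'Set Active scripting (1400) to Disable (3)')) {
        Set-ItemProperty -Path $key -Name '1400' -Value 3 -Type DWord
    }
}

Compare-LocalZoneToInternet | Format-Table -AutoSize
# Disable-InternetZoneActiveScripting -WhatIf   # preview the change before applying it
```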
    



    This archive was generated by hypermail 2b30 : Wed Jan 16 2002 - 16:16:55 PST