Flooding Internet Explorer 6.0.2800 (6.x?) security zones ! [CRITICAL]

From: Marek Bialoglowy (mbat_private)
Date: Thu May 08 2003 - 02:05:38 PDT


    Systems Affected : Internet Explorer 6.0.2800 (6.x?)
    Remotely exploitable: Yes
    Author: Marek Bialoglowy (System Integra - mbat_private)
    Attached files: dmz2.rar (archive password:zones)
    
    Note: This is part of my research, and the purpose of this post is to
    consult the results and the potential vulnerability with a wider group of
    security experts.
    
    --------
    
    # Introduction
    
    I've found a sample VB script created by a person using the nickname
    'netric' that creates a large number of FRAMES in Internet Explorer and
    mass-executes 'telnet://www.microsoft.com:80' requests. I believe this
    dangerous VBS script is already known to everyone (AVP recognizes it as
    Trojan.VBS.IFram). Well, I believe it is the right moment to inform Bugtraq
    about a potential critical vulnerability in Internet Explorer version 6
    (maybe 5.5 also?), which, used together with this script (version modified
    by me: the dmz2.html file), could provide an easy way to intrude on a large
    number of workstations on a LAN. I found this security problem while doing
    research on techniques for delivering passive Trojan executables through
    Outlook Express and Internet Explorer - anyway, very advanced Trojans
    (project "UTP" for people familiar with this name).
    
    # Vulnerability
    
    I've noticed that in my test environment it is possible to bypass Internet
    Explorer Zones protection by flooding it with a large number of file://
    requests, for example to an infected fileserver. The result of this bypass
    is EXECUTION OF ANY REQUESTED FILE. My requested file was 'trojan.exe',
    placed on a neighbouring WIN2K Professional workstation. To see the code
    used during the test, check the files in the attached archive.
    
    On IE 6.0 the result was always the same: after more than 200 dialog boxes
    with the 'trojan.exe' request, the requested file suddenly got executed. For
    the purpose of this test I used two Win2K and WinXP workstations with
    Internet Explorer 6.0.2800.1106 (I believe that's the most recent version of
    IE), and on both workstations opening the 'dmz1.html' file through a LAN
    share resulted in executing the 'trojan.exe' application. My Internet
    Security Zone was set to "MEDIUM".
    
    Internet Explorer 5.x doesn't seem to be vulnerable. I didn't have a chance
    to test it on versions of IE 6.x other than 6.0.2800. One person reported to
    me that this bug has not affected IE 6.0.2600.
    
    # Exploitation
    
    Well, to make it short: the possibility of giving our evil HTML file a .jpg
    extension, so that our "dmz2.html" becomes "photo1.jpg", dramatically
    increases the scale of the vulnerability. I don't think any Internet
    Explorer user suspects a threat from a simple .jpg file?!? It is also quite
    hard to stop all these windows suddenly popping up due to the executed
    VBScript. I believe people actually expect a quite high threat from browsing
    websites (in this case we can use the dmz1.html exploit) using IE and rather
    don't expect anything harmful from connecting to a
    http://somewhere.com/pics/photo1.jpg URL (right?). I will also mention that
    it requires at least 200 request windows to pop up, so if the user kills the
    iexplore.exe process before 200 requests pop up, then the attack won't be
    successful. I think the best method of exploitation is to use VBScript
    opening the file requests rather than a single file with the requests as SRC
    of FRAMEs. The presented methods are just a few of many other techniques
    which could be used to exploit this vulnerability.
    
    I don't see a potential threat coming from the Internet, because this little
    thing requires opening > 200 windows, which will be quite hard on a standard
    Internet connection. I believe this vulnerability is dangerous mostly on a
    LAN, oh, and certainly it can allow executing any local file from the
    Internet (I was not able to execute a local file on WinXP).
    
    # Solution
    
    Well, wait for patches? Other browsers are probably not vulnerable (checked
    on Opera). You can also set the Security Zone to HIGH.
    
    Oh, and the dangerous VBS script is recognized by AVP and some other
    antivirus software, so this is already part of the solution.
    
    --------
    
    Anyway, I am waiting for feedback to confirm my results. Thank you.
    
    PS: Regards to segfault.net and "Lam3rz" group for interesting knowledge
    exchange.
    
    Best Regards,
    
     Marek Bialoglowy (mbat_private) Information Security Expert
     PGPkey: http://www.systemintegra.com/pgp/ultor.asc | ID: 0x4B36656E
     JOB: (CTO) System Integra | JKT, Indonesia | Timezone: JAVT, GMT +7
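As an added defender-side example (not part of Marek's post or of the attached dmz2.rar archive), the following Python script shows the kind of check a mail gateway, proxy or file-share scanner could apply to the "photo1.jpg" trick described in the Exploitation section: it compares the claimed .jpg extension against the JPEG magic bytes, looks for HTML/script markup inside the supposed image, and counts file:// references as a crude indicator of the request flood. The file names, the UNC path, the marker list and the threshold of 50 references are assumptions chosen for illustration, and both sample inputs are constructed.

```python
import re

# A real JPEG starts with the SOI marker FF D8 FF.
JPEG_MAGIC = b"\xff\xd8\xff"

# Markup that has no business appearing inside an image file (assumed list).
HTML_MARKERS = (b"<html", b"<script", b"<frame", b"<iframe",
                b"vbscript", b"window.open")

# Any file:// URL; the advisory's flood is built from hundreds of these.
FILE_URL_RE = re.compile(rb"file://[^\s'\"<>]+", re.IGNORECASE)


def is_jpeg(data: bytes) -> bool:
    """True when the content really begins like a JPEG image."""
    return data.startswith(JPEG_MAGIC)


def inspect_image(filename: str, data: bytes, flood_threshold: int = 50) -> dict:
    """Inspect a file that is *presented* as an image and report why it is suspicious.

    flood_threshold (assumed value 50) is deliberately well below the ~200
    windows the advisory needed, so that an alert fires early.
    """
    findings = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""

    # 1. Extension says JPEG, content does not.
    if ext in ("jpg", "jpeg") and not is_jpeg(data):
        findings.append("extension/content mismatch: .jpg without JPEG magic bytes")

    # 2. HTML or script markup inside something claiming to be an image.
    head = data[:65536].lower()
    markers = [m.decode() for m in HTML_MARKERS if m in head]
    if markers:
        findings.append("html/script markup inside image file: " + ", ".join(markers))

    # 3. Unusually many file:// references, the building block of the flood.
    file_refs = FILE_URL_RE.findall(data)
    if len(file_refs) >= flood_threshold:
        findings.append(f"{len(file_refs)} file:// references (possible request flood)")

    return {"filename": filename, "suspicious": bool(findings), "findings": findings}


# Constructed sample inputs (not files from the advisory's archive).
BENIGN_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32
DISGUISED_HTML = (
    b"<html><frameset>"
    + b'<frame src="file://fileserver/share/app.exe">' * 60  # assumed UNC path
    + b"</frameset></html>"
)


def scan_samples() -> list:
    """Run the inspection over both constructed samples."""
    return [
        inspect_image("holiday.jpg", BENIGN_JPEG),
        inspect_image("photo1.jpg", DISGUISED_HTML),
    ]


if __name__ == "__main__":
    for result in scan_samples():
        status = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{result['filename']}: {status}")
        for finding in result["findings"]:
            print("  -", finding)
```

The magic-byte comparison alone catches the renamed file; the marker and file:// counts are there so that the scanner still says something useful when the extension is honest but the content embeds the flood.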
    
    
    



    This archive was generated by hypermail 2b30 : Fri May 09 2003 - 08:30:39 PDT