Re: DOS Exploit Executing programs

From: Budget Print Center (budget(nospam)print_at_1usa.net)
Date: 11/03/04


Date: Wed, 3 Nov 2004 15:02:32 -0500

homework?

-- 
"Display tolerance & kindness to those with less
knowledge than you because there is ALWAYS
someone with more"
"Tony" <anonymous@discussions.microsoft.com> wrote in message
news:3c6c01c4c1d6$d378fbe0$a301280a@phx.gbl...
> Hi, every time I run Spybot-SD Resident it shows a DOS
> exploit. The fix I got follows:
>
> GreyMagic Security Advisory GM#001-IE
> By GreyMagic Software, Israel.
> 27 Feb 2002.
> Topic: DSO Exploit - Executing programs without Scripting
> or ActiveX.
>
> SPYBOT USERS FAQ:
> Q: Can you help me understand how to resolve the DSO
> Exploit issue?
>
> A: Unfortunately no, GreyMagic does not provide any
> support for this or any other issue we have revealed in
> our security research. Questions and help queries should
> be forwarded to Spybot or Microsoft. Emails concerning
> this issue are automatically filtered and cannot be read
> or acknowledged in any way.
>
> Q: Did you put this spyware / exploit / vulnerability on
> my computer?
>
> A: Absolutely not. GreyMagic detected this issue in
> Microsoft Internet Explorer and reported it to the public.
> GreyMagic does not produce nor will it ever produce
> spyware.
>
> The following text is a technical analysis of the
> vulnerability. This is the reason Spybot directed you
> here.
>
> Discovery date: 25 Feb 2002.
>
> Affected applications:
> Any application that hosts the WebBrowser control (5.5+)
> is affected since this exploit does not require Active
> Scripting or ActiveX. Some of these applications are:
>
> Microsoft Internet Explorer
> Microsoft Outlook
> Microsoft Outlook Express
>
> Introduction:
> In an advisory from Jan 10 2002 "The Pull" demonstrated
> how it is still possible to use an older bug (initially
> discovered by Dildog) in the <object> HTML element to run
> arbitrary commands.
>
> Although "The Pull"'s findings were interesting, his
> analysis of the re-found bug was erroneous: the problem
> does not lie within the Popup object; the problem is with
> dynamically inserted HTML fragments at any point in the
> document.
>
> All "createPopup" does is create a (featureless) window
> containing an empty HTML document; this does not pose a
> threat, but later on that document has HTML injected into
> it (using innerHTML), which is the actual problem.
>
> For example, the following code will work just the same:
>
> <span id="oSpan"></span>
> <script language="jscript" defer>
>     oSpan.innerHTML='<object classid="clsid:11111111-1111-1111-1111-111111111111" codebase="c:/winnt/system32/calc.exe"></object>';
> </script>
>
> (Note: innerHTML is not the only property that can be used
> to dynamically insert HTML into any element; it is also
> possible to use outerHTML, insertAdjacentHTML and more to
> gain the same results.)
>
> Discussion:
> So now that we have identified the origin of the problem,
> we can search for ways to dynamically insert HTML without
> using any Active Scripting at all. It will then become
> possible to use this bug in more "protected" environments,
> such as Microsoft Outlook or Internet Explorer with Active
> Scripting and ActiveX disabled.
>
> One of the exciting features that came along in IE4 was
> Data Binding; it enables developers to completely separate
> any application data from the presentation layer. The data
> sources (DSO) for Data Binding can be almost anything, CSV
> files (with TDC), HTML, XML and many more. Data Binding
> binds HTML elements (data consumers) such as div or span
> to the DSO without need for a single line of script code.
>
> We found out that when the "dataFormatAs" attribute is set
> to "HTML" on the consumer, Data Binding internally uses
> innerHTML in order to insert the data into the element
> (otherwise innerText is used).
>
> So all we need to do now is supply a DSO that contains the
> offending <object> element; the rest will be done for us
> by the Data Binding engine, no scripting needed.
>
> Exploit:
> In the following example we're using an XML data-island as
> our DSO and a span element as the data consumer. Using XML
> is especially comfortable because it can be embedded
> within the document, without the need for external requests
> that may be stopped by the host application.
>
> <span datasrc="#oExec" datafld="exploit"
> dataformatas="html"></span>
> <xml id="oExec">
>     <security>
>         <exploit>
>             <![CDATA[
>             <object id="oFile" classid="clsid:11111111-1111-1111-1111-111111111111"
>             codebase="c:/winnt/system32/calc.exe"></object>
>             ]]>
>         </exploit>
>     </security>
> </xml>
>
> Solution:
> There is no configuration-tweaking workaround for this
> bug; it will work as long as the browser parses HTML. The
> only possible solution must come in the form of a patch
> from Microsoft.
>
> Update - 3 Mar 2002
>
> Since the injected <object> runs in the "My Computer" Zone,
> changing the Internet Zone's settings couldn't affect it,
> but changing the affected zone's settings will prevent
> this exploit from running.
>
> Here is the registry information:
>
> [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
> Change the value of "1004" (DWORD) to 3.
>
> Many thanks to Axel Pettinger and Garland Hopkins for this
> workaround.
>
> Tested on:
> IE5.5 Win98.
> IE5.5 NT4.
> IE6 Win2000.
> IE6 WinXP.
>
> Demonstration:
> We put together two proof-of-concept demonstrations:
>
> Important Note: If you run anti-virus software, it may
> complain when you try to run these. This does NOT mean
> that you have a virus now, or that you're affected or
> unaffected by this vulnerability.
>
> Simple: attempts to run "c:/winnt/system32/calc.exe".
> Advanced: lets the user pick what they want to run.
>
> Disclaimer:
> The information in this security advisory and any of its
> demonstrations is provided "as is" without warranty of any
> kind.
>
> Vulnerability details are provided strictly for
> educational and defensive purposes.
>
> However, my Registry value at
> HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion
> \Internet Settings\Zones\0
>
> reads Name (ab), Type (REG_SZ), Data (appears blank).
> Is my machine vulnerable, and if so, what should I do?
> Many thanks
>
>
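What a mail gateway or content filter would look for, as an added example that is not part of the advisory or of this thread: a small JavaScript (Node) scanner over raw HTML text that flags the three shapes the advisory describes (an <object> whose codebase points at a local file, a data consumer with dataformatas="html" bound to an XML island that carries such an object, and a script feeding one to innerHTML/outerHTML/insertAdjacentHTML). The sample documents, the finding names and the example.com host are constructed for this example; the exploit markup is the advisory's PoC with the line-wrapped clsid rejoined.

```javascript
// Added example, not code from the advisory or the thread: a content-filter
// style scanner for the GM#001-IE pattern, run over raw HTML text (say, a mail
// body) before anything renders it. Sample inputs are constructed here.
const TAG_RE = /<([a-z][\w-]*)\b([^>]*)>/gi;
const ATTR_RE = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
const ISLAND_RE = /<xml\b([^>]*)>([\s\S]*?)<\/xml>/gi;
const SCRIPT_RE = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
// The DOM properties the advisory names as HTML-inserting sinks.
const HTML_SINKS = /\b(innerHTML|outerHTML|insertAdjacentHTML)\b/;

const SAMPLES = {
  // The advisory's data-binding PoC (wrapped clsid rejoined): no script at all.
  dsoIsland: `
<span datasrc="#oExec" datafld="exploit" dataformatas="html"></span>
<xml id="oExec"><security><exploit><![CDATA[
<object id="oFile" classid="clsid:11111111-1111-1111-1111-111111111111"
  codebase="c:/winnt/system32/calc.exe"></object>
]]></exploit></security></xml>`,
  // The advisory's scripted variant (the re-found Dildog / "The Pull" bug).
  scriptInnerHtml: `
<span id="oSpan"></span>
<script language="jscript" defer>
oSpan.innerHTML='<object classid="clsid:11111111-1111-1111-1111-111111111111" codebase="c:/winnt/system32/calc.exe"></object>';
</script>`,
  // Legitimate use: text-formatted binding plus a control fetched over HTTP
  // (example.com is a placeholder host).
  benignBinding: `
<span datasrc="#prices" datafld="item"></span>
<xml id="prices"><row><item>Widget</item></row></xml>
<object classid="clsid:22222222-2222-2222-2222-222222222222"
  codebase="http://example.com/ctl.cab#version=1,0,0,0"></object>`,
};

// One tag's attribute text -> lowercase-keyed map (quotes optional, like IE).
function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR_RE)) attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  return attrs;
}

// The dangerous shape is a codebase IE resolves locally (drive path, file:,
// UNC, bare name) instead of an http(s) download; flagging everything that
// is not http(s) is deliberately conservative.
function isLocalCodebase(codebase) {
  return !/^\s*https?:\/\//i.test(codebase);
}

// Every <object> in `text` whose codebase points at something local.
function localObjects(text) {
  const hits = [];
  for (const m of text.matchAll(TAG_RE)) {
    const attrs = parseAttrs(m[2]);
    if (m[1].toLowerCase() === 'object' && attrs.codebase !== undefined
        && isLocalCodebase(attrs.codebase)) hits.push(attrs.codebase);
  }
  return hits;
}

function scanHtml(html) {
  const findings = [];
  // 1. Any <object> with a local codebase, wherever it sits in the text.
  for (const codebase of localObjects(html)) {
    findings.push({ kind: 'local-codebase-object', codebase });
  }
  // 2. Scriptless delivery: a consumer with dataformatas="html" bound to an
  //    XML island whose field content carries such an <object>.
  const islands = new Map();
  for (const m of html.matchAll(ISLAND_RE)) {
    const id = parseAttrs(m[1]).id;
    if (id !== undefined) islands.set(id.toLowerCase(), m[2]);
  }
  for (const m of html.matchAll(TAG_RE)) {
    const attrs = parseAttrs(m[2]);
    if (attrs.datasrc === undefined) continue;
    if ((attrs.dataformatas || '').toLowerCase() !== 'html') continue;
    const island = attrs.datasrc.replace(/^#/, '').toLowerCase();
    const body = islands.get(island);
    if (body !== undefined && localObjects(body).length > 0) {
      findings.push({ kind: 'dso-html-binding', consumer: m[1].toLowerCase(),
                      island, field: attrs.datafld });
    }
  }
  // 3. Scripted delivery: an HTML-inserting sink fed a string holding such an <object>.
  for (const m of html.matchAll(SCRIPT_RE)) {
    if (HTML_SINKS.test(m[1]) && localObjects(m[1]).length > 0) {
      findings.push({ kind: 'script-html-injection', sink: m[1].match(HTML_SINKS)[1] });
    }
  }
  return findings;
}

// Distinct finding kinds, sorted: the convenient shape for a verdict.
function findingKinds(html) {
  return [...new Set(scanHtml(html).map(f => f.kind))].sort();
}

for (const [name, html] of Object.entries(SAMPLES)) {
  console.log(name, '->', findingKinds(html).join(', ') || 'clean');
}
```

Run it with node: the two exploit samples report local-codebase-object plus their delivery kind (dso-html-binding for the data island, script-html-injection for the innerHTML variant) and the benign sample reports clean. The scanner works on text rather than a DOM, which is what lets it catch the island form that never touches script; the cost is a false positive on any non-http codebase, which is the side to err on for inbound mail.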

