
Jason Levine
Premium
join:2001-07-13
USA

reply to antiserious

Re: HTA Download, a new type of danger!

said by antiserious:

... yeah, interesting all right ... because I usually right-click links to open a new tab/window, I decided to try your link again, both ways - and waddaya know, today they both open a d/l dialog box, then the ZA permission, then your ports box, then a netstat dos window that shows NOTHING RUNNING, then a neutered report test box from your site ...

... go figure ... I didn't make any changes to SS settings, or IE - but I did update and run XEN last night to clean up/tweak my box ... wonder if those changes had anything to do with it ... anyway, I also would like to know what your little tool does before I run it ...

... hey wait, no offense with the 'little tool' crack - - I meant the toggle ... oh, nevermind ... ...


No offense taken.

All that HTA file does is run Netstat, parse the results, and send them to a webpage to get displayed. (I don't store any of the information that is sent there.)

Try running the script I posted and then click on the HTA link again. Let me know what happens.
--
-Jason Levine
http://www.jasons-toolbox.com/
http://www.PCQandA.com/
http://www.urateit.com/


antiserious
The Future ain't what it used to be
Premium
join:2001-12-12
Scranton, PA

 
 
... When running the toggle, I get this from SS (first gif), then a pop-up saying that HTA has been disabled ... saved the toggle in tools, in case I ever need it un-toggled - is that likely ? ... I'm assuming from this thread we'd prefer this disabled pretty much all the time ...

... THEN when I click the original link, I get the second gif, and if I run it I get the dos netstat window - but now I don't see any ZA warnings (my ZA is set for EVERYTHING to ask permission, ALL the time) ... dunno which way I prefer, dunno if it matters long as I'm protected ... hope this info helps ...

... and thanks for the toggle and the info ... you do real good work, Jason ...

... ps - is that some kinda record for sayin' TOGGLE in one post ? ... ...

--
... "Sometimes you're the Bird ... sometimes you're the Windshield" ...


Jason Levine
Premium
join:2001-07-13
USA

You probably won't need to "un-toggle" it, but I added that in to make it easy to undo the registry changes that the script makes.



Rip2dbone

join:2001-05-05
Queens Village, NY

Here's what I got.


R2
R Not
Premium,MVM
join:2000-09-18
Long Beach, CA
kudos:1

reply to Jason Levine
Hmmm... on this old WinNT box, I cannot get the OpenPorts program to run at all. I get the "Step 1: Run Netstat" and it just sits there for hours. This computer does have Netstat on it.



R2
R Not
Premium,MVM
join:2000-09-18
Long Beach, CA
kudos:1

reply to TonyKlein
I am really confused about this vulnerability, so perhaps someone can enlighten me. Here are my issues:

1) Are people concerned about an HTA file that must be downloaded and then run locally? If that is the case, then it appears (on this computer) that I am hit with the Download Dialog box each and every time I try to download an HTA file. (A sample link to download an HTA file can be found here Jason's Toolbox -- right after the part that says Download OpenPorts.)

2) If that is the case, then I must first elect to DOWNLOAD the HTA file and THEN double-click on it to run it. Or, is there some sneaky method where clicking "Save this file to disk" will also automatically RUN the downloaded file??

3) Despite what some users have said, disabling Active Scripting does not prevent the HTA file on Jason's site from either being downloaded or RUN directly. I don't see where Active Scripting plays a role here at all -- other than the fact that MSHTA.exe came from the Script Host originally. What am I missing?

4) HTA-Stop seems to ONLY be effective at preventing LOCALLY run HTA files -- it has NO power to prevent the running of HTA files that are embedded as links into web pages. So, HTA-Stop only works if you select to first download the file and THEN double-click on it to run the file. If you select to "Open the file from its current location", then HTA-Stop is useless. (Try it on Jason's page and you will see.)

5) HTA-Stop does NOT prevent the running of HTA files that are linked to on web pages. Neither does Script Sentry -- for that matter -- but, Jason is working on that (as above).

6) I really do not understand this part at all:

"This "winmain" program is starting up MSHTA, ready to ACCEPT HTA scripting within a web page and then EXECUTE what is embedded in ANY web page containing VBScript in the form of HTA coded page as a PROGRAM. "

What does "starting up MSHTA" have to do with anything? Since when does Windows require programs to be running to accept a page? You double-click a file or you select to "Open the file" and Windows starts the program immediately -- it does not have to be running.

Furthermore, if I accept the above at face value, then the HTA-Stop program is CLEARLY useless in the instance. HTA-Stop only breaks the file extension to File Type association in the registry. IF I am to believe that a running MSHTA.exe is able to EXECUTE embedded Script in the form of HTA -- then HTA-Stop will have absolutely NO POWER to stop this. How can they believe it would????

Very strange...
___________________________________

Perhaps I am just not understanding -- or perhaps I just have not found a good example. It sounds to me as if people are referring to some "HTA script" that is truly embedded into a web page -- not just a "link" to an HTA file but a situation where the actual code is embedded in the page -- like JavaScript is. Something like:

<SCRIPT Language = HTA>

    --or perhaps--

<SCRIPT Language = VBScript>

HTA scripted code
Is that what they mean?? Is there a page on the web where I can see this??

Thanks.

[text was edited by author 2003-08-01 21:41:12]


purelander
Premium
join:2003-07-11


said by TonyKlein:
This "winmain" program is starting up MSHTA, ready to ACCEPT HTA scripting within a web page and then EXECUTE what is embedded in ANY web page containing VBScript in the form of HTA coded page as a PROGRAM.
R2, I think if VBS can be stopped from running in the browser, then HTA is no threat. I opened openports.hta with Notepad and it is just HTML with embedded VBS.


R2
R Not
Premium,MVM
join:2000-09-18
Long Beach, CA
kudos:1

Not for me...

I beg to differ. At least in the case of a link to an HTA file.

The point that they are making -- eh, I think -- is that the HTA file is downloaded and run in the "My Computer" security zone -- NOT in the Internet zone. So, yes, you might be able to block scripting -- but only if you do so in the My Computer zone. I don't recommend doing that...

With Jason's link to an HTA file I am protected in two ways:

1) The Download Dialog box appears every time -- so I have to CHOOSE to run the HTA file.
2) This specific HTA file triggers a Zone Alarm warning -- because Jason wrote it to connect back to his site to display the results in a user-friendly fashion.

Clearly, HTA-Stop does absolutely nothing to prevent Jason's HTA file from running. So, if they are advertising HTA-Stop as a prevention against IE running HTA files -- and that MAY be a big IF -- I must firmly disagree and claim that they are 'false-advertising' their product...

Is it possible to EMBED HTA in an HTML document?? Well, if an HTA file is simply VBS embedded into HTML I don't see how it is possible...

I need to learn more about HTA.

[text was edited by author 2003-08-02 11:37:27]


antiserious
The Future ain't what it used to be
Premium
join:2001-12-12
Scranton, PA


... I don't have HTA-Stop, but I do get a download permission box, and IF I allow it I get a ScriptSentry warning, so I feel 'covered' - but I no longer get a ZA warning, and I'm not sure why, unless it would come AFTER I let SS run the script ...

... nope, tried again, no ZA warning ... hmmm ... well, at least it needs 2 permissions to run ... still, I wonder about ZA ...

--
... "Sometimes you're the Bird ... sometimes you're the Windshield" ...



R2
R Not
Premium,MVM
join:2000-09-18
Long Beach, CA
kudos:1

Ah... that is very interesting -- and I don't understand why.

If you select to Open the file and run it from Jason's page, then the ZA alarm pops up (Script Sentry will NOT come up unless you have made Jason's modification to the LocalServer32 key as above).

However, if you download the file and run it from your Desktop, NO ZA alarm appears!! That seems very counter-intuitive.

Where are the ZA experts at? I don't necessarily like that...:(


R2
R Not
Premium,MVM
join:2000-09-18
Long Beach, CA
kudos:1

reply to TonyKlein

Re: HTA Download, a new type of danger!

OK, I just verified some things on my Win98 box.

1) Renaming MSHTA.exe will prevent ANY attack. Internet Explorer cannot run HTA files by itself.

2) Disabling Active Scripting in the "My Computer" zone is NOT effective.:( I do not understand why, but somehow the HTA file -- either run locally or over the Internet -- completely bypasses the Security zones. Eh, not good.

3) The HTA file is NOT simply VBS embedded into HTML. Jason's file has this in the HEAD section:
<title>Open Ports</title>
<HTA:APPLICATION ID="OpenPorts" APPLICATIONNAME="Open Ports" BORDER="dialog" BORDERSTYLE="raised" CONTEXTMENU="no" ICON="OpenPorts.ico" MAXIMIZEBUTTON="no" MINIMIZEBUTTON="yes" SELECTION="no" SCROLL="yes" SHOWINTASKBAR="yes" SYSMENU="yes" VERSION="1.01">
This clearly indicates that the file is an HTA file to be run as an HTA application.

Now, can a Web page on the Internet stick something like that in its Header and cause an HTA file to run automatically??

I believe THIS is the exact issue...


antiserious
The Future ain't what it used to be
Premium
join:2001-12-12
Scranton, PA

reply to R2

Re: Not for me...


... okay, just to ADD to the puzzle ... I select 'open' instead of 'save' all the time (for this test), I've run Jason's toggle so apparently that's why I see the SS box, but I DO NOT see a ZA warning, and I have ZA set so EVERYTHING asks, ALL the time - nothing has 'allow' rights, anywhere ... if I okay in Jason's SS box, I go right to the 'open ports' box on his site ... but in the second post I made in this thread (way back when) the ZA warning DID pop up - and now it doesn't ... I have an entry in ZA for the M$ HTML app, it's blocked as a server and set to ask permission in trusted and internet - and yet it no longer does ... again, hmmmmmmm .....

... and if it matters, W98SE, IE6 SP1, ZA free 3.7.202 ...

--
... "Sometimes you're the Bird ... sometimes you're the Windshield" ...


R2
R Not
Premium,MVM
join:2000-09-18
Long Beach, CA
kudos:1

reply to TonyKlein

Re: HTA Download, a new type of danger!

It seems that HTA was specifically designed to avoid Security zones!! Check out this from Microsoft:
said by MSKB:
HTML Applications (HTAs) are full-fledged applications. These applications are trusted and display only the menus, icons, toolbars, and title information that the Web developer creates. In short, HTAs pack all the power of Microsoft® Internet Explorer—its object model, performance, rendering power, protocol support, and channel–download technology — without enforcing the strict security model and user interface of the browser.
Trustworthy Computing at its best...

LowWaterMark
Premium
join:2002-05-16
Wallingford, CT

reply to TonyKlein
Hmm, I'm not sure of the timing on this, but there is a new version of HTAstop available from the primary download location (the download link from simtel as noted in the PSC article). While the text at the site says version 1.0 from April 2001, the file I downloaded from there today says it's version 4.0.1.0 and it does a lot more than the original version.

It still breaks the file association for .hta files in the CLASSES_ROOT in the registry, but, it also breaks the CLSID association, renames the mshta.exe file and replaces it with a copy of notepad.exe, as well. They must have released a new and more effective version.

I'm guessing that this makes it completely effective now based upon what is noted above.
--
Use the most powerful combo Firewall/AV/AT package available - "Common Sense" - It can be upgraded daily!



R2
R Not
Premium,MVM
join:2000-09-18
Long Beach, CA
kudos:1

Thanks. I could not find the new version this AM -- but it certainly sounds a lot more effective -- and likely because of the data above. How exactly does it break the CLSID association -- because that seems very fickle. You have to break it in certain ways to work -- something I was surprised to find out.

I also found out a lot more about HTA files from the MSDN here: http://msdn.microsoft.com/library/default.asp?url=/workshop/author/hta/overview/htaoverview.asp. I found these quotes interesting:

The Power of Trust: HTAs and Security
As fully trusted applications, HTAs carry out actions that Internet Explorer would never permit in a Web page. The result is an application that runs seamlessly, without interruption.

In HTAs, the restrictions against allowing script to manipulate the client machine are lifted. For example, all command codes are supported without scripting limitations (see command id). And HTAs have read/write access to the files and system registry on the client machine.

The trusted status of HTAs also extends to all operations subject to security zone options. In short, zone security is off. Consequently, HTAs run embedded Microsoft ActiveX® controls and Java applets irrespective of the zone security setting on the client machine. No warning displays before such objects are downloaded and run within an HTA.

HTA windows can extend the trust relationship to content in other domains. HTAs allow cross-domain script access between window objects and cookies.
I find the title quite revealing -- the Power of Trust. Yes, that certainly is some power!

In essence, HTAs have the power of an executable file -- yet LOOK and ACT like Internet Explorer. And that can be dangerous...

Download and use HTA files JUST as if they are .exe files.
__________

These quotes:

"This "winmain" program is starting up MSHTA, ready to ACCEPT HTA scripting within a web page and then EXECUTE what is embedded in ANY web page..."

... seem illogical.

I find NO risk whatsoever about "embedded HTA files running automatically upon visiting a web site". That seems to be hype. Additionally, the reports of "winmain.exe" running MSHTA.exe make no sense whatsoever and also fall into the bogus "hype" category -- or it demonstrates a complete misunderstanding of how the Explorer shell works.

Furthermore, statements like, "...it will STILL run what is presented to it when started on a local machine in the "local machine" or "my computer zone"" -- clearly show that the author did not do his homework. HTA files are run OUTSIDE of any zone -- not Local Machine or My Computer -- they are not controlled by ANY security zone.


purelander
Premium
join:2003-07-11

reply to R2


said by R2:
Now, can a Web page on the Internet stick something like that in its Header and cause an HTA file to run automatically??
No, you need to click on a link to a malicious file, save the file on your machine and then choose to deliberately execute that malicious file in order to become infected by it.
»www.nsclean.com/psc-exe2.html
»securityresponse.symantec.com/av···orm.html

but an HTA file can be created from script and placed in the start-up folder in unpatched IE:

Trojan.JS.Seeker

The script uses an MS Internet Explorer 5.0 Typelib security vulnerability to create an HTA file in the Windows start-up directory. This file automatically runs upon the next Windows start-up, at which point the script gains control.

The script in the HTA file modifies the system registry keys where the home and search page addresses are specified (before modifying the keys, the script stores their values into BACKUP1.REG and BACKUP2.REG files in the Windows directory). After this, the script deletes the HTA file (and itself).

»www.viruslist.com/eng/viruslist.html?id=4107
»www.virusbtn.com/resources/virus···eboy.xml

SOLUTION

To remove the association between .hta and HTML applications, you
can do the following:

1. Open up Windows Explorer (i.e. double click on "My Computer")
2. Go to View -> Folder options, go to the 'File Types' tab
3. In the 'registered file types' selection box, pick 'HTML Application'
4. Click remove.

There is also a command line tool in the resource kit called
associate. It might help people who want to do this to a lot of
machines.

Disable File Downloads or disassociate .HTA files from MSHTA.exe.
Disabling scripting does not stop this, it is due to the fact that
the HTA is already on the local system at the time of execution,
thus making it trusted. The reason for this can be found in the
MSDN. It specifically states that HTA's, once run from the local
hard drive or executed from the Internet are considered completely
trusted applications and not under any security restrictions that
IE4>= is under. In fact, an HTA could download an arbitrary Java
application and run it. HTA's can be very dangerous if users
aren't taught to not run an HTA from the web or to let it be
downloaded to a local hard drive.

»p.ulh.as/xploitsdb/NT/ie47.html

LowWaterMark
Premium
join:2002-05-16
Wallingford, CT

reply to R2

Re: HTA Download, a new type of danger!

said by R2:
How exactly does it break the CLSID association -- because that seems very fickle. You have to break it in certain ways to work -- something I was surprised to find out.
Well, not unlike Jason's toggle script, the new HTAstop removes the executable name from the LocalServer32 sub-key (i.e. just blanking it out, as opposed to setting it to a value of "DISABLED").

Of course, the most effective break point has to be renaming the exe file, and replacing it with a copy of notepad. That alone would prevent a system from running HTA scripts, right? But, doing all three certainly can't hurt.
--
Use the most powerful combo Firewall/AV/AT package available - "Common Sense" - It can be upgraded daily!


R2
R Not
Premium,MVM
join:2000-09-18
Long Beach, CA
kudos:1

Thank you. Yes, all three are likely overkill -- but who can argue!
_________________________________

I understand the role of downloaded .hta files and the risks of running them.

Mmpx, I listed the exact quotes from the MSDN where they describe the fact that .hta files are run completely outside of any Security zone -- it's not the "My Computer" zone -- it is no zone at all. HTA files are 'completely trusted' to do whatever they want.

This may sound 'really bad' at first glance, but in essence this simply makes them as powerful as .exe files, .vbs files, .js files, .wsf files, .bat files, .scr files, etc. Because the truth is that all of these files are 'completely trusted' as well. The bottom line is... treat an .hta file the same way you would an .exe file: double-click at your own risk.

The user can protect themselves from inadvertent double-clicking by installing something like HTA-Stop -- or Jason's Script Sentry. Even when compared to the "new HTA-Stop", Script Sentry still comes out a much better and more elegant choice for the following reasons:

1) It protects you from FAR more file extensions
2) It tells the user in simple terms what the file will do
____________________

said by mmpx:

but hta file can be created from script and place in the start-up folder in unpatched IE
Presumably this should not occur with a 'patched' version of IE. The use of the .hta file in this case could be substituted with a .vbs or .js file just as easily -- and the attack would be equally dangerous. The problem with that vulnerability isn't the fact that the created file is an .hta file specifically, but instead that IE did not prevent ANY file type from being created in the Startup folder. Since .vbs or .js files are equally as 'trusted' as .hta files, the risks are the same.

Again, a user would be protected either way with Script Sentry -- just protecting yourself from HTA files is NOT enough!!
________________________________

Of some interest, one can rename an .hta file with an .htm extension. The file can be run by double-clicking it, and IE will open it and run the script inside. Try this with a downloaded copy of OpenPorts.hta.

HOWEVER, since IE is now the running program, zone security IS in effect: this time the script IS run in the My Computer zone (check the Status bar). The "special properties" conferred by the HTA:APPLICATION tag are ignored.

THEREFORE, even if a rogue web site tried to disguise an HTA file as a web page, it would be run by IE and held to the same Security controls as IE.

The fear of web sites automatically loading and running HTA 'script' appears to be completely unfounded -- and you will note NO ONE has come in here to argue otherwise...
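A defensive check for the two points R2 makes in this thread, that an HTA is identified by its HTA:APPLICATION tag rather than its extension, and that renaming .hta to .htm hides nothing from a parser: an added Python example, not code from the thread or from Jason's Toolbox, that flags HTML Application content by that tag regardless of the file name. The sample inputs are constructed, modelled on the HEAD section quoted earlier.

```python
import os
from html.parser import HTMLParser

# Constructed sample (not from the thread): an HTA head section in the style of
# the <HTA:APPLICATION> tag quoted earlier, plus a VBScript block, as it would
# look after being renamed from .hta to .htm.
SAMPLE_HTA = """<html><head>
<title>Open Ports</title>
<HTA:APPLICATION ID="OpenPorts" APPLICATIONNAME="Open Ports" BORDER="dialog"
 CONTEXTMENU="no" SCROLL="yes" VERSION="1.01">
<script language="VBScript">
Set sh = CreateObject("WScript.Shell")
</script>
</head><body></body></html>"""

# Constructed ordinary web page for comparison: script, but no HTA tag.
SAMPLE_PAGE = """<html><head><title>Hello</title>
<script type="text/javascript">document.title = "x";</script>
</head><body>hi</body></html>"""


class _HtaScanner(HTMLParser):
    """Collects the HTA:APPLICATION attributes and every <script> language."""

    def __init__(self):
        super().__init__()
        self.hta_attrs = None        # attributes of <HTA:APPLICATION>, if present
        self.script_langs = []       # language/type of each <script> block
        self.uses_createobject = False
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)              # HTMLParser lower-cases tag and attribute names
        if tag == "hta:application":
            self.hta_attrs = a
        elif tag == "script":
            self._in_script = True
            self.script_langs.append((a.get("language") or a.get("type") or "").lower())

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # CreateObject() is how HTA/VBScript reaches WScript.Shell, the file system, etc.
        if self._in_script and "createobject(" in data.lower():
            self.uses_createobject = True


def scan_html_application(text, filename):
    """Describe whether `text` is an HTML Application and how its name compares."""
    p = _HtaScanner()
    p.feed(text)
    p.close()
    is_hta = p.hta_attrs is not None
    ext = os.path.splitext(filename)[1].lower()
    return {
        "file": filename,
        "is_hta": is_hta,
        "app_name": (p.hta_attrs or {}).get("applicationname"),
        "extension_mismatch": is_hta and ext != ".hta",   # HTA content under .htm/.html
        "script_langs": p.script_langs,
        "uses_createobject": p.uses_createobject,
    }


if __name__ == "__main__":
    for name, body in (("OpenPorts.htm", SAMPLE_HTA), ("index.html", SAMPLE_PAGE)):
        print(scan_html_application(body, name))
```

Run against a downloaded file before double-clicking it, the mismatch flag tells you that a page-looking file would open as a fully trusted HTA if it were ever renamed back.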


R2
R Not
Premium,MVM
join:2000-09-18
Long Beach, CA
kudos:1

reply to TonyKlein

Zone Alarm behavior still questionable...

Oh, one of the things I still have a slight problem with here is the LACK of Zone Alarm notifying the user that an HTML Application (MSHTA.exe) is accessing the Internet. It happens if the file is run from the Internet, but not if the file is downloaded. Why not???
