Broadband Tech > Security > Security > Executing arbitrary commands without Active Script

Executing arbitrary commands without Active Script

IE again? Am I surprised?

reply to Zhen-Xjell

Re: Executing arbitrary commands without Active Script

reply to Zhen-Xjell
Interesting as always. The tests only work on NT/2K/XP, so I cannot test this old Win98 box...

R2, you can test for 98 box by specifying the application yourself.
And yes the app will run on 98 boxes...
--
Nunc est bibendum...

You are completely correct. Notepad opened with C:/Windows/Notepad.exe in the Run line.

Here is the *exact* packet that I received to run this:

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Thu, 28 Feb 2002 18:55:29 GMT
Content-Length: 583
Content-Type: text/html
Cache-control: private

<html>
….<head>
…….<title>Running "C:\Windows\notepad.exe"
…….</title>
…….<link rel="stylesheet" href="../sec.css">
….</head>

….<body>
…….Running "C:\Windows\notepad.exe"
…….<span datasrc="#oExec" datafld="exploit" dataformatas="html">
…….</span>
…….<xml id="oExec">
……….<security>
………….<exploit>
…………….<![CDATA[
…………….<object id="oFile" classid="clsid:11111111-1111-1111-1111-111111111111"
………………codebase="C:\Windows\notepad.exe">
…………….</object>.....]]>
………….</exploit>
……….</security>
…….</xml>

…….<form method="post">
……….<input type="text" name="oProg">
……….<input type="submit" id="oCheck" value="Run">
…….</form>
….</body>
</html>
[text was edited by author 2002-02-28 14:10:41]

reply to Zhen-Xjell

said by contango:

---

Very disturbing.
I am not sure if it is important or interesting, but when I entered notepad.exe into the RUN box (instead of the full path C:/Windows/Notepad.exe), I got the above message.
[text was edited by author 2002-03-01 05:34:15]

---

With everything set to Disabled (i.e., all ActiveX), I get that same ActiveX warning box if -- and only if -- I enter the WRONG path in Run. If I enter the correct path, then Notepad, or Calculator, or whatever runs.

The packet I receive from the page is EXACTLY the same as I posted above. So the response is from my computer. My guess is that the [object id="oFile" classid="clsid:11111111-1111-1111-1111-111111111111"] line must trigger ActiveX to try to download a control -- IF the program listed cannot be located.

I am not sure I understand that completely.:(
_____________

Silly side note: I always wondered what the source of that ActiveX Message Box was and I found it: shdoclc.dll

[text was edited by author 2002-03-01 15:59:58]

reply to Zhen-Xjell
With Netscape 4.79 it didn't open notepad but with IE5.5SP2 notepad opened. Like R2 I have everything turned off except submit nonencrypted form data. I'm using Windows ME so I had to put in the path. Now that is a vulnerability.
[text was edited by author 2002-03-01 14:26:24]

reply to Zhen-Xjell
Strange,

All I get is the following:

Running "c:/winnt/system32/calc.exe"..

I check in task manager and nothing is running. when I try the advanced window I get a run box but again nothing happens.

I just realized the path is wrong. XP Home edition doesn't use the winnt directory.
The advanced one will work if you put the complete path in the directory. I also have unsigned ActiveX disabled and signed ActiveX for prompt and it still runs with the complete path in the run box. The question is can someone manipulate the code to type in the run box and click run?

[text was edited by author 2002-03-01 14:51:54]

reply to Zhen-Xjell
Interesting it won't open Netscape.exe and while it will open hdown.exe, a filedownloader, it won't open it with command parameters. I wonder why.

reply to Zhen-Xjell
This is very bad

[text was edited by author 2002-03-01 16:23:04]

said by BlitzenZeus:

---

This is very bad

---

reply to Zhen-Xjell
There is a registry tweak which may help with this...

Disable Access to File URLs in Internet Explorer (All Versions)
Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Value Name: NoFileUrl
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = Enable File URLs, 1 = Disable)

(The NoFileURL key will probably need to be added).

Of course, to those who are not confident or familiar with making Registry edits, you'd be advised to backup the Registry before adding/editing to it... and if in any doubt, don't make any Registry Changes.

The tweak should be able to prevent IE from opening any files and executables. It should limit IE to opening only URLs.

Of course, it still doesn't take away the fact this is still a problem with IE. Just thought I'd offer a suggestion for those who may be interested.

Edit: Ignore this tweak. Having tested the vulnerability, it still exists following editing this tweak into the registry. Sorry.

[text was edited by author 2002-03-01 17:24:23]

Sorry Murray, it doesn't work...

said by BlitzenZeus:

---

Sorry Murray, it doesn't work...

---

Do I sense Proxo converts?

reply to Zhen-Xjell
Here is the fix that I found on the GRC.com discussion group. First, you need to make the security settings for My Computer visible in Internet Explorer. Then you need to disable downloading unsigned ActiveX controls in the My Computer zone. To make the My Computer security zone visible. Set the value of the following registry key to "3":

HKCU\Software\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\0\Flags

Then go to IE's security settings. You will see a new zone called My Computer. Disable downloading unsigned ActiveX controls. You might also want to disable scripting of unsafe ActiveX controls while you are at it.

If you have already run the test, you should delete the ActiveX control that was silently downloaded into your Downloaded Program Files subdirectory of your windows directory. The control to delete is the one with all the 1's in its name.

That fixes it!

--Mathew Chacko

reply to Zhen-Xjell
Zhen, any ideas how Proxo stops the .exe files from executing?
Murray's reg hack apparently didn't work, but the solution could still be somewhere in the registry?

Jason, here is a new project for you!
Wouldn't it be wonderful if Script Sentry could save our souls