Coffeehouse Thread

14 posts

So now we wait for Shell.Application?

  • manickernel

    for a demo follow this link

    After reading Nektar's post below, figured I should at least add a disclaimer saying to "run at your own risk", although at most it will just open cmd.exe /pause... at least right now.

    Since the proof of concept code calls "cmd.exe" through shell.application it will only give the prompt on win2k or XPsp1 with Internet Explorer. ME & 98 don't use cmd.exe. In this case it just stops at step 3 which is the browser injection.

    (Please don't shoot the messenger!)

    For information go here

    Clarification: If your system is vulnerable the demo will open a command prompt. After reading Larry's post below I double-checked my system (XP Pro w/ IE6 SP1) and was only missing two security updates, one being 840374 from May 11 (the other being DirectX). Installed this and now just get "error on page".

    Fully patched now and still get cmd.exe opening

  • infrared

    About the same time Jelmer found the adodb bug, http-equiv
    found a similar issue with the object "Shell.Application".

    This issue has also been unfixed for the past ten months.

    Unfortunately, Microsoft has not taken the "hint" and not
    fixed this issue either.

    Is this true?? I thought the ADODB/Download.ject thing was from June 6 or something, not 10 months.

    If they had 10 months to fix download.ject..oh boy...


  • LarryOsterman

    Windows ME, IE6, up-to-date, I get a popup window, then a big dialog telling me that someone is trying to run scripts on my computer and that the scripts might corrupt my system.

    On XP SP2, the popup blocker didn't let the popup run.

    If someone decides to ignore the "You might corrupt your system if you click yes"....

  • LarryOsterman

    Oh, and as stepto has mentioned before, ADODB.Stream doesn't have bugs in it.  It's a vector however that can be exploited by bugs in other layers.

    It's called defense-in-depth.  Instead of just finding all the callers of ADODB.Stream and fixing them, you just kill ADODB.Stream and cut off all the vectors that can attack it.

  • infrared

    Larry, what security level is your Internet Zone on?  Mine is medium, IE6, Win98, and I get the little box, then it redirects to shell:WINDOWS\Web\TIP.HTM (in the address bar).

    If it's on some other level, what specific setting do I turn on (under custom settings) to get the warning dialog you have under WinME?

    [And uh hopefully that really *was* just a proof of concept, because the secunia page doesn't really say what that page does.  If not, my box is screwed..]

  • manickernel

    I looked at this further, and 840374 does not disable it. I had run the eEye registry modification prior to the demo being disabled, and then run the "-unfix" afterwards to retest, but found that it was not removing the ActiveX compatibility registry entry it had made previously:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{13709620-C279-11CE-A49E-444553540000}]
    "Compatibility Flags"=dword:00000400

    Apparently the "unfix" registry entry had word wrap on.

    I am interested if others are getting the C:\ prompt.

    Patching this would be difficult, as we do use wsh scripts in our environment.
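The registry entry quoted in the post above is the ActiveX "kill bit" for the Shell.Application CLSID. As an added example (not code from the thread or from eEye), the PowerShell below reports whether that kill bit is present, sets it, or removes it again, which is what the "-unfix" step was supposed to do. The CLSID and the 0x400 flag value come from the post; the function names are mine, and writing to HKLM needs an elevated prompt.

```powershell
# Added example: inspect, set or clear the ActiveX Compatibility kill bit
# for Shell.Application. CLSID and flag value are taken from the thread.
$ShellAppClsid = '{13709620-C279-11CE-A49E-444553540000}'
$KeyPath = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$ShellAppClsid"
$KillBit = 0x400   # "Compatibility Flags"=dword:00000400

function Get-KillBitState {
    # Returns 'absent', 'clear' or 'set' for the Compatibility Flags value.
    param([string]$Path = $KeyPath)
    if (-not (Test-Path -Path $Path)) { return 'absent' }
    $flags = (Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return 'absent' }
    if (($flags -band $KillBit) -eq $KillBit) { return 'set' }
    return 'clear'
}

function Set-KillBit {
    # Creates the CLSID key if needed and ORs the kill bit into any existing flags.
    param([string]$Path = $KeyPath)
    if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $existing = (Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = if ($null -eq $existing) { $KillBit } else { $existing -bor $KillBit }
    New-ItemProperty -Path $Path -Name 'Compatibility Flags' -PropertyType DWord `
        -Value $new -Force | Out-Null
}

function Remove-KillBit {
    # The "unfix": clears only the kill bit, leaving any other flags in place.
    param([string]$Path = $KeyPath)
    if (-not (Test-Path -Path $Path)) { return }
    $existing = (Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $existing) { return }
    $new = $existing -band (-bnot $KillBit)
    if ($new -eq 0) {
        Remove-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    } else {
        Set-ItemProperty -Path $Path -Name 'Compatibility Flags' -Value $new
    }
}

# Usage: report the current state; uncomment one of the next two lines to change it.
Write-Host "Shell.Application kill bit: $(Get-KillBitState)"
# Set-KillBit;    Write-Host "after set:   $(Get-KillBitState)"
# Remove-KillBit; Write-Host "after unfix: $(Get-KillBitState)"
```

Running the report after applying and then reverting the eEye fix would have shown the 'set' state the post describes surviving the "-unfix" step.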

  • nektar

    I tried the page and it opened up cmd.exe. I got no warnings, no errors, no nothing. I am fully up to date with patches and I am using default security zone settings, something that all typical users would also do. I looked at the page source and from what I gather the script that runs cmd, although a bit hidden on the page, can if extended do much more than opening a cmd shell. Anyone can simply add, instead of only a pause command, things like del commands erasing files on your computer, open up backdoors, etc. In fact, I guess that they can use the full power of the commandline or run any kind of installed program on your computer.
    That is, if that page has not done that already, without our knowledge!

  • juliankay

    I'm running Service Pack 2 on Windows XP and it doesn't do anything. Just get an error icon in the corner.

    I don't really feel like trying it on my other machines though!

  • prog_dotnet

    ---

  • manickernel

    Oh this is cool, try this little demo out from secunia:

    http://secunia.com/multiple_browsers_frame_injection_vulnerability_test/

    and they aren't just picking on IE anymore.
    (Firefox was immune though)

    Maybe Microsoft should just distribute XPsp2 to everyone running 2000 and above AS a patch.

  • Karim

    manickernel wrote:

    Oh this is cool, try this little demo out from secunia:

    http://secunia.com/multiple_browsers_frame_injection_vulnerability_test/

    and they aren't just picking on IE anymore.
    (Firefox was immune though)

    Maybe Microsoft should just distribute XPsp2 to everyone running 2000 and above AS a patch.

    LOL!  Can you imagine the calls to PSS... "Hi, I just installed the latest 600 MB 'patch' for IE and... now my Start Menu looks all funny... and I can't find anything in Control Panel any more... and when I go to search for files, my computer locks up for five minutes and then displays this cute little dog...."

    Yeah, pretty sweet now that they've got this vulnerability working on Netscape now, huh?  All someone needs to do now is come out with an Apache version of Download.Ject and we can pretty much all just shut down the Internet and go home.  ("Well, that was fun while that lasted....")

    Mozilla was also immune... Netscape 7.1 though, was just as bad as IE.  (And it wouldn't render the Microsoft logo either.  Go figure!)

  • Shining Arcanine

    manickernel wrote:
    Since the proof of concept code calls "cmd.exe" thru shell.application it will only give the prompt on win2k or XPsp1 with Internet Explorer. ME & 98 don't use cmd.exe. In this case it just stops at step 3 which is the browser injection.

    manickernel wrote:
    (Please don't shoot the messenger!)

    But I like shooting the messenger:

    http://www.grc.com/stm/shootthemessenger.htm

    manickernel wrote:
    Fully patched now and still get cmd.exe opening


    Strangely, my system seems to be immune. I guess the Google Toolbar is preventing the exploit from working.

  • manickernel

    SA, I actually went out and downloaded the google toolbar, uninstalled the MSN toolbar (am I loyal or what?) and tried it. Nopey.

    Now drop your internet zone to "medium" (the default) 'cause I am thinking you have it on "high" and try it.

    Kinda like this google thing though, think I'll stick with it...

  • Shining Arcanine

    manickernel wrote:

    SA, I actually went out and downloaded the google toolbar, uninstalled the MSN toolbar (am I loyal or what?) and tried it. Nopey.

    Now drop your internet zone to "medium" (the default) 'cause I am thinking you have it on "high" and try it.

    Kinda like this google thing though, think I'll stick with it...

    I don't have it on either. I have it set to custom settings for extra security while maintaining usability.
