[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
 
 discussions
- read forum
- new topic
- search
 

 meetings
- meetings list
- recent additions
- add your info
 
 top 100 sites
- visit top sites
- sign up now
- members
 
 webmasters

- add your url
- add domain
- search box
- link to us

 
 projects
- our projects
- free email
 
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : IE 5.x/Outlook allows executing arbitrary programs using .chm files and files and temp internet files folder

Title: IE 5.x/Outlook allows executing arbitrary programs using .chm files and files and temp internet files folder
Released by: Georgi Guninski
Date: 20th November 2000
Printable version: Click here 
Georgi Guninski security advisory #28, 2000



IE 5.x/Outlook allows executing arbitrary programs using .chm files and

temporary internet files folder



Systems affected:

IE 5.5/Outlook/Outlook Express - probably other versions, have not

tested



Risk: High

Date: 20 October 2000



Legal Notice:

This Advisory is Copyright (c) 2000 Georgi Guninski. You may distribute

it unmodified.

You may not modify it and distribute it or distribute parts of it

without the author's

written permission.



Disclaimer:

The opinions expressed in this advisory and program are my own and not

of any company.

The usual standard disclaimer applies, especially the fact that Georgi

Guninski

is not liable for any damages caused by direct or  indirect use of the

information

or functionality provided by this advisory or program.

Georgi Guninski, bears no responsibility for content or misuse of this

advisory or program or

any derivatives thereof.



Description:



There is a security vulnerability in IE 5.5/Outlook/Outlook Express

which allows

executing arbitratrary programs using .chm files and revealing the

location of

temporary internet files folder. This may lead to taking full control

over user's computer.



Details:

I reported a similar vulnerability regarding .chm files sometime ago and

Microsoft fixed it

by allowing .chm files to run programs only if the .chm was loaded from

the local file system.

But it is possible to find the temporary internet files folder - there

are several folders with

random names.

The following HTML code:

http://SOMEHOST.COM/chmtemp.html" TYPE="text/html"

WIDTH=200 HEIGHT=200>

where SOMEHOST.COM is a web server or alias that is different from the

web server from which

the HTML page is loaded may reveal one of the temporary internet files

folders thru document.URL.

Once a temporary internet files folder name is known it is possible to

cache a .chm in any

temporary internet files folder and then use window.showHelp() to

execute it.

There are other ways to execute programs once a temporary internet files

folder is known and

document is cached in it but showHelp() seems to be the simplest.

If the demonstration does not work wait a minute and reload the page or

increase the number of

"chm*.chm" files in  and showHelp() or increase the time to wait if

it is insufficient

to download the chm files.





The code is:



---------chmtempmain.html------------------------------------------
























The object below must be loaded from a server with name different from

the parent document -

it may be the same server but use the IP address or another alias.




If this does not work try increasing the number of "chm*.chm" in IMG and

showHelp.




http://guninski.com/chmtemp.html" TYPE="text/html"

WIDTH=200 HEIGHT=200>

---------------------------------------------------------------------



--------chtmtemp.html------------------------------------------------



---------------------------------------------------------------------







Workaround:

Disable Active Scripting





Demonstration is available at:

http://www.guninski.com/chmtempmain.html



Vendor status:

Microsoft was contacted on 15 November 2000.





Regards,

Georgi Guninski

http://www.guninski.com





(C) 1999-2000 All rights reserved.