Gator Plugin for Microsoft Internet Explorer Lets Remote Users Install Arbitrary Software on the User's Host
SecurityTracker Alert ID: 1003611|
SecurityTracker URL: http://securitytracker.com/id/1003611
(Links to External Site)
Date: Feb 20 2002
Execution of arbitrary code via network, User access via network|
Exploit Included: Yes |
Eye on Security reported a vulnerability in the Gator plugin for Internet Explorer. Remote users can install software on the user's host and gain access to the host.|
It is reported that a vulnerability exists in the plugin that installs the Gator software. A remote HTML page can apparently specify the location of the Gator installation file. After the installation file is downloaded, the file is executed.
A remote user could create an HTML page which to make use of the Gator ActiveX installation component to point at a trojan file and cause that file to be installed on the user's host.
A demonstration exploit is provided in the Source Message. The exploit installs 'tini.exe', a trojan that listens for connections on port 7777. Information about this trojan is available at:
The demonstration exploit example is available at
A remote user can create an HTML page that, when loaded by another target user, will cause arbitrary code to be installed on the target user's computer.|
No vendor solution was available at the time of this entry.|
The author of the report recommends deleting the ActiveX component from %windir%\Downloaded Program Files.
Vendor URL: www.gator.com/ (Links to External Site)
Access control error|
|Underlying OS: Windows (Any)|
This archive entry has one or more follow-up message(s) listed below.|
Source Message Contents
Subject: Gator installer Plugin allows any software to be installed|
Advisory Title: Gator installer Plugin allows any software to be
Release Date: 21/01/2002
Application: Gator installer plugin for Internet Explorer (GAIN)
Platform: Windows clients with Internet Explorer.
DLL version - 220.127.116.11
Severity: Malicious users can install backdoor software and gain easy
access to the target machine.
[ firstname.lastname@example.org ]
Fills in FORMS without typing!
Remembers PASSWORDS automatically
Protects and encrypts your data on YOUR computer
Gator comes bundled .. etc
The vulnerabity exists in a plugin which installs the actual software.
This plugin is scriptable and an HTML page to specify the location of
the Gator installation. This activeX component is usually installed from
The issue here is that any HTML page can specify the location of the
Gator installation file. The installation file is downloaded, then it is
checked for the filename. If the filename is setup.ex_, it is then
decompressed and executed. If the file is not compressed it will still
execute it. Of course using this method, a malicious user can easily
create an HTML page which makes use of the rogue ActiveX component to
point at a trojan file.
I set up a small demonstation which installs tini.exe (which is a trojan
listening on port 7777).
If you need any information about tini.exe check out
The exploit example is found at :
Simply delete the ActiveX component from %windir%\Downloaded Program
Files .. i think that should fix it.
The information within this document may change without notice. Use of
this information constitutes acceptance for use in an AS IS
condition. There are NO warranties with regard to this information.
In no event shall the author be liable for any consequences whatsoever
arising out of or in connection with the use or spread of this
information. Any use of this information lays within the user's
Please send suggestions, updates, and comments to:
Eye on Security
mail : email@example.com
web : http://www.eyeonsecurity.net