Internet Explorer Object Data Remote Execution Vulnerability
Release Date:
August 20, 2003
Date Reported:
April 8, 2003
Patch Development Time (In Days):
134
Severity:
High (Remote Code Execution)
Vendor:
Microsoft
Systems Affected:
Microsoft Internet Explorer 5.01
Microsoft Internet Explorer 5.5
Microsoft Internet Explorer 6.0
Microsoft Internet Explorer 6.0 for Windows Server 2003
Overview:
eEye Digital Security has discovered a security vulnerability in Microsoft's Internet Explorer that would allow executable code to run automatically upon rendering malicious HTML.
This is a flaw in Microsoft's primary contribution to HTML, the Object tag, which is used to embed basically all ActiveX into HTML pages. The parameter that specifies the remote location of data for objects is not checked to validate the nature of the file being loaded, and therefore trojan executables may be run from within a webpage as silently and as easily as Internet Explorer parses image files or any other "safe" HTML content.
This attack may be utilized wherever IE parses HTML, including websites, email, newsgroups, and within applications utilizing web-browsing functionality.
Note:
On Windows 2003 Internet Explorer, this vulnerability is noted as being "moderate" rather than "critical." This is because of Windows 2003's "Enhanced Security Configuration Mode", in which Microsoft sets the "Disable ActiveX" option in Internet Explorer's Security Properties by default. Windows 2003 Internet Explorer also disables by default: Visual Basic Script, Javascript, input forms, and the ability to download files.
Due to the popularity and prevalence of ActiveX on the Internet, users running Windows 2003 "Enhanced Security Configuration" Mode may have chosen to reactivate the ability to view active content. These users should be aware that they are at critical risk for this vulnerability and should apply the necessary patch.
As a final note, Microsoft attributes credit to eEye for this vulnerability, but incorrectly refers to it as the "Object Type" bug. The "Object Type" bug is in fact eEye's previously discovered object tag vulnerability. That issue involved a stack-based overflow in the "Type" property, and this current issue involves incorrect handling of the data specified by the "Data" tag.
Technical Details:
Technical Description:

This example is a more traditional attack. In house, we set up a demonstration system that silently loaded "bo2k" and "subseven" trojans from within a single webpage.
The above example is an entirely legitimate session. The only trick is that the "Data" URL must not end in an unsafe extension (e.g., ".exe", ".bat", etc.). The "Content-Type" header returned by the server is treated by Internet Explorer as authoritative. In other words, the client asks for a safe file, the server returns an unsafe file, and Internet Explorer does not know what hit it.
What Internet Explorer should be doing in this case is not loading the unsafe document at all, or it should prompt the user with a severe warning about this file, with the default option being to save the file to disk.
We can generally assume what is going on in this situation. As .hta or "HTML Application" files are not binary and resemble (mechanically) HTML files, IE's inspection of the content cannot tell this file apart from safe HTML. The second check, of the requested MIME type, will see that we are requesting a safe file type, and the third check, of the MIME type returned by the server, will see the server saying this is an HTML application. For whatever reason, IE has ignored the returned MIME type in a security context, but paid attention to it in an execution context.
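As an added example (not eEye's or Microsoft's code), the hardened decision rule the previous two paragraphs describe, run over a few constructed proxy log lines: the request URL's extension and the server's Content-Type are classified separately, and an executable type such as application/hta answered to a safe-looking URL is the mismatch that gets blocked rather than loaded. The extension and MIME lists and the log format are assumptions for illustration.

```python
import re

# Extensions a browser treats as safe to fetch silently for an <object data="...">.
# Assumed list; the advisory only says the URL must not end in .exe, .bat and the like.
SAFE_EXTENSIONS = {".htm", ".html", ".gif", ".jpg", ".png", ".txt"}

# Server-declared types that would reach an execution context. application/hta is the
# HTML Application type the advisory describes; the others are assumed for illustration.
EXECUTABLE_MIME = {"application/hta", "application/x-msdownload", "application/octet-stream"}

# Constructed proxy log: "METHOD URL RESPONSE-CONTENT-TYPE" per line. Not real traffic.
SAMPLE_LOG = """\
GET http://intranet.example/logo.gif image/gif
GET http://203.0.113.10/news.htm application/hta
GET http://203.0.113.10/update.exe application/x-msdownload
GET http://www.example.com/page.html text/html
"""

LOG_RE = re.compile(r"^(?P<method>\S+) (?P<url>\S+) (?P<ctype>\S+)$")

def url_extension(url):
    """Lower-cased extension of the URL path, ignoring query and fragment ('' if none)."""
    path = url.split("?", 1)[0].split("#", 1)[0]
    name = path.rsplit("/", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""

def mime_base(ctype):
    """Media type without parameters such as '; charset=...', normalised to lower case."""
    return ctype.split(";", 1)[0].strip().lower()

def decide(url, content_type):
    """Return 'load', 'block' or 'prompt_save' for one fetched object resource.

    A server-declared executable type never overrides what the client asked for:
    a safe-looking URL answered with an executable type is blocked outright, an
    honestly-named executable still only gets a save-to-disk prompt.
    """
    ext, mime = url_extension(url), mime_base(content_type)
    if mime in EXECUTABLE_MIME:
        return "block" if ext in SAFE_EXTENSIONS else "prompt_save"
    return "load"

def scan_log(text):
    """List of (url, decision) for every parsable log line that is not a plain 'load'."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and (verdict := decide(m["url"], m["ctype"])) != "load":
            findings.append((m["url"], verdict))
    return findings
```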
This attack was discovered through manual testing techniques. The hypothesis was: "Internet Explorer has many avenues where it might be presented with executable content. One of these avenues must be broken so that executable content might be automatically run".
Protection:
Retina Network Security Scanner has been updated to identify this latest Internet Explorer vulnerability.
Vendor Status:
Microsoft was notified and has released a patch for this vulnerability. The patch is available at:
http://www.microsoft.com/technet/security/bulletin/MS03-032.asp
Credit:
Drew Copley, Research Engineer, eEye Digital Security
Related Links:
Retina Network Security Scanner - Free 15 Day Trial
http://www.eeye.com/html/Products/Retina/index.html
Greetings:
Liu Die Yu, http-equiv, Stone Fisk, Dror Shalev, the Shrug, Oliver Lavery, Brett Moore, Chung's Donut Shop, Jolly.
Copyright (c) 1998-2008 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert@eEye.com for permission.
Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.