Monday, October 25, 2004

IE 6.0 + XP SP2 Vulnerability

The following was published by the SANS Institute.

A new critical vulnerability has been reported in IE 6.0 on XP SP2: one of Microsoft's patches from last week has already been bypassed by attackers, at least on some platforms.

HIGH: Internet Explorer Drag and Drop Vulnerability

Affected:

Internet Explorer 6.0 on fully patched XP SP2

Description: A variation of the "drag and drop" vulnerability has been reported that may be exploited to compromise a Windows client via a malicious web page or an HTML email. The exploitation proceeds as follows:

(a) A specially crafted HTML "style" sheet is used to access a local folder on a Windows client.

(b) An IMG element whose "src" points to a filename without any extension is dragged and dropped into the local folder opened in step (a). IE's cumulative patch MS04-038, released last week, prevents an IMG element whose src is an executable file from being dragged.

However, the patch does not prevent the "drag and drop" of an image whose src attribute points to other file formats such as .pdf or .xml.

Further, if the IMG element's src file has no extension, IE appends an extension matching the detected file type once the drag and drop completes. Thus, an attacker can create a malicious file with a ".htm" extension on the client's local file system.

(c) The malicious HTML file is invoked via the HTML Help ActiveX control (hhctrl.ocx). This leads to execution of arbitrary code on the client system.

A proof-of-concept exploit has been publicly posted. The PoC demonstrates how to use the "ADODB.recordset" object to write arbitrary files on the client's local system. Although this exploit requires user interaction, it may be possible to rewrite it so that no user interaction is required. Note that the Akak Trojan exploited the earlier variation of this vulnerability in the wild.

Status: Microsoft has not confirmed the vulnerability. An unofficial fix has been posted that sets the kill bit for the "Shell.Explorer" ActiveX control, the control responsible for displaying folders in IE. Setting the kill bit prevents IE from displaying any folders, and so blocks exploitation via the published attack vector. The fix can be downloaded from: http://www.pivx.com/research/freefixes/neutershellexplorer.reg
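An added example, not code from the SANS post or from PiVX: the kill bit that the unofficial fix sets is the 0x400 bit of the "Compatibility Flags" DWORD under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}. The script below parses a Regedit 5.00 export, reports whether that bit is set for a given control, and can generate an equivalent .reg file, so an administrator can audit machines before and after applying such a fix. The CLSID used for Shell.Explorer is the WebBrowser control's CLSID as assumed here (the post does not list it), the exact contents of the pivx.com file are not reproduced, and the sample export is constructed for illustration.

```python
import re

# Registry key under which IE records per-control kill bits; bit 0x400 of the
# "Compatibility Flags" DWORD disables the control (Microsoft's kill-bit mechanism).
KILLBIT_BASE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
KILLBIT_FLAG = 0x00000400

# CLSID of the Shell.Explorer (WebBrowser) control. Assumed here; it is not in the post.
SHELL_EXPLORER_CLSID = "{8856F961-340A-11D0-A96B-00C04FD705A2}"

# A constructed Regedit export: Shell.Explorer has its kill bit set, a second
# (placeholder) control has Compatibility Flags present but the kill bit clear.
OTHER_CLSID = "{00000000-0000-0000-0000-000000000000}"  # placeholder, constructed
SAMPLE_EXPORT = f"""Windows Registry Editor Version 5.00

[{KILLBIT_BASE}\\{SHELL_EXPLORER_CLSID}]
"Compatibility Flags"=dword:00000400

[{KILLBIT_BASE}\\{OTHER_CLSID}]
"Compatibility Flags"=dword:00000000
"""


def parse_reg(text):
    """Parse a Regedit 5.00 export into {key_path_lower: {value_name: (type, value)}}.
    Only dword and plain string values are handled; that covers kill-bit files.
    Key paths are lower-cased because the registry is case-insensitive."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if not m:
            continue
        name, rhs = m.group(1), m.group(2)
        if rhs.lower().startswith("dword:"):
            keys[current][name] = ("dword", int(rhs[6:], 16))
        elif rhs.startswith('"') and rhs.endswith('"'):
            keys[current][name] = ("string", rhs[1:-1])
    return keys


def kill_bit_set(reg_text, clsid):
    """True if the export sets the kill bit (0x400) for the given CLSID."""
    keys = parse_reg(reg_text)
    entry = keys.get(f"{KILLBIT_BASE}\\{clsid}".lower(), {})
    kind, value = entry.get("Compatibility Flags", (None, 0))
    return kind == "dword" and bool(value & KILLBIT_FLAG)


def audit(reg_text, clsids):
    """Map each CLSID of interest to whether its kill bit is set in the export."""
    return {clsid: kill_bit_set(reg_text, clsid) for clsid in clsids}


def killbit_reg(clsid):
    """Produce a Regedit 5.00 file that sets the kill bit for clsid.
    Note: killing Shell.Explorer also stops IE from displaying folders, as the post says."""
    return (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        f"[{KILLBIT_BASE}\\{clsid}]\r\n"
        f'"Compatibility Flags"=dword:{KILLBIT_FLAG:08x}\r\n'
    )


if __name__ == "__main__":
    for clsid, killed in audit(SAMPLE_EXPORT, [SHELL_EXPLORER_CLSID, OTHER_CLSID]).items():
        print(f"{clsid}: kill bit {'set' if killed else 'NOT set'}")
    print(killbit_reg(SHELL_EXPLORER_CLSID))
```

On a live machine the export would come from `reg export "HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility" out.reg`; the parser is kept independent of the Windows registry API so the same audit can be run on collected exports from any host.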

References:

Posting by http-equiv

http://archives.neohapsis.com/archives/ntbugtraq/2004-q4/0078.html

Posting by Thor Larholm

http://archives.neohapsis.com/archives/fulldisclosure/2004-10/0754.html

SecurityFocus BID

http://www.securityfocus.com/bid/11466