heise Security

c't Browsercheck
Demo: Downloading and executing arbitrary files (ADODB)



This demo, too, makes it possible to download a file directly from the Internet and execute it. One more careless click on a link is enough for a file to be downloaded to your computer and executed there. It can just as well be a virus, a password sniffer or a directly destructive program that deletes every reachable file. Several sites are known to us on which this IE problem is currently being actively exploited.

The Browsercheck demo is based on a whole set of individual weaknesses that can be combined. The central problem is the ActiveX object ADODB.Stream, which can be remote-controlled via JavaScript in order to write data to the hard disk. In this way new files can be created or existing ones overwritten. However, this is only possible in the security zone "Local computer" (My Computer).

Its rights can nevertheless be obtained by loading a local error page and injecting the desired JavaScript code into it. The original exploit overwrites the Windows Media Player wmplayer.exe in this way with another file loaded from the net. By calling a Multimedia URL ("mms://"), this file is then started.

Our demo instead creates a file C:\cttest.exe and starts it via a further security problem in Internet Explorer that allows arbitrary local files to be executed. It is based once more on the possibility of loading programs in the local zone via the codebase option of Object tags. The file wmplayer.exe is not changed in the process. (Thanks to Johannes Riecke, who made this code available to us.)
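The chain described above combines a write primitive (ADODB.Stream driven from script) with a launch primitive (an Object tag whose codebase points at a local file, or an mms:// URL). A proxy or mail gateway can flag pages that carry both. The following is an added example of such a content-inspection check; it is not code from c't or from the demo. It assumes the ADODB.Stream CLSID from public ActiveX registration data, and the sample fragments are constructed for the test, not taken from any real page.

```python
"""Content-inspection check for the ADODB.Stream download-and-execute chain.

Added example; not code from heise/c't.  Indicators are string patterns
only.  ADODB.Stream on its own is used legitimately by intranet applications,
so a single hit is reported as 'suspicious'; 'high' requires a write
primitive and a launch primitive in the same fragment.
"""
from __future__ import annotations

import re

# ADODB.Stream CLSID (assumption: taken from public component registration
# data, not from the c't page).
ADODB_STREAM_CLSID = "00000566-0000-0010-8000-00AA006D2EA4"

INDICATORS = {
    # instantiation of the object from script (ProgID) or markup (CLSID)
    "adodb_stream": re.compile(
        r"ADODB\.Stream|clsid:" + ADODB_STREAM_CLSID, re.I),
    # <object codebase="C:\..."> loading a file from a local drive letter
    "object_codebase_local": re.compile(
        r"<object\b[^>]*\bcodebase\s*=\s*['\"]?[A-Za-z]:\\", re.I | re.S),
    # Multimedia URL used by the original exploit to start wmplayer.exe
    "mms_url": re.compile(r"\bmms://", re.I),
}

WRITE_PRIMITIVES = {"adodb_stream"}
LAUNCH_PRIMITIVES = {"object_codebase_local", "mms_url"}


def find_indicators(html: str) -> set[str]:
    """Return the names of all indicators present in the HTML/script text."""
    return {name for name, rx in INDICATORS.items() if rx.search(html)}


def classify(html: str) -> tuple[str, set[str]]:
    """'high' if a write and a launch primitive co-occur, 'suspicious' if
    only one side is present, 'clean' otherwise."""
    hits = find_indicators(html)
    if hits & WRITE_PRIMITIVES and hits & LAUNCH_PRIMITIVES:
        return "high", hits
    if hits:
        return "suspicious", hits
    return "clean", hits


# Constructed sample fragments for the check (not from any real page).
SAMPLE_BENIGN = "<html><body><p>Nothing to see here.</p></body></html>"
SAMPLE_INTRANET = '<script>var s = new ActiveXObject("ADODB.Stream");</script>'
SAMPLE_CHAIN = (
    '<script>var s = new ActiveXObject("ADODB.Stream");</script>'
    '<object codebase="C:\\cttest.exe"></object>'
)

if __name__ == "__main__":
    for label, frag in (("benign", SAMPLE_BENIGN),
                        ("intranet", SAMPLE_INTRANET),
                        ("chain", SAMPLE_CHAIN)):
        verdict, hits = classify(frag)
        print(f"{label:9s} {verdict:10s} {sorted(hits)}")
```

The two-tier verdict is the important design choice: blocking every page that mentions ADODB.Stream would break legitimate intranet applications, while the combination of a script-driven disk write and a local-file launch has no ordinary use on an Internet page.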

Demo:
The following demo loads a program from our server without further prompting, installs it as c:\browsercheck.exe and executes it. The program then displays the message "You are vulnerable" on a red background. If the program is not installed and executed, the demo did not work.

This security hole does not require administrator rights, only write access to C:\. Any other directory, such as C:\windows\temp, could be chosen instead. In addition, the demo is based on a set of security holes, each of which represents a risk on its own. If the demo does not work, that does not automatically mean that you are immune to all of these risks.


Remedy:
This demonstration was already published at the beginning of September. So far, however, no patch exists against the security holes used in it. Switching off Active Scripting prevents execution of the exploit, but means that many web pages no longer work.
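Whether Active Scripting is actually off for the zones an Internet page is loaded into can be audited from a registry export rather than by clicking through the Internet Options dialog. The following is an added example of such an audit; it is not code from c't. It assumes, from public documentation of Internet Explorer zone settings rather than from this page, that zone settings live under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<n>, that zone 3 is Internet and zone 4 Restricted sites, that Active Scripting is the DWORD value "1400", and that 0 means enable, 1 prompt and 3 disable. The two .reg exports are constructed: one with the weak default and one with the corrected setting.

```python
"""Audit IE security-zone registry exports for the Active Scripting setting.

Added example; not code from heise/c't.  Registry paths, zone numbers and
the meaning of value "1400" are assumptions from public IE documentation.
"""
import re

ZONES_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
             r"\Internet Settings\Zones")
ACTIVE_SCRIPTING = "1400"          # assumed value name for Active Scripting
SETTING_NAMES = {0: "enable", 1: "prompt", 3: "disable"}
INTERNET_ZONE, RESTRICTED_ZONE = 3, 4


def parse_reg_export(text):
    """Parse the [key] and "name"=dword:xxxxxxxx lines of a .reg export into
    {key: {value_name: int}}.  Only DWORD values are kept."""
    result = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            result.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
        if m and current is not None:
            result[current][m.group(1)] = int(m.group(2), 16)
    return result


def active_scripting_value(reg, zone):
    """Raw DWORD for Active Scripting in the given zone, or None if absent."""
    return reg.get(f"{ZONES_KEY}\\{zone}", {}).get(ACTIVE_SCRIPTING)


def audit(text, zones=(INTERNET_ZONE, RESTRICTED_ZONE)):
    """Return {zone: (setting_name, ok)}.  ok is True only when Active
    Scripting is set to disable (3); a missing value is reported as such
    and treated as not ok, since IE then falls back to the zone default."""
    reg = parse_reg_export(text)
    report = {}
    for zone in zones:
        value = active_scripting_value(reg, zone)
        report[zone] = (SETTING_NAMES.get(value, "missing"), value == 3)
    return report


# Constructed exports: weak setting (Active Scripting enabled in the Internet
# zone) and the corrected one (disabled), Restricted sites disabled in both.
WEAK_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3]
"1400"=dword:00000000

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\4]
"1400"=dword:00000003
"""

HARDENED_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3]
"1400"=dword:00000003

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\4]
"1400"=dword:00000003
"""

if __name__ == "__main__":
    for label, export in (("weak", WEAK_EXPORT), ("hardened", HARDENED_EXPORT)):
        print(label, audit(export))
```

The audit reads an export produced with reg.exe or the Registry Editor, so it runs anywhere, including on a machine that is not the one being checked. As the text above notes, the corrected setting costs functionality on many pages, which is why the report shows the current value rather than silently changing it.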


Copyright © 2003 Heise magazines publishing house