Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: [security] What A Click! [Internet Explorer]
From: Lance James <lancej () securescience net>
Date: Fri, 27 Jan 2006 11:22:11 -0800

yossarian wrote:

There is an easy trick to avoid a .HTA related 'thingie' such as this
one: tell your windows to open .HTA files in notepad.  It broke the
beautifull PoC I guess, had it in place as long as this particular
machine (2 years or so), it never broke anything before.

Is there a method of sandboxing the .HTA files? I mean, everything web,
should stay web?

Second hint for people protecting lusers: design a nice corporate
colors standard theme and disable the standard theme. Exit this kind
of attack (since there are more ways to cover windows with malicious



----- Original Message ----- From: "mikx" <mikx () mikx de>
To: <full-disclosure () lists grok org uk>
Cc: <bugtraq () securityfocus com>
Sent: Tuesday, January 24, 2006 8:06 PM
Subject: [security] What A Click! [Internet Explorer]

It's now almost 18 months ago that i posted my first security
advisory "What A Drag! -revisited-", seems to be a good time to post
"What A Click!".

Both bugs had about the same exploit potential, but i assume this one
will have far less impact and media response (which i consider a
great thing for various reasons). Thanks to everybody who researched,
worked, chatted, discussed and got drunk with me in the last months
to make this change happen - you know who you are.


Using custom Microsoft Agent characters it is possible to cover any
kind of windows, including security or download dialogs. This is an
expected feature of the Microsoft Agent control. To quote the product
homepage: "Animations are drawn on top of any underlying application
window, characters are not bounded within their own, separate window"
(http://www.microsoft.com/msagent/prodinfo/datasheet.asp). Custom
characters can be created with tools downloadable from that homepage.

Because custom characters are fully scriptable, can have any kind of
shape and are downloaded automaticly, this can be used as a flexible
tool to cover and/or spoof any kind of window and lure the user to
execute arbitrary code by performing one or two clicks (depening on
security zone configuration and Windows version).



The PoC is designed for Internet Explorer 6 on Windows XP SP2 in
Windows classic theme. By clicking on the button in the upper left
corner you start the download of a hta file. The download dialog gets
covered by a Microsoft Agent character which fakes a button (basicly
a large white image with a button border in the middle). Move the
character by dragging to see how it uses a "transparent spot" to make
room for clicking on the underlying dialog through the button space.
Transparent areas in characters are really "not there", meaning you
can click through them.

When you click that button you execute arbitraty code in the hta
file, in this case you create the folder "c:\booom!". The button in
the upper left corner is only need to get around the "drive by
download" protection of Windows. When this protection is not in place
(e.g. on Windows 2000) this PoC could be reduced to a single click
interaction to execute arbitrary code.


The bug got fixed as part of the Microsoft Security Bulletin MS05-032
(yeah, last summer).

The patch adds an additional security dialog before loading a custom
agent character. Be aware that in trusted zones that dialog might not

2004-10-04 Vendor informed
2004-10-06 Vendor opened case, could not repro
2004-10-06 Vendor got new testcase
2004-10-12 Vendor confirmed bug
2005-06-14 Vendor relased patch and advisory
2006-01-22 Public disclosure

__Affected Software

Internet Explorer on Windows 98, 98 SE, ME, XP, 2000, Server 2003
with different severity. See Microsoft Security Bulletin MS05-032 for


Michael Krax <mikx () mikx de>


Get your free port scan here: http://www.seifried.org/freescan2/

security mailing list
security () lists seifried org

Best Regards,
Lance James
Secure Science Corporation
Author of 'Phishing Exposed'

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]