Full Disclosure: Re: Self-Executing HTML: Internet Explorer 5.5 and 6.0 Part IV

From: Erik van Straten <emvs.fd.3FB4D11C_at_cpo.tn.tudelft.nl>
Date: Fri, 2 Jan 2004 16:02:34 +0100

On Thu, 1 Jan 2004 22:41:35 -0000 "http-equiv_at_excite.com" wrote:
[snip]
> Fully self-contained harmless *.exe:
>
> http://www.malware.com/exe-cute-html.zip
[snip]

This doesn't look like self-executing HTML - anyway.

[Disabling Mshta.exe]

Microsoft is _WRONG_ to have HTA interpreted by default, and not even
provide an option to disable it. All HTAs I've seen (quite a few) were
malware.

To prevent this particular exploit from running, you may want to delete
or rename mshta.exe --At Your Own Risk--. I've done this on all boxes I
manage on 20030909 and haven't run into problems. I've not restored
this after applying MS03-040, since lusers will click OK because they
don't know what an HTA is. Note: MS03-040 won't block this exploit, and
other browsers may invoke mshta.exe.

If mshta.exe is also in the DLLCache subdir, you may have to boot safe
mode with command prompt, and rename/delete it in both DLLCache and
System32.

Warning: do not boot Safe Mode With Networking, because then XP-ICF
(Internet Connection Firewall) does not run (thanks MS).

[Other Attack Vectors]

Unfortunately more attack vectors are possible. Please refrain from
publishing them, the point was made (you'll be helping "the patch"
morons et al, which backfires if they joe-job you or your site).

As a test I've just killbitted Shell.Application:

---------- cut here ----------
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{13709620-C279-11CE-A49E-444553540000}]
"Compatibility Flags"=dword:00000400
"Comments"="Shell.Application kill-bit/killbit 20040102"
"Reason#1"="http://seclists.org/lists/fulldisclosure/2004/Jan/0002.html"
"Reason#2"="Self-Executing HTML: Internet Explorer 5.5 and 6.0 Part IV"
-------- end cut here --------

Watch out for line wraps; there should be 7 lines. The last 3 lines
are optional but help me locate why/what/when.

It prevents the exploit, however I don't know what this breaks; if
anyone knows, please respond to the list (no metoo's and "use another
browser" BS, please). Also: start a new thread+subject if you wish
to comment on the ICF issue, portscans, or blah.

Happy 04.
Erik

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Received on Jan 02 2004
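The kill-bit .reg file in the post above, worked through as an added example (this is not Erik's code, nor anything shipped by Microsoft): a script that generates a REGEDIT4 kill-bit entry for a given CLSID and parses a .reg file back to confirm that bit 0x400 of "Compatibility Flags" (the kill bit IE honours under ActiveX Compatibility) is actually set on the key, so a batch of kill bits can be sanity-checked before it is merged on a box with `regedit /s file.reg`. The Shell.Application CLSID and the 0x400 value are the ones from the post; the function names, the escaping rules applied to comment strings, and the all-zero CLSID used as a negative check are this example's own assumptions.

```python
"""Generate and validate ActiveX kill-bit entries in REGEDIT4 format.

Added example, not part of the original post. The CLSID and the 0x400
kill-bit flag are taken from the post; helper names are assumptions.
"""
import re

# Key under which IE looks up per-CLSID compatibility flags.
ACTIVEX_COMPAT = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility"
KILLBIT = 0x00000400  # "Compatibility Flags" bit that stops IE instantiating the control

CLSID_RE = re.compile(
    r"^\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}$", re.I)

# The .reg posted above, reproduced here as sample input for the parser.
POSTED_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{13709620-C279-11CE-A49E-444553540000}]
"Compatibility Flags"=dword:00000400
"Comments"="Shell.Application kill-bit/killbit 20040102"
"Reason#1"="http://seclists.org/lists/fulldisclosure/2004/Jan/0002.html"
"Reason#2"="Self-Executing HTML: Internet Explorer 5.5 and 6.0 Part IV"
"""


def _reg_escape(s):
    """Escape a string value the way .reg files expect (backslash and quote)."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def killbit_reg(clsid, comment=""):
    """Return REGEDIT4 text that sets the kill bit for one CLSID."""
    if not CLSID_RE.match(clsid):
        raise ValueError("not a CLSID: %r" % clsid)
    lines = ["REGEDIT4", "",
             "[%s\\%s]" % (ACTIVEX_COMPAT, clsid.upper()),
             '"Compatibility Flags"=dword:%08x' % KILLBIT]
    if comment:
        lines.append('"Comments"="%s"' % _reg_escape(comment))
    return "\n".join(lines) + "\n"


def parse_reg(text):
    """Parse REGEDIT4 text into {key: {value_name: value}}.

    Only dword and quoted-string values are handled; anything else is an error,
    which is what you want when vetting a file before importing it.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None:
            raise ValueError("value outside any key: %r" % line)
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if not m:
            raise ValueError("unparsable line: %r" % line)
        name, val = m.group(1), m.group(2)
        if val.lower().startswith("dword:"):
            keys[current][name] = int(val[6:], 16)
        elif len(val) >= 2 and val.startswith('"') and val.endswith('"'):
            keys[current][name] = val[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        else:
            raise ValueError("unsupported value type: %r" % val)
    return keys


def is_killbitted(reg, clsid):
    """True if the parsed .reg sets the kill bit on clsid (key match is case-insensitive)."""
    want = (ACTIVEX_COMPAT + "\\" + clsid).lower()
    for key, values in reg.items():
        if key.lower() == want:
            return bool(values.get("Compatibility Flags", 0) & KILLBIT)
    return False


if __name__ == "__main__":
    shell_app = "{13709620-C279-11CE-A49E-444553540000}"
    print("posted file kill-bits Shell.Application:", is_killbitted(parse_reg(POSTED_REG), shell_app))
    print(killbit_reg(shell_app, "Shell.Application kill-bit 20040102"))
```

The parser deliberately rejects value types it does not understand (hex:, expandable strings and so on) rather than skipping them: a kill-bit file should contain nothing but the key and a dword, and anything else in a file you are about to import with regedit /s deserves a look.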
