Thread-topic: [VulnWatch] PoC for Internet Explorer Modal Dialog Issue
> -----Original Message-----
> From: Matthew Murphy [mailto:mattmurphy@xxxxxxxxx]
> Sent: Thursday, April 27, 2006 4:38 PM
> To: undisclosed-recipients
> Subject: [VulnWatch] PoC for Internet Explorer Modal Dialog Issue
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: RIPEMD160
>
> Dear Lists:
>
> Apparently I wasn't clear enough with this paragraph of my advisory, or
> a sizeable portion of the list readership elected to ignore it:
>
> "A malicious user could create content that would request the user to
> click an object or press a sequence of keys. By delivering a security
> prompt during this process, the site could subvert the prompting and
> obtain permission for actions that were not necessarily authorized."
>
> It seemed fairly clear to me, but apparently it sounded better to me
> than it did to some readers. :-(
>
> Basically, the scenario for the vulnerability is as follows:
>
> * Ask for user input that is predictable (mouse clicks, text string with
> the letter 'y', etc.)
>
> * Display a modal security prompt that will "eat" that input and treat
> it as a "Permit" answer to the security prompt.
>
> The result: compromise of security, potentially including arbitrary code
> execution.
>
> A particular scenario was identified that involved the exploitation of
> the modal ActiveX prompt delivered by some systems. The user is asked
> to type a certain string of characters (ala captcha). A prompt will be
> displayed (hopefully during the time the user is typing the string) to
> install the Microsoft Surround Video Control.
>
> If you're still typing the "captcha" when the prompt appears, you'll
> install the control. This works as advertised against all systems
> EXCEPT Windows XP SP2 and Windows Server 2003 SP1. If the software you
> install hoses your box, just remember that it's signed by Microsoft. In
> other words... don't look at me.
>
> Other prompts on XP SP2 and 2003 SP1 are exploitable for various gains
> as well. Virtually any prompt that wasn't commonly displayed on a web
> page prior to these updates is still handled via the (risky) modal
> dialog model. One example is the "Allow Paste Operations via Script"
> prompt that is displayed when a web page attempts to access the
> clipboard. Another example is "Initialize and Script ActiveX controls
> not marked as safe" prompt, which is somewhat mitigated by LMZ lockdown.
>
> All of those cases are exploitable in the same way as this one -- you
> simply have to change the "unsafe" action. Rather than having a page
> generate an ActiveX install, for instance, you could have it try to
> sniff the clipboard, initiate install-on-demand, or some other suspect
> action. The ability to cause the action to be approved silently is
> achieved the same way -- having a user unwittingly enter a 'Y' to the
> prompt.
>
> As you might notice, the exploit vector is virtually identical to that
> of MS05-054. I'm beginning to wonder if maybe it isn't the triviality
> of the remaining issues making them hard for people to envision. After
> all, Jesse Ruderman provides all of the theory and Secunia even
> demonstrates it for us with the file download dialog exploit code. The
> follow-up attack to such precise, detailed research is not a terribly
> creative one -- it merely involves piecing together what somebody else
> missed, ignored or didn't research to its full depth. This is a really
> easy class of attack to eliminate completely when compared to other more
> insidious attack vectors, and I expect that this process will eventually
> happen.
>
> Note that the standard disclaimer (that your use of this is at your own
> risk) still applies. Perhaps more so this time, because there's
> Microsoft code coming down along with the exploit. Not to say that my
> code is less buggy than Microsoft's (at least, not if I wrote a few
> billion lines of it) rather that it's third-party software and may be
> subject to unforeseen security risks, incompatibilities or other
> maladies (ala COM Object Instantiation or MS06-015).
>
> - --
> "Social Darwinism: Try to make something idiot-proof,
> nature will provide you with a better idiot."
>
> -- Michael Holstein
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2 (MingW32)
> Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB5444D38
>
> iD8DBQFEULsifp4vUrVETTgRA+22AKCl1mkmE5EVB2R+Nv+H64VynQccmQCcCPMx
> oGy6Mz4Lcoj7ZyPhQ+LEB2I=
> =+LbS
> -----END PGP SIGNATURE-----
>
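The class of bug the quoted message describes comes down to a modal prompt accepting the first keystroke it sees, even one the user was already typing for something else. The example below is added here and is not code from the original post, from Microsoft, or from any browser; it models a security prompt with and without an input settle delay (the mitigation the message alludes to when it calls the class "easy to eliminate") and replays a constructed keystroke timeline against both. The key bindings, the 80 ms typing cadence, the prompt timing and the 1000 ms delay are all assumptions chosen for the illustration.

```javascript
// Added example, not code from the original post or from any vendor: a model
// of a modal security prompt with and without an input settle delay, driven by
// a constructed keystroke timeline. Timings and key bindings are assumptions;
// nothing here drives a real dialog.

const ACCEPT_KEYS = new Set(["y", "Enter", " "]); // assumed keys that confirm a prompt
const DENY_KEYS = new Set(["n", "Escape"]);      // assumed keys that dismiss it

class SecurityPrompt {
  // delayMs: time after the prompt appears during which input is discarded.
  // 0 models the legacy behaviour the message describes (first key wins).
  constructor(delayMs) {
    this.delayMs = delayMs;
    this.shownAt = null;   // ms timestamp when the prompt opened
    this.decision = null;  // "permit" | "deny" | null while still open
    this.ignored = [];     // keystrokes dropped by the delay, kept for auditing
  }

  show(nowMs) {
    this.shownAt = nowMs;
  }

  // Returns what the prompt did with `key` arriving at time nowMs.
  keyPress(key, nowMs) {
    if (this.shownAt === null || nowMs < this.shownAt) return "not-open";
    if (this.decision !== null) return "closed";
    if (nowMs - this.shownAt < this.delayMs) {
      this.ignored.push({ key, nowMs });
      return "ignored";
    }
    if (ACCEPT_KEYS.has(key)) { this.decision = "permit"; return "permit"; }
    if (DENY_KEYS.has(key)) { this.decision = "deny"; return "deny"; }
    return "no-op";
  }
}

// Constructed timeline: the page has asked the user to type "say yes"; the
// keystrokes land 80 ms apart starting at t=0, and the prompt is raised at
// t=150, just before the first 'y' arrives.
const TYPED_KEYS = [
  ["s", 0], ["a", 80], ["y", 160], [" ", 240], ["y", 320], ["e", 400], ["s", 480],
];
const PROMPT_SHOWN_AT = 150;

// Replays the timeline against a prompt with the given delay and reports the
// outcome, including which keystroke (if any) decided the prompt.
function simulate(delayMs) {
  const prompt = new SecurityPrompt(delayMs);
  prompt.show(PROMPT_SHOWN_AT);
  let decidedBy = null;
  for (const [key, t] of TYPED_KEYS) {
    const result = prompt.keyPress(key, t);
    if ((result === "permit" || result === "deny") && decidedBy === null) {
      decidedBy = { key, t };
    }
  }
  return { decision: prompt.decision, decidedBy, ignoredCount: prompt.ignored.length };
}

// The delay must not block a deliberate answer: once the typing burst has
// passed and the delay has elapsed, an explicit key still decides the prompt.
function deliberateAnswerAfterDelay(delayMs, key, atMs) {
  const prompt = new SecurityPrompt(delayMs);
  prompt.show(PROMPT_SHOWN_AT);
  for (const [k, t] of TYPED_KEYS) prompt.keyPress(k, t);
  prompt.keyPress(key, atMs);
  return prompt.decision;
}

console.log("legacy prompt:", simulate(0));
console.log("prompt with 1000 ms delay:", simulate(1000));
console.log("deliberate 'n' at t=1500:", deliberateAnswerAfterDelay(1000, "n", 1500));
```

With a zero delay the prompt is decided by the 'y' at t=160, which the user typed for the lure, not for the prompt. With a settle delay the five keystrokes that land while the prompt is fresh are discarded and logged, the prompt stays open, and a key pressed after the delay is still honoured, so the mitigation costs a deliberate user nothing. A real implementation would also avoid giving the permit button default focus, so that Enter or Space cannot decide the prompt by accident.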
Title: Internet Explorer ActiveX Installation Vulnerability