From: Noller, Jesse [Jesse.Noller@STAPLES.COM]
Sent: Tuesday, June 08, 1999 8:42 AM
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: IE 5.0 and HTAs Security hole

Good day:

I recently set up an NT box, with just the basic setup, no other modifications, other than SP5, and an installation of Internet Explorer 5.0. I was pondering writing some HTAs (HTML Applications) for my web-design business when I thought about the relationship between IE 5.0 and HTAs. After some testing with different types of code and operating systems, a certain realization occurred to me.

One of the main advantages of HTAs over regular Web pages is that they are fully trusted. As such, HTAs are allowed actions that Internet Explorer would never approve of for Web pages. The bottom line is that HTAs do not bother the user with questions and interruptions. They are *fully* trusted. There are several implications for being a trusted application. HTAs have read/write access to the system registry on the client machine. HTAs run embedded ActiveX controls and Java applets without any warning. Zone security is off for HTAs, so all operations subject to security zone options are nevertheless permitted for HTAs.

So, I program a VB program set to nuke certain system files (Virus Scan system files, INIs, even registry keys), attaching it to an InstallShield wizard. So, instead of allowing the typical user to download and run the program, where, possibly, my hostile code and program might otherwise be discovered, I simply say, "Please run this application from the current location". Although advanced users would know better, this is becoming the norm, so many users might not. I have now opened the door, inserted my code, and destroyed your data.

Now, when running something like this under administrator privileges in NT, not only does it open the registry, but the entire system. Simple trojans like NetBus can then be installed without end-user knowledge. It can also allow for theft of encrypted data and password files. Although precautions for this can be taken, as I stated earlier, many users might not know. I know on our local intranet, we run HTAs frequently for software updates. Microsoft has end-users execute them also.

This security hole affects all versions of Win 9x/NT. My main testing simply consisted of me downloading multiple types of virus scanning utilities, installing them, then building the InstallShield, and attaching NetBus and a hostile VB program to wipe out virus scan system files, reboot the machine, and continue the install. I then programmed the HTA, and executed it on more than one Win box. NetBus was successfully installed, giving me system access. I, however, had been logged in as Admin. Many people might not do this on console regularly, but many do.

I do believe, however, this bug is reliant on having IE 5.0 INSTALLED ON THE MACHINE. I have not yet had a chance to test it with anything lower.

Please let me know what you think.

-Jesse Noller
Consultant - New Boston Systems
jesse.noller@staples.com

Bill Gates on marking territory: "I don't know if he's referring to pissing on JFC or pissing on JDK 1.2. Nor do I know is what he specifically means by 'pissing on'.... I think it's a term of multiple meanings." Bill Gates, in videotaped testimony, responding to questions about an email message from Microsoft's Ben Slivka that discussed Microsoft's strategy toward Java Foundation Classes included in the Java Development Kit 1.2.
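The post lists the capabilities an HTA gets without any zone prompt (registry read/write, ActiveX instantiation, launching programs). An administrator who, like the poster, distributes HTAs over an intranet for software updates may want a quick static review of what a given .hta file is about to do before trusting it. The scanner below is an added example, not code from the original post; the sample HTA, its registry key and its rule set are constructed for illustration.

```python
import re
from typing import List, NamedTuple

# Constructed sample HTA (not from the original post). The registry key and
# application name are placeholders; it only needs to carry the markers we flag.
SAMPLE_HTA = """<html>
<head>
<hta:application id="updater" applicationname="Updater" />
<script language="VBScript">
Set sh = CreateObject("WScript.Shell")
sh.RegWrite "HKCU\\Software\\ExampleVendor\\Updater\\Installed", 1, "REG_DWORD"
sh.Run "setup.exe"
</script>
</head>
<body>Installing...</body>
</html>
"""

class Finding(NamedTuple):
    line: int   # 1-based line number in the scanned file
    rule: str   # name of the rule that matched
    text: str   # the offending line, stripped

# Each rule names one capability the post says an HTA exercises silently.
# Patterns are deliberately simple: this is a triage aid for a human reviewer,
# not a sandbox, and scripts can be obfuscated past any regex.
RULES = {
    "hta-manifest": re.compile(r"<hta:application\b", re.I),
    "activex-instantiation": re.compile(r"\b(CreateObject|new\s+ActiveXObject)\s*\(", re.I),
    "registry-write": re.compile(r"\.Reg(Write|Delete)\b", re.I),
    "process-launch": re.compile(r"\.(Run|Exec)\b", re.I),
}

def scan_hta(text: str) -> List[Finding]:
    """Return one Finding per (line, rule) match, in file order."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            if pattern.search(line):
                findings.append(Finding(lineno, rule, line.strip()))
    return findings

def has_hta_manifest(text: str) -> bool:
    """True if the file declares itself an HTML Application."""
    return any(f.rule == "hta-manifest" for f in scan_hta(text))

if __name__ == "__main__":
    for f in scan_hta(SAMPLE_HTA):
        print(f"line {f.line:>2} [{f.rule}] {f.text}")
```

Run against a real update HTA, every hit is something the user will never be asked about, so each one should be justified by the update's documented purpose.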