From: Mnemonix [mnemonix@GLOBALNET.CO.UK]
Sent: Sunday, September 05, 1999 9:32 PM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: COM, Internet Explorer, NT4 and Windows 2000

COM (the Component Object Model) allows client applications to communicate
with server applications, regardless of the server's location - whether the
server is in the client's process address space or on a remote computer
across the other side of the planet. A good example of a COM's use is
ActiveX. COM provides the basis of the underlying technology of ActiveX.
When the author of a web page wants to embed an ActiveX control in their
page they reference it by its CLASSID and create an instance of an object
for it. The then use the new object's ID to use its functionality. ActiveX
controls, and indeed all other COM based apps are registered in the Registry
under HKCC\****.

Now, instead of creating an object out of a registered ActiveX control, it
is possible to do the following:

<SCRIPT LANGUAGE=VBScript>
Set WWObj = CreateObject("Word.Document")
WWObj.SaveAs("c:\Mnemonix.doc")
</SCRIPT>

This HTML code creates a WWObj object using the registered Word.Document and
conseqently Internet Explorer requests of  the (COM) Service Control Manager
(RPCSS.EXE on NT4 and svchost.exe on Windows 2000) to start whatever app is
registered with Word.Document which it does. Before WWObj.SaveAs() is run
however Internet Explorer pops up a message about untrusted ActiveX controls
and how you should run them. Fine - well not really because winword.exe is
already running - open up the Task Manager to see it.

From here you have two choices. Clicking on "Yes" runs the rest of the code
and a file called "mnemonix.doc" is created on the root of the C: drive. A
definite please-don't-do-that-again - (Rhetoric: Would it take too much to
write to the file and save it as normal.dot - no macro warnings? hmmm.) On
the other hand clicking on "No" terminates the app. What if we don't create
a Word.Document object though?

On Windows 2000 (Beta 3), and boy what a mess with COM there, there's a
telnet server - but it's not started by default. No problem - send the user
and HTML mail with

<SCRIPT LANGUAGE=VBScript>
CreateObject("TlntSvr.EnumTelnetClientsSvr")
</SCRIPT>

In Outlook Express 5 even just highlighting the subject line will start the
telnet service - even if a plain old user is logged on. Sure, the security
message will popup but clicking on "No" doesn't terminate the service. (Nice
back door? Incidently as far as I can tell, though I've not researched it
enough yet - the telnet service uses the default DCOM security settings -
anyone with a local account can remotely start the service)

So what's the vulnerability or (ies) here? Well we can create an instance of
an app on someone's machine (mspaint.exe, winword.exe, wordpad.exe, blah,
blah - just look through the HKCR portion of the registry and you'll get the
picture) or in some cases as many instances as we want. Excel for example -
using a web page or e-mail that uses frames it's possible to create an
instance of Excel for each frame - only 32 megs of RAM? - sheesh - get an
upgrade ;-)

Oh and we can start services too.

I'm still playing around with this COM stuff - looks like it's going to be a
lot of fun ;-)
Cheers,
David Litchfield
http://www.arca.com
http://www.infowar.co.uk/mnemonix