Return-Path: owner-bugtraq@SECURITYFOCUS.COM X-Mailer: Mozilla 4.72 [en] (Win95; I) X-Accept-Language: en MIME-Version: 1.0 Content-Type: text/plain; charset=koi8-r Content-Transfer-Encoding: 7bit Message-ID: <38BD37F6.C9B3F8B@nat.bg> Date: Wed, 1 Mar 2000 17:32:06 +0200 Reply-To: Georgi Guninski Sender: Bugtraq List From: Georgi Guninski Subject: IE 5.x allows executing arbitrary programs using .chm files X-To: Bugtraq To: BUGTRAQ@SECURITYFOCUS.COM Georgi Guninski security advisory #8, 2000 IE 5.x allows executing arbitrary programs using .chm files Disclaimer: The opinions expressed in this advisory and program are my own and not of any company. The usual standard disclaimer applies, especially the fact that Georgi Guninski is not liable for any damages caused by direct or indirect use of the information or functionality provided by this program. Georgi Guninski, bears NO responsibility for content or misuse of this program or any derivatives thereof. Description: There is a vulnerability in IE 5.x for Win95/WinNT (probably others) which allows executing arbitrary programs using .chm files. Microsoft Networking must be installed. Details: The problem is the window.showHelp() method which opens .chm files. IE disallows opening .chm files with the http protocol, but allows opening if the .chm file resides on MS networking server or a local drive. In this case the .chm file is opened even if it is on a remote host. In turn .chm files may execute arbitrary programs using the "shortcut" command. Demonstration which starts Wordpad: http://www.nat.bg/~joro/chm3.html Workaround: Disable Active Scripting. Copyright Georgi Guninski Regards, Georgi Guninski http://www.nat.bg/~joro