From: Posick, Steve [steve.posick@ESPN.COM]
Sent: Wednesday, August 18, 1999 12:22 PM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Re: Internet Explorer 5.0 HTML Applications

In response to Bryan's article about the possible dangers of HTML applications, a colleague (Jesse Raccio) and I worked up a demonstration for our security personnel to demonstrate the possible threat.

The HTA we developed displays a pop-up frame that contains some trivial text and a VBScript that will download an executable from a specified web site and place it into the Win98 startup group, as well as upload any .PWL files that exist in the Windows root directory.

Here's how it works.

This application works by using the IE 5 and FileSystemObject ActiveX controls and some very simple scripting. The first thing the HTA does is use IE to view an exe file (renamed to a .txt extension) on the remote web server. This places the exe into IE's cache for later retrieval. We had to do this because Micro$oft has apparently gone through (not so) great lengths to prevent the writing of binary files through HTAs.

We then use the FileSystemObject to move and rename our cached exe to a more suitable location (in this case the startup directory). This same technique can be used to trojan any file the current user has access to.

We have no reason not to believe that this will also work on NT. (We have a demo; we just can't test it at the moment.)

Solution

Disable File Downloads or disassociate .HTA files from MSHTA.exe. Disabling scripting does not stop this; we believe it is due to the fact that the HTA is already on the local system at the time of execution, thus making it trusted.
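The two mitigations the post recommends (disable file downloads, or break the .HTA to MSHTA.EXE association) are both registry settings, and they are still the relevant ones on current Windows because mshta.exe still runs a local .hta as a fully trusted application with no Internet-zone sandbox. The following is an added example, not code from the original post or its authors: a PowerShell audit that follows the .hta association the way the shell does and checks the IE Internet-zone "File download" action, applying both fixes when run with -Fix. It assumes PowerShell 5.1 or later, an elevated prompt for -Fix, the standard association keys (HKCR\.hta, HKCR\<ProgId>\shell\open\command) and the standard IE zone key (Zones\3, URL action 1803 where 0 = enable, 1 = prompt, 3 = disable).

```powershell
# Added example (not part of the original Bugtraq post). Audits, and with
# -Fix applies, the two mitigations the post recommends:
#   1. .hta files must not open via mshta.exe
#   2. "File download" must be disabled in the IE Internet zone
# Assumptions: PowerShell 5.1+; elevated prompt for -Fix; standard registry
# locations for file associations and IE zone policy (see lead-in).
[CmdletBinding()]
param([switch]$Fix)

$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

function Get-HtaHandler {
    # Resolve .hta -> ProgId -> shell\open\command, as Explorer does on double-click.
    $ext = Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\.hta' -ErrorAction SilentlyContinue
    if (-not $ext) { return $null }   # no association at all: already disassociated
    $progId = $ext.'(default)'
    $cmdKey = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
    $cmd = Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue
    if (-not $cmd) { return $null }
    [PSCustomObject]@{ ProgId = $progId; CommandKey = $cmdKey; Command = $cmd.'(default)' }
}

function Test-HtaRunsViaMshta {
    $h = Get-HtaHandler
    return ($null -ne $h) -and ($h.Command -match 'mshta\.exe')
}

function Test-FileDownloadEnabled {
    # URL action 0x1803 = "File download": 0 = enable, 1 = prompt, 3 = disable.
    # A missing value means the zone default (enabled) applies.
    $v = Get-ItemProperty -Path $zoneKey -Name '1803' -ErrorAction SilentlyContinue
    return ($null -eq $v) -or ($v.'1803' -ne 3)
}

$handler = Get-HtaHandler
if ($handler) { Write-Host ".hta is handled by [$($handler.ProgId)]: $($handler.Command)" }
else          { Write-Host ".hta has no shell handler (already disassociated)" }

if (Test-HtaRunsViaMshta) {
    Write-Warning 'A local .hta would run as a fully trusted application via mshta.exe.'
    if ($Fix) {
        # Re-point the open verb at notepad: double-clicking an HTA then shows
        # its source instead of executing it.
        $notepad = "`"$env:windir\system32\notepad.exe`" `"%1`""
        Set-ItemProperty -Path $handler.CommandKey -Name '(default)' -Value $notepad
        Write-Host "Re-pointed $($handler.CommandKey) to notepad.exe"
    }
}

if (Test-FileDownloadEnabled) {
    Write-Warning 'File download is enabled in the Internet zone, so an .hta can reach the disk.'
    if ($Fix) {
        Set-ItemProperty -Path $zoneKey -Name '1803' -Value 3 -Type DWord
        Write-Host 'Disabled file download in the Internet zone (1803 = 3)'
    }
}
```

Two caveats when applying this. Re-pointing the open verb only changes what a double-click does; anything that launches `mshta.exe file.hta` explicitly still runs the application, so a hardened build should also block mshta.exe itself (for example with an application-control policy). And the zone value is per user under HKCU, so the check above has to be run for each account, or the setting pushed through policy, to cover every profile on the machine.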