IE 5 Allows Arbitrary Code Execution

 
Reported March 3, 2000 by Georgi Guninski

VERSIONS AFFECTED
Internet Explorer 5.x

DESCRIPTION

There is a vulnerability in IE 5.x for Win95 and WinNT (possibly other platforms) that allows the execution of arbitrary programs using files with the .chm extension. Microsoft Networking must be installed for this exploit to work.

The problem lies in the window.showHelp() method, which opens .chm files. IE disallows opening remote .chm files via the HTTP protocol; however, a .chm file may still be opened if it resides on a network server or a local drive.

In this case the .chm file is opened even if it is on a remote host. In turn, .chm files may execute arbitrary programs using the "shortcut" command.
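
As an added example (not part of the original advisory or of Guninski's demonstration), the following JavaScript shows how a content filter or page audit could flag showHelp() calls that point at .chm files on a network share or local drive, the two cases the description says IE still opens. The function names, the classification labels and the example.test host names are assumptions made for illustration.

```javascript
// Added example: flag window.showHelp() calls whose literal target is a .chm
// file reached outside HTTP. Only string-literal arguments are inspected.
const SHOWHELP_CALL = /\bshowHelp\s*\(\s*(["'])((?:\\.|(?!\1).)*)\1/g;

// Simplified JS string unescaping: handles \\ and \" but not \xNN or \uNNNN.
function unescapeJs(literal) {
  return literal.replace(/\\(.)/g, "$1");
}

function classifyTarget(target) {
  const t = target.trim();
  if (!/\.chm(?:$|[:?#])/i.test(t)) return "not-chm";
  if (/^https?:/i.test(t)) return "http";              // IE refuses these, per the advisory
  if (/^\\\\[^\\\/]/.test(t)) return "remote-share";   // UNC path: \\host\share\file.chm
  if (/^file:\/{4,}/i.test(t)) return "remote-share";  // file:////host/share form
  const fileUrl = /^file:\/\/([^\\\/]*)[\\\/]/i.exec(t);
  if (fileUrl) return fileUrl[1] ? "remote-share" : "local-drive";
  if (/^[a-z]:[\\\/]/i.test(t)) return "local-drive";  // C:\path\file.chm
  return "other";                                      // relative: resolve against the page URL
}

function findShowHelpTargets(source) {
  const findings = [];
  for (const m of source.matchAll(SHOWHELP_CALL)) {
    const target = unescapeJs(m[2]);
    const kind = classifyTarget(target);
    const flagged = kind === "remote-share" || kind === "local-drive";
    findings.push({ target, kind, flagged });
  }
  return findings;
}

// Constructed page source for the example; hosts and paths are placeholders.
const SAMPLE_PAGE = String.raw`
<script>
  window.showHelp("http://docs.example.test/manual.chm");
  window.showHelp("\\\\fileserver.example.test\\share\\manual.chm");
  showHelp('file://fileserver.example.test/share/manual.chm');
  window.showHelp("C:\\WINNT\\Help\\manual.chm");
  window.showHelp("help/index.htm");
</script>`;

console.log(findShowHelpTargets(SAMPLE_PAGE));
```

Targets built at run time (string concatenation, variables) are not seen by this literal-only scan, so a filter based on it should treat any showHelp() call without a literal argument as needing review.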

DEMONSTRATION

Georgi has posted a demonstration page on his Web site, which starts Wordpad.

VENDOR RESPONSE

Microsoft is aware of this issue; however, no response was known at the time of this writing.

CREDITS
Discovered by Georgi Guninski
