Proactive IT Security
 

Internet Explorer (6/7/8) Remote Code Execution - Remote User Add Exploit

Objective

A malicious web site can be crafted with exploit code that compromises IE (Internet Explorer) and allows code to be executed on your computer.

The more severe vulnerabilities could allow remote code execution if a user views a specially crafted web page using IE. User accounts with limited privileges on the system could be less impacted than administrative user accounts with full user rights.

Affected platforms: Microsoft Internet Explorer (versions 6, 7 and 8)

 

How does this exploit work?

At the attacker’s end

The original exploit code is available as a PERL script, which can be used to create an exploitable HTML web page that has the information about the current user accounts available in the victim’s computer. It can also create a new user with administrator privileges.

Fig 1.1 Creating HTML webpage using PERL script

Using the exploit script, we can create an exploitable HTML web page from the information listed below, as shown in Fig 1.1:

  • Port number (any)
  • Remote user account name
  • Remote user account password
  • Test IP (attacker’s IP)

After executing the PERL script, it will create the HTML file in the folder public_html inside the PERL script source directory.

At the victim’s end

The link generated by the exploit code is accessed from the victim’s end, as illustrated below in Fig 1.2:

Fig 1.2 Accessing the HTML link generated from exploit code

Before the crafted web page that contains the exploit is accessed, the command “net user” shows the list of user accounts available on the victim’s machine, as shown in Fig 1.3 below:

Fig 1.3 User account information before exploitation

After the victim’s machine accesses the crafted exploit web link, a new user account named “test” is created; this name was defined when the exploit HTML was created, as can be seen in Fig 1.4.

Fig 1.4 User account information after exploitation
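
The before/after “net user” comparison shown in Fig 1.3 and Fig 1.4 can be automated as a defensive check. The following is an added example, not part of the original post or of the exploit code: it parses two “net user” listings and reports accounts that appeared in between. It assumes English-locale output with names padded to 25-character columns; the host name and account names are constructed sample data.

```python
import re

COLUMN_WIDTH = 25  # assumption: `net user` pads each name to a 25-character column
FOOTER = "The command completed"  # assumption: English-locale output

def _sample(host, names):
    """Build constructed `net user`-style output (three names per row)."""
    rows = ["".join(n.ljust(COLUMN_WIDTH) for n in names[i:i + 3]).rstrip()
            for i in range(0, len(names), 3)]
    return "\n".join(["", "User accounts for \\\\" + host, "", "-" * 79,
                      *rows, FOOTER + " successfully.", ""])

# Constructed sample data, not captured from the page's figures.
BASE = ["Administrator", "Guest", "HelpAssistant", "John Smith", "SUPPORT_388945a0"]
BEFORE = _sample("VICTIM-PC", BASE)
AFTER = _sample("VICTIM-PC", BASE + ["test"])

def parse_net_user(output):
    """Return the set of account names listed in `net user` output."""
    accounts, in_table = set(), False
    for line in output.splitlines():
        if re.fullmatch(r"-{10,}", line.strip()):
            in_table = True          # names start after the dashed rule
            continue
        if not in_table or not line.strip():
            continue
        if line.startswith(FOOTER):
            break
        # Slice by fixed width so names containing spaces stay intact.
        for i in range(0, len(line), COLUMN_WIDTH):
            name = line[i:i + COLUMN_WIDTH].strip()
            if name:
                accounts.add(name)
    return accounts

def new_accounts(before, after):
    """Accounts present in `after` but not in `before` (case-insensitive)."""
    known = {n.lower() for n in parse_net_user(before)}
    return sorted(n for n in parse_net_user(after) if n.lower() not in known)

if __name__ == "__main__":
    for name in new_accounts(BEFORE, AFTER):
        print("ALERT: unexpected local account:", name)
```

In practice the baseline listing would be saved from a known-good state of the machine and compared against a fresh listing on a schedule.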

Outcome of this attack

With administrative access to the victim’s computer, the attacker can download and execute arbitrary code, thus making the victim’s computer more vulnerable to further malware attacks.

The attacker may also use the victim’s computer as a Malware Distribution System since he has a separate administrator account.

Conclusion

Currently no patches have been released by Microsoft for this exploit. In the meantime, using another browser such as Firefox would be a preventive measure.

Reference:

http://www.exploit-db.com/exploits/11457

http://www.moosoft.com/blog/2010/01/15/internet-explorer-0-day-exploit-allows-remote-code-execution/
 

 
