Message-ID: <001e01c32abf$38d5ed50$0c351c41@basement>
Date: Wed, 4 Jun 2003 12:32:05 -0500
From: "Matthew Murphy" <mattmurphy@...rr.com>
To: "BugTraq" <bugtraq@...urityfocus.com>,
   "Full Disclosure" <full-disclosure@...ts.netsys.com>,
   "VulnWatch" <vulnwatch@...nwatch.org>,
   "SecurITeam News" <news@...uriteam.com>
Subject: (Another) Microsoft Internet Explorer FTP Security Hole


Microsoft Internet Explorer FTP Classic View Cross-Domain Scripting

I. Synopsis

Affected Software:
 * Microsoft Internet Explorer 5.01
 * Microsoft Internet Explorer 5.5
 * Microsoft Internet Explorer 6.0

* Prior versions may be vulnerable; they are unsupported and were not
tested.

Risk: Moderate
Impact: Execute code of attacker's choice in security zones of arbitrary
sites
Vendor: Microsoft Corporation (http://www.microsoft.com/ie)
Author: Matthew Murphy (mattmurphy@...rr.com)
Status: Reported in January 2003; no response for nearly four months

II. Product Description

Microsoft's Internet Explorer remains the most popular browser on the
Windows platform.  IE for Windows supports several protocols with native
functionality (FTP, HTTP, Gopher, WebDAV), and several others with
extensions and plug-ins for other applications.  The browser also supports
security features like SSL/TLS, Java permissions, and code signing.

III. Vulnerability Details

Internet Explorer's FTP implementation offers two "view" settings.  The
default, "folder view" is a Windows Explorer-like view that represents an
FTP directory as a Windows folder.  This is similar to the browser's support
for WebDAV (Web Folders).  The second option, "classic view", offers a style
similar to what is seen on competing browsers -- FTP directories are
represented by a simple list of links, with a heading describing the
directory being viewed.

A security vulnerability is present in the "classic" view of Internet
Explorer's FTP implementation.  This now means that both views are unsafe
for most users, as the previous folder view vulnerability (reported by Eiji
Yoshida), remains only partially patched as of this advisory.  The "classic"
view generates a heading tag to describe the content being viewed.  For
instance, if the user is browsing 'ftp://localhost/', they will see:

<H1>FTP root at localhost</H1>

as part of the returned HTML listing.  Unfortunately, this piece of code is
not generated securely.  For the purposes of our testing, we'll use
"example.com".  Now, there are FTP and HTTP servers at example.com, and
users can use either of "ftp.example.com" or "www.example.com" (or simply
"example.com") to access the same system.  This is sometimes implemented
(particularly with dynamic DNS providers) as a wildcard "A" record that
resolves "*.example.com" to "example.com", which then resolves to the host
in question.  Using a combination of this functionality and the ability to
decode URL sequences in Internet Explorer's hostname functionality, we
exploit this as follows:

ftp://%3cimg%20src%3d%22%22%20onerror%3d%22alert%28document%2eURL%29%22%3e.example.com/

And the following heading is created:

<H1>FTP root at <img src="" onerror="alert(document.URL)"></H1>

And the onerror event always fires as the current URL references a directory
listing.  By placing more complex code in the hostname, it may be possible
to inject code across domain boundaries (if the attacked site is "Trusted"
by the user).  This is the only feasible compromise scenario.
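The heading-construction flaw described above, modelled as an added example in JavaScript. This is not Internet Explorer's code and is not part of the advisory; the function names (extractRawHost, buildHeadingUnsafe, isValidHostname, escapeHtml, buildHeadingSafe) are assumed for illustration. The unsafe builder decodes percent-escapes in the host and concatenates the result into the <H1> with no escaping, as the advisory describes, so the advisory's own URL yields an <img> tag in the heading (the full decoded host, including ".example.com", is kept here). The hardened builder applies the two checks that close the hole: it rejects any decoded host that does not match the DNS hostname grammar, and it HTML-escapes whatever it does accept before insertion.

```javascript
// Added example, not code from the advisory or from Internet Explorer: a model
// of how a "classic view" FTP listing builds its <H1> heading from the URL host,
// and the checks that stop decoded host text from becoming markup.

// Pull the authority out of an ftp:// URL with a plain regex rather than a URL
// library, so the vulnerable behaviour can be modelled: percent-escapes in the
// host are decoded and the result is dropped straight into HTML.
function extractRawHost(ftpUrl) {
  const m = /^ftp:\/\/([^/?#]+)/i.exec(ftpUrl);
  if (!m) throw new Error("not an ftp:// URL");
  // Strip userinfo (user:pass@) and any :port so only the host remains.
  return m[1].replace(/^.*@/, "").replace(/:\d+$/, "");
}

// Vulnerable pattern (models the behaviour the advisory describes): decode the
// host and concatenate it into the heading with no validation or escaping.
function buildHeadingUnsafe(ftpUrl) {
  const host = decodeURIComponent(extractRawHost(ftpUrl));
  return "<H1>FTP root at " + host + "</H1>";
}

// Defence 1: a DNS hostname (RFC 952 / RFC 1123) contains only letters, digits,
// hyphens and dots, with labels of 1-63 characters that do not start or end with
// a hyphen. Markup characters such as < > " and space can never be part of one.
const HOSTNAME_RE =
  /^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*\.?$/;

function isValidHostname(host) {
  return HOSTNAME_RE.test(host);
}

// Defence 2: escape the five HTML metacharacters, so that even a value that
// somehow passed validation cannot be interpreted as a tag or attribute.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened builder: validate first, then escape. Returns null for a host that
// fails validation; a real listing would show an error page instead.
function buildHeadingSafe(ftpUrl) {
  const host = decodeURIComponent(extractRawHost(ftpUrl));
  if (!isValidHostname(host)) return null;
  return "<H1>FTP root at " + escapeHtml(host) + "</H1>";
}

// The advisory's own example URL (unwrapped onto one line).
const ADVISORY_URL =
  "ftp://%3cimg%20src%3d%22%22%20onerror%3d%22alert%28document%2eURL%29%22%3e.example.com/";

if (typeof require !== "undefined" && require.main === module) {
  console.log(buildHeadingUnsafe(ADVISORY_URL)); // heading now contains an <img ...> tag
  console.log(buildHeadingSafe(ADVISORY_URL));   // null: decoded host fails the hostname grammar
  console.log(buildHeadingSafe("ftp://ftp.example.com/")); // <H1>FTP root at ftp.example.com</H1>
}
```

The validation step is the one that matters most: a legitimate hostname can never contain the characters the payload needs, so rejecting non-hostname input removes the attack surface before any rendering happens, and the escaping is defence in depth. For comparison, the WHATWG URL Standard used by current browsers and by Node's URL class treats <, >, " and space as forbidden host code points after percent-decoding, so new URL() throws on the advisory's input instead of producing a host at all.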

IV. Impact

The impact of this vulnerability is relatively minor, as most sites do not
allow wildcard lookups to be used, preventing the script code entered from
running.  However, exploitation requires only one trust relationship to be
broken.

V. Vendor Response / Workarounds

As of today the vendor response on this issue is: ABSOLUTELY NONE.
Therefore, I feel I am forced to suggest a simple workaround in the absence
of an acceptable vendor response on this issue.  To prevent exploitation of
FTP sites, enable the following settings:

In the "Tools" menu, the sub-item "Internet Options" will open a window with
several tabs.  Under the "Connections" tab are two settings boxes.

If you are a dial-up internet user, find your default connection, and click
"Settings".  Under the "Proxy Server" item, make sure that the box entitled
"Use a proxy server for this connection" is checked.  Click "Advanced".

If you are a user that connects via a LAN or other persistent connection,
click "LAN Settings".  Make sure that "Use a proxy server for your LAN" is
checked.  Click the "Advanced" button next to the checkbox.

Make sure that the "Use the same proxy server for all protocols" box is
unchecked.  In the text boxes around "FTP", enter "127.0.0.1", and "0".
Port 0 is not a valid connection endpoint, so all FTP communications will
now fail.  This effectively disables all FTP access, but can be reversed
temporarily to access known-good FTP links.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html