Open Source and information security mailing list archives
 
Date: Fri, 24 Oct 2003 21:02:41 +0200
From: Jort Slobbe <jortslobbe@...net.nl>
To: Mindwarper * <mindwarper@...uxmail.org>
Cc: bugtraq@...urityfocus.com
Subject: Re: Internet Explorer and Opera local zone restriction bypass


Mindwarper * wrote:

>Internet Explorer and Opera local zone restriction bypass.
>=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=
>
>----------------------
>Vendor Information:
>---------------------- 
>
>Homepage : http://www.microsoft.com
>Vendor : informed
>Mailed advisory: 23/10/03
>Vendor Response : None yet
>
>
>----------------------
>Affected Versions:
>----------------------
>
>All versions of IE 6
>Possibly 5.x too
>
>
>----------------------
>Description:
>----------------------
>
>Microsoft Internet Explorer does not allow local file access by a remote host by default.
>By creating an iframe which points to a specially crafted cgi script (using the location header 
>to confuse IE), it is possible to cause IE to execute any local file through the iframe with local 
>zone restrictions. This then allows remote arbitrary file execution on the victim without having
>the victim do a thing except load the page.
>Opera seems to not only be affected by this vulnerability, but it also allows direct
>local file access through iframes without any cgi scripts. Unlike IE where it is possible
>to set activex objects to execute arbitrary files, in Opera it is not. There may be a way,
>but I am currently not aware of any.
>
>
>----------------------
>Exploit:
>----------------------
>
>I have created a proof of concept page, but I did not show or explain how the cgi scripts
>nor the flash file work exactly to prevent kiddie abuse.
>
>For IE: http://www.mlsecurity.com/ie/ie.htm
>
>For Opera: <iframe name="abc" src="file:///C:/"></iframe>
>
>----------------------
>Solution:
>---------------------- 
>
>Check Microsoft's website frequently until a new patch comes out.
>
>----------------------
>Contact:
>----------------------
>
>- Mindwarper
>- mindwarper@...uxmail.org
>- http://mlsecurity.com
>
>  
>
It doesn't work here. I have win2k sp4 with IE6 sp1. I didn't see the 
weird stuff in the iframe. I have clicked refresh 10 times and the 
iframe is as blank as possible ;). When I clicked on the go go go button 
nothing was created. Maybe I'm not vulnerable?

Regards
Jort



