lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 7 Dec 2004 12:19:35 +0000 (GMT)
From: ViPeR <viper31337@...oo.co.in>
To: bugtraq@...urityfocus.com
Subject: IE6 Vulnerability - Local File Detection


Affected Software : Microsoft Internet Explorer
Vulnerability : Local File Detection

Tested On : MS IE 6.0 SP1, Win2K SP4, [up-to-date]
according to windowsupdate.com

Discovered by : Gregory R. Panakkal


Overview
========
This security vulnerability in Internet Explorer
allows remote attackers to discover what software is
installed on the remote computer, by testing for the
existence of certain files. 

The "sysimage://" protocol is used to display the
appropriate icon corresponding to a  file path when
viewed from MSIE. The default behaviour is such, that
if a existing file-path is given as input, it displays
the approritate icon [as described above], but if the
file-path supplied doesn't exists, it loads the icon
of a folder instead [ie, it gives out no error].

But as always, there is a way to bypass it.. and let
us differentiate between a valid path and an invalid
one, and thus using the onLoad and onError event
handlers, the 'local file detection' is a piece of
cake.

There isn't much of a documentation on the net
regarding the "sysimage://", atleast google didn't
show up anything useful :(



Proof Of Concept
================

<img src="sysimage://C:\WINNT\Notepad.exe,666"
onLoad="document.write('<b>Cannot Find File!</b>');"
onError="document.write('<b>File Exists!</b>');">


Demo
====

A demonstration is available at the following URL.

http://crapware.lx.ro/junkcode/security/ie-sp1-sysimage-local-file-existence.htm


Greetz to
=========
Liu Die Yu, Rakesh Balasunder


rgds,
Gregory R. Panakkal 
(aka JunkCode / Viper)

________________________________________________________________________
Yahoo! India Matrimony: Find your life partner online
Go to: http://yahoo.shaadi.com/india-matrimony


Powered by blists - more mailing lists