lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.61.0412081116530.12520@fingers.shocking.com>
Date: Wed, 8 Dec 2004 11:19:38 -0800 (PST)
From: RSnake <rsnake@...cking.com>
To: ViPeR <viper31337@...oo.co.in>
Cc: bugtraq@...urityfocus.com, webappsec@...urityfocus.com
Subject: Re: IE6 Vulnerability - Local File Detection



	This may be obvious, but using this proof of concept you can see
	how it can be used to do remote OS detection as well as
	vulnerability detection (seems bad).  You need IE with JS
	on to view the demo:

	http://www.shocking.com/~rsnake/detect.html

On Tue, 7 Dec 2004, ViPeR wrote:

| Date: Tue, 7 Dec 2004 12:19:35 +0000 (GMT)
| From: ViPeR <viper31337@...oo.co.in>
| To: bugtraq@...urityfocus.com
| Subject: IE6 Vulnerability - Local File Detection
| 
| Affected Software : Microsoft Internet Explorer
| Vulnerability : Local File Detection
| 
| Tested On : MS IE 6.0 SP1, Win2K SP4, [up-to-date]
| according to windowsupdate.com
| 
| Discovered by : Gregory R. Panakkal
| 
| 
| Overview
| ========
| This security vulnerability in Internet Explorer
| allows remote attackers to discover what software is
| installed on the remote computer, by testing for the
| existence of certain files. 
| 
| The "sysimage://" protocol is used to display the
| appropriate icon corresponding to a  file path when
| viewed from MSIE. The default behaviour is such, that
| if a existing file-path is given as input, it displays
| the approritate icon [as described above], but if the
| file-path supplied doesn't exists, it loads the icon
| of a folder instead [ie, it gives out no error].
| 
| But as always, there is a way to bypass it.. and let
| us differentiate between a valid path and an invalid
| one, and thus using the onLoad and onError event
| handlers, the 'local file detection' is a piece of
| cake.
| 
| There isn't much of a documentation on the net
| regarding the "sysimage://", atleast google didn't
| show up anything useful :(
| 
| 
| 
| Proof Of Concept
| ================
| 
| <img src="sysimage://C:\WINNT\Notepad.exe,666"
| onLoad="document.write('<b>Cannot Find File!</b>');"
| onError="document.write('<b>File Exists!</b>');">
| 
| 
| Demo
| ====
| 
| A demonstration is available at the following URL.
| 
| http://crapware.lx.ro/junkcode/security/ie-sp1-sysimage-local-file-existence.htm
| 
| 
| Greetz to
| =========
| Liu Die Yu, Rakesh Balasunder
| 
| 
| rgds,
| Gregory R. Panakkal 
| (aka JunkCode / Viper)
| 
| ________________________________________________________________________
| Yahoo! India Matrimony: Find your life partner online
| Go to: http://yahoo.shaadi.com/india-matrimony
| 

-R

The information in this email is confidential and may be legally
privileged.  It is intended solely for the addressee.  Access to
this email by anyone else is unauthorized.  If you are not the
intended recipient, any disclosure, copying, distribution or any
action taken or omitted to be taken in reliance on it is 
expressly prohibited and may be unlawful.


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ