Message-ID: <6905b1570702200157i6f13e8f1kc59bdd8f9b58d401@mail.gmail.com>
Date: Tue, 20 Feb 2007 09:57:30 +0000
From: "pdp (architect)" <pdp.gnucitizen@...glemail.com>
To: "Rajesh Sethumadhavan" <rajesh.sethumadhavan@...oo.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Microsoft Internet Explorer Local File Accesses Vulnerability
hi Rajesh,
Maybe it is too early in the morning in the UK and that's why I may be
acting stupid, but how come this is a vulnerability? For sure you can
open files from the file system by using various HTML elements, but can
you really read their content? I don't think so.
Firefox has done a good job in restricting access to local files if
they are called from remote locations such as http and https. This
rule, however, can be circumvented in a number of ways. IE does
perform some of these checks, although I have tested the POC you
provided and I cannot see it working. I am running XP SP2, no
lockdowns whatsoever.
I see how this trick can be used to identify the operating system
version but again, this is not a new thing. You can do similar stuff
with the res:// protocol. In fact you can use this protocol to
identify currently installed applications, which I believe is pretty
cool.
So, can you explain why this is a hole and how it can be used by attackers? :)
Thanks man,
All the best
On 2/19/07, Rajesh Sethumadhavan <rajesh.sethumadhavan@...oo.com> wrote:
>
>
> Microsoft Internet Explorer Local File Accesses Vulnerability
>
> #####################################################################
> XDisclose Advisory : XD100099
> Vulnerability Discovered : February 10th 07
> Advisory Released : February 20th 07
> Credit : Rajesh Sethumadhavan
>
> Class : Local File Accesses
> Severity : Critical
> Solution Status : Unpatched
> Vendor : Microsoft Corporation
> Affected applications : Microsoft Internet Explorer
> Affected version : Microsoft Internet Explorer 6 confirmed
> (other versions may also be affected)
> Affected Platform : Windows XP Professional SP0, SP1, SP2
> Windows Home Edition SP0, SP1, SP2
> Windows 2003
>
> #####################################################################
>
>
> Overview:
> Microsoft Internet Explorer is the default browser bundled with all
> versions of the Microsoft Windows operating system.
>
> Description:
> A vulnerability has been identified in Microsoft Internet Explorer
> (default installation) in Windows XP Service Pack 2 which could be
> exploited by malicious users to obtain victims' local files. This flaw
> is due to an error in the way Microsoft Internet Explorer handles
> different HTML tags, which could be exploited by a malicious remote
> user to obtain sensitive local files from the victim's computer.
> Vulnerability Insight:
> Microsoft Windows Explorer is not handling various HTML tags like "img"
> "script" "embed" "object" "param" "style" "bgsound" "body" "input"
> (other tags may also be vulnerable). By using the file protocol along
> with the above tags it is possible to access victims' local files.
>
> a) Embed Tag Local file Accesses:
> ---------------------------------------------------------------------
> <EMBED SRC="file:///C:/test.pdf" HEIGHT=600 WIDTH=1440></EMBED>
> ---------------------------------------------------------------------
>
> b) Object & Param Tag Local File Accesses:
> ---------------------------------------------------------------------
> <object type="audio/x-mid" data="file:///C:/test.mid" width="200"
> height="20">
> <param name="src" value="file:///C:/test.mid">
> <param name="autoStart" value="true">
> <param name="autoStart" value="0">
> </object>
> ---------------------------------------------------------------------
>
> c) Body Tag Local File Accesses:
> ---------------------------------------------------------------------
> <body background="file:///C:/test.gif" onload="alert('loading body bgrd success')"
> onerror="alert('loading body bgrd error')">
> ---------------------------------------------------------------------
>
> d) Style Tag Local File Accesses:
> ---------------------------------------------------------------------
> <STYLE type="text/css">BODY{background:url("file:///C:/test.gif")}
> </STYLE>
> ---------------------------------------------------------------------
>
> e) Bgsound Tag Local File Accesses:
> ---------------------------------------------------------------------
> <bgsound src="file:///C:/test.mid" id="soundeffect" loop=1 autostart="true"/>
> ---------------------------------------------------------------------
>
> f) Input Tag Local File Accesses:
> ---------------------------------------------------------------------
> <form>
> <input type="image" src="file:///C:/test.gif" onload="alert('loading input success')"
> onerror="alert('loading input error')">
> </form>
> ---------------------------------------------------------------------
>
> g) Image Tag Local File Accesses:
> ---------------------------------------------------------------------
> <img src="file:///C:/test.jpg" onload="alert('loading image success')"
> onerror="alert('loading image error')">
> ---------------------------------------------------------------------
>
> h) Script Tag Local File Accesses:
> ---------------------------------------------------------------------
> <script src="file:///C:/test.js"></script>
> ---------------------------------------------------------------------
>
>
> Exploitation method:
> - Create a web page or an HTML mail with the vulnerable code
> - When the victim opens the mail or visits the vulnerable site it is
> possible to access his local files.
>
> Demonstration:
> Note: the demonstration will try to access a few default images and wave
> files
>
> - Visit the POC
> - If a vulnerable Internet Explorer is used it will show your local
> sample images and give a proper alert.
>
> Solution:
> No solution
>
> Screenshot:
> http://www.xdisclose.com/images/xdiscloselocalie.jpg
>
> Proof Of Concept:
> http://www.xdisclose.com/poc/xdiscloselocalie.html
>
> Impact:
> A remote user can get access to a victim's local system files.
>
> Scope of impact is limited to system level.
>
> Original Advisory:
> http://www.xdisclose.com/XD100099.txt
>
> Credits:
> Rajesh Sethumadhavan has been credited with the discovery of this
> vulnerability
>
> Disclaimer:
> This entire document is strictly for educational, testing and
> demonstration purposes only. Modification, use and/or publishing of this
> information is entirely at your own risk. The exploit code is to be
> used in your testing environment only. I am not liable for any direct
> or indirect damages caused as a result of using the information or
> demonstrations provided in any part of this advisory.
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter:
> http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
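As an added example, not taken from either message: a small Python scanner that a mail gateway or web proxy could run to flag the pattern the advisory lists, HTML whose img/script/embed/object/param/bgsound/body/input attributes or CSS url() point at file:. Whether or not the browser exposes the file's content (pdp's point is that at most it reveals whether a file exists), a remote page or HTML mail referencing local paths is worth flagging; the sample document below is constructed to mirror the advisory's tags.

```python
import re
from html.parser import HTMLParser

# Attributes that can carry a URL on the tags the advisory lists.
URL_ATTRS = {"src", "data", "background", "value", "href"}
# url(...) in a <style> block or style="" attribute; captures the file: URL.
CSS_FILE_URL = re.compile(r"url\(\s*['\"]?\s*(file:[^'\")]+)", re.IGNORECASE)

class LocalRefScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []      # (tag, attribute, url) in document order
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style = True
        for name, value in attrs:
            if not value:
                continue
            if name in URL_ATTRS and value.strip().lower().startswith("file:"):
                self.findings.append((tag, name, value.strip()))
            elif name == "style":  # inline CSS, e.g. style="background:url(file:...)"
                for url in CSS_FILE_URL.findall(value):
                    self.findings.append((tag, "style", url.strip()))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:  # text of a <style> element arrives here, not as attrs
            for url in CSS_FILE_URL.findall(data):
                self.findings.append(("style", "css", url.strip()))

def find_local_refs(html):
    scanner = LocalRefScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample mirroring the advisory's tags; the remote image is benign.
SAMPLE = """<html><head><STYLE type="text/css">BODY{background:url("
 file:///C:/test.gif")}</STYLE></head>
<body background="file:///C:/test.gif" onload="alert('loaded')">
<EMBED SRC="file:///C:/test.pdf"></EMBED><bgsound src="file:///C:/test.mid">
<object type="audio/x-mid" data=" file:///C:/test.mid"><param name="src" value="file:///C:/test.mid"></object>
<img src="https://example.com/logo.png">
<img src="file:///C:/test.jpg" onerror="alert('missing')">
<script src="file:///C:/test.js"></script ></body></html>"""
```

Running `find_local_refs(SAMPLE)` yields eight findings, one per local reference, and nothing for the remote image; a gateway would reject or quarantine any non-empty result.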