Re: More reading of local files in MSIE

[the Pull <osioniusx () yahoo com>]

--- jelmer <jelmer () kuperus xs4all nl> wrote:
> More reading of local files in MSIE
>
> Description
>
>
> There is a security vulnerability in IE 5.5 and 6
> (probably other
> versions as well) which allows reading and sending
> of local files.
> The problem lies in the fact that you are able to
> access a local file's
> dom by calling the execScript function on a newly
> created window
> The sample exploit provided can only read browser
> readable files 

It might be noted here that this tends to be
"text/html", and probably the most single vulnerable
filetype that is of this kind is of ".log" format.
This means if you can read "c:\file.txt" you can also
read Apache, IIS, database, Mirc, and whatever other
type of .log files might be on someone's system except
for one's locked by a system process.

... however, from looking at the source code it
contains the same usage of document.write() which was
in the bug I just released.

Jelmer's:
"        extDoc =
document.open('file:///C:/jelmer.txt','jelmer','height=200,width=400,status=no,toolbar=no,menubar=no,location=no');"

mine:
var y = document.open( "c:/test.txt", "x",
"width=400,height=400,status = yes, location =
yes,resizable = yes, toolbar=yes" );

It doesn't matter if it is "cmd  =
'extDoc.execScript("alert(document.body.innerText)",
"Jscript");';" that is able to read the code or this:
setTimeout('alert(y.document.body.innerHTML);y.document.close();',1000);
-- they are just the same thing.

(ref: http://www.osioniusx.com document.write()) bug.

Basically, the problem is that when the
document.write() uses the window.open() method as
described on the msdn website for the method here:

http://msdn.microsoft.com/workshop/author/dhtml/reference/methods/open_1.asp

The actual exploit code doesn't really matter. I
understand the misunderstanding because it is just
simply such a common method.



> however
> it is highly likely that reading binary files is
> possible as well
> (By attaching an event to the dom that calls the
> httpxmlcomponent, witch
> itself at the point of writing is still vulnerable
> as well) 
> In order for this exploit to work the file name must
> be known. 
>
> Risk
>
> High
>
> Systems affected:
>
> The vulnerability has been successfully exploited on
> IE 6 / Windows XP with all patches installed
> IE 5.5 / Windows ME
>
>
> Most likely other operating system / internet
> explorer versions are
> vulnerable as well I have not tested it though
>
> Vendor status: 
>
> I send Microsoft a cc of my bugtraq post
>
> Example: 
>
> A working example is available at
> http://www.xs4all.nl/~jkuperus/bug2.htm
> Workaround:
>
> Disable active scripting
>
>
> -- Insert some random nasty remarks about Microsoft
> at the dotted line


__________________________________________________
Do You Yahoo!?
Send FREE video emails in Yahoo! Mail!
http://promo.yahoo.com/videomail/