Bugtraq mailing list archives
Re: Internet Explorer and Opera local zone restriction bypass
From: Andreas Sandblad <sandblad () acc umu se>
Date: Sun, 26 Oct 2003 10:09:52 +0100 (CET)
I can only reproduce it together with user-interaction, that is manually pressing refresh in Internet Explorer. I did some attempts to try to automaticly refresh the page using javascript but without any luck (denied access due to cross-site-policy). If this vulnerability depends both on manually pressing refresh and knowing the username of the person visiting the malicious page (exact path to known local file), then actual exploitation becomes much harder. Environment: Latest fully patched IE on Win 2000 pro. /Andreas Sandblad On Fri, 24 Oct 2003, Mindwarper * wrote:
Internet Explorer and Opera local zone restriction bypass. =--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--= ---------------------- Vendor Information: ---------------------- Homepage : http://www.microsoft.com Vendor : informed Mailed advisory: 23/10/03 Vender Response : None yet ---------------------- Affected Versions: ---------------------- All version of IE 6 Possibly 5.x too ---------------------- Description: ---------------------- Microsoft Internet Explorer does not allow local file access by a remote host by default. By creating an iframe which points on a specially crafted cgi script (using the location header to confuse IE), it is possible to cause IE to execute any local file through the iframe with local zone restrictions. This then allows remote arbitrary file execution on the victim without having the victim do a thing except load the page. Opera seems to not only be affected by this vulnerability, but it also allows direct local file access through iframes without any cgi scripts. Unlike IE where it is possible to set activex objects to execute arbitrary files, in Opera it is not. There may be a way, but I am currently not aware of any. ---------------------- Exploit: ---------------------- I have created a proof of concept page, but I did not show or explain how the cgi scripts nor the flash file work exactly to prevent kiddie abuse. For IE: http://www.mlsecurity.com/ie/ie.htm For Opera: <iframe name="abc" src="file:///C:/"></iframe> ---------------------- Solution: ---------------------- Check Microsoft's website frequently until a new patch comes out. ---------------------- Contact: ---------------------- - Mindwarper - mindwarper () linuxmail org - http://mlsecurity.com
--
_ _
o' \,=./ `o
(o o)
-ooO--(_)--Ooo-
Current thread:
- Internet Explorer and Opera local zone restriction bypass Mindwarper * (Oct 24)
- Re: Internet Explorer and Opera local zone restriction bypass Jort Slobbe (Oct 24)
- Re: Internet Explorer and Opera local zone restriction bypass jelmer (Oct 27)
- Re: Internet Explorer and Opera local zone restriction bypass Andreas Sandblad (Oct 27)
- Re: Internet Explorer and Opera local zone restriction bypass Andreas Sandblad (Oct 27)
- Re: Internet Explorer and Opera local zone restriction bypass jelmer (Oct 28)
- <Possible follow-ups>
- RE: Internet Explorer and Opera local zone restriction bypass Thor Larholm (Oct 27)
- RE: Internet Explorer and Opera local zone restriction bypass Mindwarper * (Oct 27)
- Re: Internet Explorer and Opera local zone restriction bypass Heikki Toivonen (Oct 27)
- Re: Internet Explorer and Opera local zone restriction bypass Mohsen Hariri (Oct 27)
- Re: Internet Explorer and Opera local zone restriction bypass Paul Szabo (Oct 27)
- RE: Internet Explorer and Opera local zone restriction bypass Thor Larholm (Oct 28)
- Re: Internet Explorer and Opera local zone restriction bypass Bipin Gautam hUNT3R (Oct 28)
- Re: Internet Explorer and Opera local zone restriction bypass william schulze (Oct 30)
(Thread continues...)
- Re: Internet Explorer and Opera local zone restriction bypass Jort Slobbe (Oct 24)