Full Disclosure mailing list archives
Re: Microsoft Internet Explorer Local File Accesses Vulnerability
From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Tue, 20 Feb 2007 15:29:10 +0300
Dear Rajesh Sethumadhavan,

As Michal Zalewski pointed out, there is no "critical" security impact, because you (as the attacker) can force the browser to open files (this is a common thing, you can do it in any browser), but you cannot access the content of these files. The only security impact in a few cases is checking the existence of image/sound files. It's possible to discover the system drive or whether some specific software is installed by the presence of the files. This impact is definitely not critical and it was discussed.

--Tuesday, February 20, 2007, 1:21:25 AM, you wrote to vuln () security nnov ru:

RS> *Microsoft Internet Explorer Local File Accesses Vulnerability*
RS> #####################################################################
RS> XDisclose Advisory : XD100099
RS> Vulnerability Discovered : February 10th 07
RS> Advisory Released : February 20th 07
RS> Credit : Rajesh Sethumadhavan
RS> Class : Local File Accesses
RS> Severity : Critical
RS> Solution Status : Unpatched
RS> Vendor : Microsoft Corporation
RS> Affected applications : Microsoft Internet Explorer
RS> Affected version : Microsoft Internet Explorer 6 confirmed
RS> (Other versions may also be affected)
RS> Affected Platform : Windows XP Professional SP0,SP1,SP2
RS> Windows Home Edition SP0,SP1,SP2
RS> Windows 2003
RS> #####################################################################
RS>
RS> *Overview:*
RS> Microsoft Internet Explorer is the default browser bundled with all
RS> versions of the Microsoft Windows operating system.
RS>
RS> *Description:*
RS> A vulnerability has been identified in Microsoft Internet Explorer
RS> (default installation) in Windows XP Service Pack 2 which could be
RS> exploited by malicious users to obtain the victim's local files. This flaw
RS> is due to an error in the way Microsoft Internet Explorer handles
RS> different HTML tags, which could be exploited by a malicious remote
RS> user to obtain sensitive local files from the victim's computer.
RS>
RS> *Vulnerability Insight :*
RS> Microsoft Internet Explorer is not handling various HTML tags like "img",
RS> "script", "embed", "object", "param", "style", "bgsound", "body", "input"
RS> (other tags may also be vulnerable). By using the file protocol along
RS> with the above tags it is possible to access the victim's local files.
RS>
RS> *a)* Embed Tag Local File Accesses:
RS> ---------------------------------------------------------------------
RS> <EMBED SRC="file:///C:/test.pdf" HEIGHT=600 WIDTH=1440></EMBED>
RS> ---------------------------------------------------------------------
RS>
RS> *b)* Object & Param Tag Local File Accesses:
RS> ---------------------------------------------------------------------
RS> <object type="audio/x-mid" data="file:///C:/test.mid" width="200" height="20">
RS> <param name="src" value="file:///C:/test.mid">
RS> <param name="autoStart" value="true">
RS> <param name="autoStart" value="0">
RS> </object>
RS> ---------------------------------------------------------------------
RS>
RS> *c)* Body Tag Local File Accesses:
RS> ---------------------------------------------------------------------
RS> <body background="file:///C:/test.gif" onload="alert('loading body bgrd success')" onerror="alert('loading body bgrd error')">
RS> ---------------------------------------------------------------------
RS>
RS> *d)* Style Tag Local File Accesses:
RS> ---------------------------------------------------------------------
RS> <STYLE type="text/css">BODY{background:url("file:///C:/test.gif")}</STYLE>
RS> ---------------------------------------------------------------------
RS>
RS> *e)* Bgsound Tag Local File Accesses:
RS> ---------------------------------------------------------------------
RS> <bgsound src="file:///C:/test.mid" id="soundeffect" loop=1 autostart="true"/>
RS> ---------------------------------------------------------------------
RS>
RS> *f)* Input Tag Local File Accesses:
RS> ---------------------------------------------------------------------
RS> <form>
RS> <input type="image" src="file:///C:/test.gif" onload="alert('loading input success')" onerror="alert('loading input error')">
RS> </form>
RS> ---------------------------------------------------------------------
RS>
RS> *g)* Image Tag Local File Accesses:
RS> ---------------------------------------------------------------------
RS> <img src="file:///C:/test.jpg" onload="alert('loading image success')" onerror="alert('loading image error')">
RS> ---------------------------------------------------------------------
RS>
RS> *h)* Script Tag Local File Accesses:
RS> ---------------------------------------------------------------------
RS> <script src="file:///C:/test.js"></script>
RS> ---------------------------------------------------------------------
RS>
RS> *Exploitation method:*
RS> - Create a web page or an HTML mail with the vulnerable code
RS> - When the victim opens the mail or visits the vulnerable site it is
RS> possible to access his local files.
RS>
RS> *Demonstration:*
RS> Note: The demonstration will try to access a few default images and wave
RS> files
RS> - Visit the POC
RS> - If a vulnerable Internet Explorer is used it will show your local
RS> sample images and give a proper alert.
RS>
RS> *Solution:*
RS> No solution
RS>
RS> *Screenshot:*
RS> http://www.xdisclose.com/images/xdiscloselocalie.jpg
RS>
RS> *Proof Of Concept:*
RS> http://www.xdisclose.com/poc/xdiscloselocalie.html
RS>
RS> *Impact:*
RS> A remote user can get access to the victim's local system files.
RS> Scope of impact is limited to system level.
RS>
RS> *Original Advisory:*
RS> http://www.xdisclose.com/XD100099.txt
RS>
RS> *Credits:*
RS> Rajesh Sethumadhavan has been credited with the discovery of this
RS> vulnerability
RS>
RS> *Disclaimer:*
RS> This entire document is strictly for educational, testing and
RS> demonstration purposes only. Modification, use and/or publishing of this
RS> information is entirely at your own risk. The exploit code is to be
RS> used in your testing environment only. I am not liable for any direct
RS> or indirect damages caused as a result of using the information or
RS> demonstrations provided in any part of this advisory.
RS>
RS> Thanks
RS> Regards
RS> Rajesh Sethumadhavan

-- 
~/ZARAZA http://securityvulns.com/
Trouble begins at eight. (Twain)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
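The thread's conclusion is that a file: reference embedded in remote HTML is at most an existence oracle for local files, not a content leak. The practical control on the receiving side (an HTML mail gateway or a sanitizer for untrusted markup) is to refuse such references outright, since remote content has no legitimate reason to load anything from file:. What follows is an added example written for this page, not code from either poster or from Microsoft: a Python check that flags file: URLs in the resource-loading attributes of the tags named in the advisory (img, script, embed, object, param, style, bgsound, body, input) and inside CSS url() (inline or in a style element). It normalizes entity escapes and embedded whitespace so that trivially obfuscated variants are caught. The sample HTML is constructed for the example and the function and class names are my own.

```python
"""Flag file: resource references in untrusted HTML (e.g. inbound HTML mail).

Added example: detects the pattern discussed in the advisory above, where a
remote page references file:/// URLs through resource-loading tags and
observes onload/onerror to learn whether a local file exists.
"""
import re
from html.parser import HTMLParser

# Attributes through which the advisory's tags load a resource.  "value" is
# only meaningful on <param>, "style" holds inline CSS and is scanned for url().
RESOURCE_ATTRS = {"src", "data", "value", "background", "href", "style"}

# Browsers ignore ASCII whitespace/control characters inside a URL, so drop
# them before inspecting the scheme ("fi\tle:" would otherwise slip through).
_CTRL = re.compile(r"[\x00-\x20]")
_CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")]*)", re.IGNORECASE)


def _is_file_url(value):
    """True when the (normalized) value uses the file: scheme."""
    return _CTRL.sub("", value).lower().startswith("file:")


class FileUrlFinder(HTMLParser):
    """Collects (tag, attribute, url) triples for every file: reference."""

    def __init__(self):
        # html.parser lowercases tag/attribute names and decodes character
        # references in attribute values, so "&#102;ile:" arrives as "file:".
        super().__init__()
        self.findings = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is None or name not in RESOURCE_ATTRS:
                continue
            if name == "value" and tag != "param":
                continue  # text values on <input> etc. are not loaded
            if name == "style":
                self._scan_css(tag, value)
            elif _is_file_url(value):
                self.findings.append((tag, name, value))
        if tag == "style":
            self._in_style = True

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        # Content of a <style> element is delivered here as raw CSS.
        if self._in_style:
            self._scan_css("style", data)

    def _scan_css(self, tag, css):
        for url in _CSS_URL.findall(css):
            if _is_file_url(url):
                self.findings.append((tag, "url()", url))


def find_file_references(html):
    """Return every file: reference found in the given HTML document."""
    parser = FileUrlFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: the advisory's tags, one benign remote image that must
# not be flagged, and an entity-encoded scheme that must still be caught.
SAMPLE_HTML = """
<body background="file:///C:/test.gif">
<img src="https://example.invalid/logo.png">
<img src="FILE:///C:/test.jpg">
<embed SRC="file:///C:/test.pdf"></embed>
<object data="file:///C:/test.mid"><param name="src" value="file:///C:/test.mid">
<param name="autoStart" value="true"></object>
<bgsound src="&#102;ile:///C:/test.mid" loop="1">
<style>BODY{background:url("file:///C:/test.gif")}</style>
<input type="image" src="file:///C:/test.gif">
<script src="file:///C:/test.js"></script>
"""

if __name__ == "__main__":
    for tag, attr, url in find_file_references(SAMPLE_HTML):
        print(f"<{tag} {attr}> -> {url}")
```

A gateway would reject or rewrite any message with a non-empty result; a false positive costs nothing, because no legitimate remote page or mail needs a file: reference. The check deliberately does not try to reason about which local paths are "sensitive": as the reply above notes, the exposure is an existence check, and the cheapest complete mitigation is to block the scheme rather than the path.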