Microsoft Internet Explorer FTP Classic View Cross-Domain Scripting I. Synopsis Affected Software: * Microsoft Internet Explorer 5.01 * Microsoft Internet Explorer 5.5 * Microsoft Internet Explorer 6.0 * Prior versions may be vulnerable; they are un-supported and were not tested. Risk: Moderate Impact: Execute code of attacker's choice in security zones of arbitrary sites Vendor: Microsoft Corporation (http://www.microsoft.com/ie) Author: Matthew Murphy (mattmurphyat_private) Status: Reported in January 2003; no response for nearly four months II. Product Description Microsoft's Internet Explorer remains the most popular browser on the Windows platform. IE for Windows supports several protocols with native functionality (FTP, HTTP, Gopher, WebDAV), and several others with extensions and plug-ins for other applications. The browser also supports security features like SSL/TLS, Java permissions, and code signing. III. Vulnerability Details Internet Explorer's FTP implementation offers two "view" settings. The default, "folder view" is a Windows Explorer-like view that represents an FTP directory as a Windows folder. This is similar to the browser's support for WebDAV (Web Folders). The second option, "classic view", offers a style similar to what is seen on competing browsers -- FTP directory are represented by a simple list of links, with a heading describing the directory being viewed. A security vulnerability is present in the "classic" view of Internet Explorer's FTP implementation. This now means that both views are unsafe for most users, as the previous folder view vulnerability (reported by Eiji Yoshida), remains only partially patched as of this advisory. The "classic" view generates a heading tag to describe the content being viewed. For instance, if the user is browsing 'ftp://localhost/', they will see: <H1>FTP root at localhost</H1> as part of the returned HTML listing. Unfortunately, this piece of code is not generated securely. For the purposes of our testing, we'll use "example.com". Now, there are FTP and HTTP servers at example.com, and users can use either of "ftp.example.com" or "www.example.com" (or simply "example.com") to access the same system. This is sometimes implemented (particularly with dynamic DNS providers) as a wildcard "A" record that resolves "*.example.com" to "example.com", which then resolves to the host in question. Using a combination of this functionality and the ability to decode URL sequences in Internet Explorer's hostname functionality, we exploit this as follows: ftp://%3cimg%20src%3d%22%22%20onerror%3d%22alert%28document%2eURL%29%22%3e.e xample.com/ And the following heading is created: <H1>FTP root at <img src="" onerror="alert(document.URL)"></H1> And the onerror event always fires as the current URL references a directory listing. By placing more complex code in the hostname, it may be possible to inject code across domain boundaries (if the attacked site is "Trusted" by the user). This is the only possible feasible compromise scenario. IV. Impact The impact of this vulnerability is relatively minor, as most sites do not allow wildcard lookups to be used, preventing the script code entered from running. However, exploitation requires only one trust relationship to be broken. V. Vendor Response / Workarounds As of today the vendor response on this issue is: ABSOLUTELY NONE. Therefore, I feel I am forced to suggest a simple workaround in the abscence of an acceptable vendor response on this issue. To prevent exploitation of FTP sites, enable the following settings: In the "Tools" menu, the sub-item "Internet Options" will open a window with a several tabs. Under the "Connections" tab are two settings boxes. If you are a dial-up internet user, find your default connection, and click "Settings". Under the "Proxy Server" item, make sure that the box entitled "Use a proxy server for this connection" is checked. Click "Advanced". If you are a user that connects via an LAN or other persistent connection, click "LAN Settings". Make sure that "Use a proxy server for your LAN" is checked. Click the "Advanced" button next to the checkbox. Make sure that the "Use the same proxy server for all protocols" box is unchecked. In the text boxes around "FTP", enter "127.0.0.1", and "0". Port 0 is not a valid connection endpoint, so all FTP communications will now fail. This effectively disables all FTP access, but can be reversed temporarily to access known-good FTP links. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
This archive was generated by hypermail 2b30 : Wed Jun 04 2003 - 11:43:50 PDT