[Full-Disclosure] (Another) Microsoft Internet Explorer FTP Security Hole
From: Matthew Murphy (mattmurphy_at_kc.rr.com)
To: "BugTraq" <email@example.com>, "Full Disclosure" <firstname.lastname@example.org>, "VulnWatch" <email@example.com>, "SecurITeam News" <firstname.lastname@example.org> Date: Wed, 4 Jun 2003 12:32:05 -0500
Microsoft Internet Explorer FTP Classic View Cross-Domain Scripting
* Microsoft Internet Explorer 5.01
* Microsoft Internet Explorer 5.5
* Microsoft Internet Explorer 6.0
* Prior versions may be vulnerable; they are un-supported and were not
Impact: Execute code of attacker's choice in security zones of arbitrary
Vendor: Microsoft Corporation (http://www.microsoft.com/ie)
Author: Matthew Murphy (email@example.com)
Status: Reported in January 2003; no response for nearly four months
II. Product Description
Microsoft's Internet Explorer remains the most popular browser on the
Windows platform. IE for Windows supports several protocols with native
functionality (FTP, HTTP, Gopher, WebDAV), and several others with
extensions and plug-ins for other applications. The browser also supports
security features like SSL/TLS, Java permissions, and code signing.
III. Vulnerability Details
Internet Explorer's FTP implementation offers two "view" settings. The
default, "folder view" is a Windows Explorer-like view that represents an
FTP directory as a Windows folder. This is similar to the browser's support
for WebDAV (Web Folders). The second option, "classic view", offers a style
similar to what is seen on competing browsers -- FTP directory are
represented by a simple list of links, with a heading describing the
directory being viewed.
A security vulnerability is present in the "classic" view of Internet
Explorer's FTP implementation. This now means that both views are unsafe
for most users, as the previous folder view vulnerability (reported by Eiji
Yoshida), remains only partially patched as of this advisory. The "classic"
view generates a heading tag to describe the content being viewed. For
instance, if the user is browsing 'ftp://localhost/', they will see:
<H1>FTP root at localhost</H1>
as part of the returned HTML listing. Unfortunately, this piece of code is
not generated securely. For the purposes of our testing, we'll use
"example.com". Now, there are FTP and HTTP servers at example.com, and
users can use either of "ftp.example.com" or "www.example.com" (or simply
"example.com") to access the same system. This is sometimes implemented
(particularly with dynamic DNS providers) as a wildcard "A" record that
resolves "*.example.com" to "example.com", which then resolves to the host
in question. Using a combination of this functionality and the ability to
decode URL sequences in Internet Explorer's hostname functionality, we
exploit this as follows:
And the following heading is created:
<H1>FTP root at <img src="" onerror="alert(document.URL)"></H1>
And the onerror event always fires as the current URL references a directory
listing. By placing more complex code in the hostname, it may be possible
to inject code across domain boundaries (if the attacked site is "Trusted"
by the user). This is the only possible feasible compromise scenario.
The impact of this vulnerability is relatively minor, as most sites do not
allow wildcard lookups to be used, preventing the script code entered from
running. However, exploitation requires only one trust relationship to be
V. Vendor Response / Workarounds
As of today the vendor response on this issue is: ABSOLUTELY NONE.
Therefore, I feel I am forced to suggest a simple workaround in the abscence
of an acceptable vendor response on this issue. To prevent exploitation of
FTP sites, enable the following settings:
In the "Tools" menu, the sub-item "Internet Options" will open a window with
a several tabs. Under the "Connections" tab are two settings boxes.
If you are a dial-up internet user, find your default connection, and click
"Settings". Under the "Proxy Server" item, make sure that the box entitled
"Use a proxy server for this connection" is checked. Click "Advanced".
If you are a user that connects via an LAN or other persistent connection,
click "LAN Settings". Make sure that "Use a proxy server for your LAN" is
checked. Click the "Advanced" button next to the checkbox.
Make sure that the "Use the same proxy server for all protocols" box is
unchecked. In the text boxes around "FTP", enter "127.0.0.1", and "0".
Port 0 is not a valid connection endpoint, so all FTP communications will
now fail. This effectively disables all FTP access, but can be reversed
temporarily to access known-good FTP links.
Full-Disclosure - We believe in it.