[Full-Disclosure] (Another) Microsoft Internet Explorer FTP Security Hole

From: Matthew Murphy (mattmurphy_at_kc.rr.com)
Date: 06/04/03

  • Next message: Shawn McMahon: "Re: [Full-Disclosure] Re: IRCXpro 1.0 - Clear local and default remote admin passwords"
    To: "BugTraq" <bugtraq@securityfocus.com>, "Full Disclosure" <full-disclosure@lists.netsys.com>, "VulnWatch" <vulnwatch@vulnwatch.org>, "SecurITeam News" <news@securiteam.com>
    Date: Wed, 4 Jun 2003 12:32:05 -0500

    Microsoft Internet Explorer FTP Classic View Cross-Domain Scripting

    I. Synopsis

    Affected Software:
     * Microsoft Internet Explorer 5.01
     * Microsoft Internet Explorer 5.5
     * Microsoft Internet Explorer 6.0

    * Prior versions may be vulnerable; they are un-supported and were not

    Risk: Moderate
    Impact: Execute code of attacker's choice in security zones of arbitrary
    Vendor: Microsoft Corporation (http://www.microsoft.com/ie)
    Author: Matthew Murphy (mattmurphy@kc.rr.com)
    Status: Reported in January 2003; no response for nearly four months

    II. Product Description

    Microsoft's Internet Explorer remains the most popular browser on the
    Windows platform. IE for Windows supports several protocols with native
    functionality (FTP, HTTP, Gopher, WebDAV), and several others with
    extensions and plug-ins for other applications. The browser also supports
    security features like SSL/TLS, Java permissions, and code signing.

    III. Vulnerability Details

    Internet Explorer's FTP implementation offers two "view" settings. The
    default, "folder view" is a Windows Explorer-like view that represents an
    FTP directory as a Windows folder. This is similar to the browser's support
    for WebDAV (Web Folders). The second option, "classic view", offers a style
    similar to what is seen on competing browsers -- FTP directory are
    represented by a simple list of links, with a heading describing the
    directory being viewed.

    A security vulnerability is present in the "classic" view of Internet
    Explorer's FTP implementation. This now means that both views are unsafe
    for most users, as the previous folder view vulnerability (reported by Eiji
    Yoshida), remains only partially patched as of this advisory. The "classic"
    view generates a heading tag to describe the content being viewed. For
    instance, if the user is browsing 'ftp://localhost/', they will see:

    <H1>FTP root at localhost</H1>

    as part of the returned HTML listing. Unfortunately, this piece of code is
    not generated securely. For the purposes of our testing, we'll use
    "example.com". Now, there are FTP and HTTP servers at example.com, and
    users can use either of "ftp.example.com" or "www.example.com" (or simply
    "example.com") to access the same system. This is sometimes implemented
    (particularly with dynamic DNS providers) as a wildcard "A" record that
    resolves "*.example.com" to "example.com", which then resolves to the host
    in question. Using a combination of this functionality and the ability to
    decode URL sequences in Internet Explorer's hostname functionality, we
    exploit this as follows:


    And the following heading is created:

    <H1>FTP root at <img src="" onerror="alert(document.URL)"></H1>

    And the onerror event always fires as the current URL references a directory
    listing. By placing more complex code in the hostname, it may be possible
    to inject code across domain boundaries (if the attacked site is "Trusted"
    by the user). This is the only possible feasible compromise scenario.

    IV. Impact

    The impact of this vulnerability is relatively minor, as most sites do not
    allow wildcard lookups to be used, preventing the script code entered from
    running. However, exploitation requires only one trust relationship to be

    V. Vendor Response / Workarounds

    As of today the vendor response on this issue is: ABSOLUTELY NONE.
    Therefore, I feel I am forced to suggest a simple workaround in the abscence
    of an acceptable vendor response on this issue. To prevent exploitation of
    FTP sites, enable the following settings:

    In the "Tools" menu, the sub-item "Internet Options" will open a window with
    a several tabs. Under the "Connections" tab are two settings boxes.

    If you are a dial-up internet user, find your default connection, and click
    "Settings". Under the "Proxy Server" item, make sure that the box entitled
    "Use a proxy server for this connection" is checked. Click "Advanced".

    If you are a user that connects via an LAN or other persistent connection,
    click "LAN Settings". Make sure that "Use a proxy server for your LAN" is
    checked. Click the "Advanced" button next to the checkbox.

    Make sure that the "Use the same proxy server for all protocols" box is
    unchecked. In the text boxes around "FTP", enter "", and "0".
    Port 0 is not a valid connection endpoint, so all FTP communications will
    now fail. This effectively disables all FTP access, but can be reversed
    temporarily to access known-good FTP links.

    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

  • Next message: Shawn McMahon: "Re: [Full-Disclosure] Re: IRCXpro 1.0 - Clear local and default remote admin passwords"