RE: [Full-Disclosure] Mozilla Security Advisory 2004-07-08

From: Common Account (common_at_mccanless.us)
Date: 07/09/04

    To: "'Perrymon, Josh L.'" <PerrymonJ@bek.com>, <full-disclosure@lists.netsys.com>
    Date: Fri, 9 Jul 2004 13:48:15 -0400
    
    

    Josh,

    You asked " What about the problem with IE still? They haven't attempted to
    correct the issue or make ANY public announcements. I know they have enough
    holes but still."

    Remember in my post yesterday when I said I contacted MS about the
    situation? Well, here is the complete correspondence. As background, I
    shot this off to MS after I reported the shell vulnerability to Mozilla
    (http://bugzilla.mozilla.org/show_bug.cgi?id=250180). In addition to saying
    that local files can still be accessed through the Internet zone despite
    what SP1 for IE6 claims
    (http://support.microsoft.com/default.aspx?scid=kb;en-us;326489), I also
    show that the Outlook: protocol is accessible from the Internet zone. This
    means any email, contact, mailbox, appointment, etc. can be opened through
    Outlook:inbox/~someemailsubject in an href or iframe. I haven't played
    around with the exploitability of "Outlook:" yet but certainly plan on
    doing so.

    Anyway, back to the story. I sent approximately the same info to Mozilla and
    MS. Mozilla used the information to improve their browser (even though they
    hosed Josh and me on any credit for the discovery). But MS had this to say
    about it.
     

    <Begin Quote>
    Hello Keith,

    Thank you for your note. While a remote server can get local data to display
    in the client browser window by using these protocol handlers, it is not
    able to read the data itself.

    Thanks,
    XXXXXXXXXX (removed for privacy)

    -----Original Message-----
    From: Keith [mailto:keith@mccanless.us]
    Sent: Wednesday 07 July 2004 7:04
    To: Microsoft Security Response Center
    Subject: Access to local files with IE 6 SP1

    While IE 6 SP1 claims to stop all access to local files from web pages in
    the internet zone, this can still be accomplished.
     
    By adding a link to a page with
    "href=shell:windows\\somefileonuserssystem" the web page can access the
    local page. This seems to work with all of the shell shortcuts (i.e.
    cache, cookies, etc).

    More disturbing is the fact that local .htm files can be accessed this way
    and used as the source of an iframe. This could easily be evolved into an
    exploit that uses the local file's zone to launch ActiveX components.

    Also disturbing is that the Outlook: prefix also seems to be vulnerable.
    This means that a link to Outlook:inbox could open the inbox on the user's
    machine if they have Outlook installed. Contacts, calendar, and all
    other Outlook folders are susceptible to this. If the name of a particular
    email subject or contact is known, it can be accessed using
    Outlook:inbox/~emailsubject. These files and folders should not be
    accessible from the Internet zone according to all I have read from MS.
    Please let me know if this is considered a bug and if it will be fixed.

     
    Thanks
    Keith McCanless

    </end quote>

    -----Original Message-----
    From: full-disclosure-admin@lists.netsys.com
    [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of Perrymon, Josh
    L.
    Sent: Friday, July 09, 2004 10:51 AM
    To: 'Gary Flynn'; full-disclosure@lists.netsys.com
    Subject: RE: [Full-Disclosure] Mozilla Security Advisory 2004-07-08

    That's what I have been trying the entire time. But for some reason you can't
    pass parameters to the file correctly.
    Ex: the behavior of Code Red passing commands to cmd.exe.

    But it doesn't seem to like that. However the exploit released on FD
    mentioned visiting a shared folder.

    What I was thinking was that this exploit would have to be multi layered and
    have the ability to pass params. to the exe.

    So far I don't see that happening.

    My question:

    What about the problem with IE still? They haven't attempted to correct the
    issue or make ANY public announcements. I know they have enough holes but
    still.

    I think this problem showcases the great response by the Mozilla team to
    correct issues and hopefully will help with the move AWAY from IE and M$.

    JP

    -----Original Message-----
    From: Gary Flynn [mailto:flynngn@jmu.edu]
    Sent: Friday, July 09, 2004 8:28 AM
    To: full-disclosure@lists.netsys.com
    Subject: Re: [Full-Disclosure] Mozilla Security Advisory 2004-07-08

    Berend-Jan Wever wrote:
    > The advisory mentions that combining this with a BoF can result in remote
    > code execution, but they totally forget to mention that format string
    > exploits, integer overflows, XSS, SQL injection, etc... might cause the same
    > problems too. I bet they just read FD and didn't think for themselves. As
    > far as I can see, this bug allows an attacker to remotely abuse any
    > vulnerability a local program might be subject to, thus making any local
    > exploit a possible remote exploit.

    It would seem that one would have to be able to pass
    parameters to the file being called for these types of
    attacks to be possible.

    -- 
    Gary Flynn
    Security Engineer
    James Madison University
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
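As an added example, not code from the thread above or from Mozilla or Microsoft: a small Node.js link scanner that flags href/src values whose URL scheme names a local protocol handler such as shell: or Outlook: rather than a web resource. It normalizes the URL the way a browser's URL parser does before reading the scheme (leading whitespace and control characters ignored, ASCII tab and newline stripped, scheme letters case-insensitive), so a trivially obfuscated " SHELL:" or "sh<tab>ell:" is still caught. The allowlist of web schemes and the sample HTML page are assumptions made for this example; the shell: and Outlook: references in the sample mirror the ones Keith describes.

```javascript
// Added example, not code from the original thread. Scans HTML for href/src
// values whose URL scheme names a local protocol handler (shell:, outlook:,
// file:, res:, ...) instead of a web resource. The allowlist and the sample
// page below are assumptions made for this example.

// Schemes a page served from the Internet zone is expected to reference.
const WEB_SCHEMES = new Set(["http", "https", "ftp", "mailto"]);

// Return the lower-cased scheme of a URL, or null for a relative reference.
// Mirrors two browser URL-parsing behaviours that matter when filtering:
// leading control characters and spaces are ignored, and ASCII tab/newline
// characters are stripped anywhere, so "sh\tell:" still means "shell:".
function urlScheme(url) {
  const cleaned = url
    .replace(/[\t\n\r]/g, "")
    .replace(/^[\u0000-\u0020]+/, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// Walk every href/src attribute on elements that navigate or embed content
// and report those whose scheme is not on the web allowlist.
function findLocalHandlerReferences(html) {
  const attrRe =
    /<(a|iframe|frame|img|script|link|object|embed)\b[^>]*?\s(?:href|src)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const findings = [];
  let m;
  while ((m = attrRe.exec(html)) !== null) {
    const url = m[2] ?? m[3] ?? m[4] ?? "";
    const scheme = urlScheme(url);
    if (scheme !== null && !WEB_SCHEMES.has(scheme)) {
      findings.push({ tag: m[1].toLowerCase(), scheme, url });
    }
  }
  return findings;
}

// Constructed sample page; the shell: and Outlook: links mirror the ones
// described in the thread. "\t" before SHELL: is a literal tab character.
const SAMPLE_HTML = `
<html><body>
<a href="http://example.test/page.html">ordinary link</a>
<a href="shell:windows\\\\somefileonuserssystem">shell shortcut</a>
<a href="Outlook:inbox/~someemailsubject">open the inbox</a>
<iframe src="shell:cache\\\\local.htm"></iframe>
<iframe src="\tSHELL:cookies"></iframe>
<a href="/relative/path">relative link</a>
<a href="mailto:someone@example.test">mail</a>
</body></html>`;

for (const f of findLocalHandlerReferences(SAMPLE_HTML)) {
  console.log(`<${f.tag}> uses ${f.scheme}: -> ${f.url}`);
}
```

Run with `node scanner.js`; on the sample it reports the two shell: anchors, the shell: iframe and the tab-prefixed SHELL: iframe, and passes the http, relative and mailto links. An allowlist rather than a denylist is deliberate: the thread shows that the set of dangerous handlers (shell:, Outlook:) was not the one people expected, so enumerating the schemes a page is allowed to use is the only check that does not need updating each time a new handler turns up.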
