[NT] Accessing Remote and Local Content in IE

From: support@securiteam.com
Date: 08/25/02


From: support@securiteam.com
To: list@securiteam.com
Date: Sun, 25 Aug 2002 22:22:26 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Accessing Remote and Local Content in IE
------------------------------------------------------------------------

SUMMARY

GreyMagic Software has reported a security vulnerability in Internet
Explorer's data-island of the script tag.
By default the <script> data-island only allows URLs from the same domain
as the document to be assigned to its "src" attribute. Unfortunately, it
fails to correctly validate its "src" attribute against a redirection,
which potentially allows any web page to do the following:
 * Read XML files from any URL.
 * Read portions of non-XML files from any URL.
 * Read local XML files, in some setups.
 * Read portions of local non-XML files, in some setups.

Any of the exploitations above may expose sensitive and private
information belonging to the user.

The <script> data-island can be exploited by assigning a URL to the "src"
attribute, which will redirect to a local or remote location. The XML
engine will then process the content of that location.

In case the location does not contain valid XML content, parts of it can
still be read by using XMLDOM's error mechanism. The "srcText" property of
the "parseError" object will contain the line of text that could not be
parsed by the engine. If the content does not contain line breaks at all
then the entire content may be exposed.
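The check the advisory says Internet Explorer omitted, written out as an added example (not GreyMagic's or Microsoft's code): a data-island "src" must remain same-origin not only as written but after every redirect hop, including the final location. The redirect table, the host names and the naive/strict functions are constructed for illustration.

```python
from urllib.parse import urlparse, urljoin

# Constructed stand-in for HTTP 302 responses: request URL -> Location header.
# The document lives on attacker.example; getFile.asp is same-origin as written
# but redirects elsewhere, which is exactly the case the advisory describes.
REDIRECTS = {
    "http://attacker.example/getFile.asp": "http://victim.example/private/data.xml",
    "http://attacker.example/chain.asp": "/getFile.asp",
    "http://attacker.example/local.asp": "file:///C:/placeholder.xml",
}

def origin(url):
    """(scheme, host, port) triple; default ports are filled in so equal origins compare equal."""
    p = urlparse(url)
    port = p.port or {"http": 80, "https": 443}.get(p.scheme)
    return (p.scheme, p.hostname, port)

def resolve(url, redirects, max_hops=10):
    """Follow the constructed redirects and return every URL in the chain, first to last."""
    chain = [url]
    for _ in range(max_hops):
        target = redirects.get(chain[-1])
        if target is None:
            return chain
        chain.append(urljoin(chain[-1], target))   # Location may be relative
    raise ValueError("too many redirects")

def naive_allows(document_url, src):
    """The flawed check: only the URL as written in the src attribute is compared."""
    return origin(urljoin(document_url, src)) == origin(document_url)

def strict_allows(document_url, src, redirects):
    """The corrected check: every hop of the redirect chain must stay on the document's origin."""
    doc = origin(document_url)
    chain = resolve(urljoin(document_url, src), redirects)
    return all(origin(u) == doc for u in chain)
```

With the table above, naive_allows accepts "getFile.asp" while strict_allows rejects it, because the final hop lands on victim.example.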

DETAILS

Affected version:
All tested versions of Microsoft Internet Explorer (IE5+); prior versions
may be vulnerable as well.

Note that any other application that uses Internet Explorer's engine
(WebBrowser control) is affected as well (Outlook, MSN Explorer, etc.).

Introduction:
Back in 1997, when Internet Explorer 4 was first released, XML was just
starting to become popular. The popularity of XML prompted Microsoft to
devise the early prototype of XML data-islands, using the <script> element
in conjunction with the "language" attribute set to "XML".

When Internet Explorer 5 was released the <script> data-island had been
replaced with the more intuitive <xml> data-island. However, even though
the <script> syntax was now deprecated, Microsoft kept it for the sake of
backwards compatibility.

Exploit:
This example reads the contents of a remote URL. "getFile.asp" is a
same-domain page that redirects to the desired location, which allows the
content of that location to be read:

<script language="xml" src="getFile.asp" id="oFile"></script>
<script language="jscript">
onload = function () {
    // oFile is the legacy data-island; XMLDocument is its parsed result
    var oXD = oFile.XMLDocument,
        oPE = oXD.parseError;

    alert(
        oXD.firstChild || oPE.line > 0 ?
            "File found!\n" +
            "Details:\n\n" +
            // well-formed XML is returned whole; otherwise the parser's
            // error record exposes the line it could not parse
            (oXD.xml || "Line " + oPE.line + " contains '" + oPE.srcText + "'")
        :
            "File does not exist or could not be retrieved."
    );
}
</script>

Solution:
Microsoft was first informed on 18 Feb 2002; a patch was finally released
on 22 Aug 2002 after a long investigation and testing period.

The patch may be downloaded from:
http://www.microsoft.com/technet/security/bulletin/ms02-047.asp

Demonstration:
GreyMagic has posted a fully dynamic proof-of-concept demonstration at:
http://security.greymagic.com/adv/gm009-ie/

ADDITIONAL INFORMATION

The original advisory can be viewed at:
http://security.greymagic.com/adv/gm009-ie/

The information has been provided by <mailto:security@greymagic.com>
GreyMagic Software.
