Re: Internet Explorer and Opera local zone restriction bypass

From: Mohsen Hariri (mohsen_hariri_at_yahoo.com)
Date: 10/26/03

  • Next message: Paul Szabo: "Re: Internet Explorer and Opera local zone restriction bypass"
    Date: 26 Oct 2003 04:57:31 -0000
    To: bugtraq@securityfocus.com
    
    
    ('binary' encoding is not supported, stored as-is) In-Reply-To: <20031024135303.26267.qmail@linuxmail.org>

    It worked for me- IE6 on XP-SP1.

    but it seems to be a Flash Player MX plugin
    bug than IE bug, cause it stores cookies(
    flash documents call it SharedObject) on
    disk, in a fixed location.

    bye

    >Subject: Internet Explorer and Opera local zone restriction bypass
    >
    >Internet Explorer and Opera local zone restriction bypass.
    >=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=
    >
    >----------------------
    >Vendor Information:
    >----------------------
    >
    >Homepage : http://www.microsoft.com
    >Vendor : informed
    >Mailed advisory: 23/10/03
    >Vender Response : None yet
    >
    >
    >----------------------
    >Affected Versions:
    >----------------------
    >
    >All version of IE 6
    >Possibly 5.x too
    >
    >
    >----------------------
    >Description:
    >----------------------
    >
    >Microsoft Internet Explorer does not allow local file access by a remote host by default.
    >By creating an iframe which points on a specially crafted cgi script (using the location header
    >to confuse IE), it is possible to cause IE to execute any local file through the iframe with local
    >zone restrictions. This then allows remote arbitrary file execution on the victim without having
    >the victim do a thing except load the page.
    >Opera seems to not only be affected by this vulnerability, but it also allows direct
    >local file access through iframes without any cgi scripts. Unlike IE where it is possible
    >to set activex objects to execute arbitrary files, in Opera it is not. There may be a way,
    >but I am currently not aware of any.
    >
    >
    >----------------------
    >Exploit:
    >----------------------
    >
    >I have created a proof of concept page, but I did not show or explain how the cgi scripts
    >nor the flash file work exactly to prevent kiddie abuse.
    >
    >For IE: http://www.mlsecurity.com/ie/ie.htm
    >
    >For Opera: <iframe name="abc" src="file:///C:/"></iframe>
    >
    >----------------------
    >Solution:
    >----------------------
    >
    >Check Microsoft's website frequently until a new patch comes out.
    >
    >----------------------
    >Contact:
    >----------------------
    >
    >- Mindwarper
    >- mindwarper@linuxmail.org
    >- http://mlsecurity.com
    >
    >--
    >______________________________________________
    >Check out the latest SMS services @ http://www.linuxmail.org
    >This allows you to send and receive SMS through your mailbox.
    >
    >
    >Powered by Outblaze
    >


  • Next message: Paul Szabo: "Re: Internet Explorer and Opera local zone restriction bypass"

    Relevant Pages

    • [NT] Internet Explorer and Opera Local Zone Restriction Bypass (Exploit)
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Microsoft Internet Explorer does not allow local file access by a remote ... Macromedia Flash allows you to store arbitrary content in a known ... Flash cookies when storing them on disk so Explorer does not mis-read its ...
      (Securiteam)
    • Re: [Full-Disclosure] RE: Internet Explorer and Opera local zone restriction bypass
      ... but with Macromedia and their Flash player. ... > The issue is caused by Macromedias decision to store the contents of your ... anyway flash cookies are not plaintext, they are binary files, he just ... doubt we will see any malicious use of the local file redirection variation ...
      (Full-Disclosure)
    • Re: Internet Explorer and Opera local zone restriction bypass
      ... manually pressing refresh in Internet Explorer. ... > Microsoft Internet Explorer does not allow local file access by a remote host by default. ... > to set activex objects to execute arbitrary files, ...
      (Bugtraq)
    • Re: Internet Explorer and Opera local zone restriction bypass
      ... I tried it on 3 pc's and it only worked when pressing refresh, ... Internet Explorer and Opera local zone restriction bypass ... >> Microsoft Internet Explorer does not allow local file access by a remote ... >> to set activex objects to execute arbitrary files, ...
      (Bugtraq)
    • Re: Net::FTP error when local file does not exist
      ... > when the local file does not exist. ... so the error message goes to STDERR via carp as you suspected. ... Not a bug, ...
      (comp.lang.perl.modules)