Re: Internet Explorer and Opera local zone restriction bypass

From: Mohsen Hariri (mohsen_hariri_at_yahoo.com)
Date: 10/26/03

  • Next message: Paul Szabo: "Re: Internet Explorer and Opera local zone restriction bypass"
    Date: 26 Oct 2003 04:57:31 -0000
    To: bugtraq@securityfocus.com
    
    
    In-Reply-To: <20031024135303.26267.qmail@linuxmail.org>

    It worked for me - IE6 on XP-SP1.

    But it seems to be more a Flash Player MX plugin
    bug than an IE bug, because it stores cookies
    (Flash documents call it SharedObject) on
    disk, in a fixed location.

    bye

    >Subject: Internet Explorer and Opera local zone restriction bypass
    >
    >Internet Explorer and Opera local zone restriction bypass.
    >=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=
    >
    >----------------------
    >Vendor Information:
    >----------------------
    >
    >Homepage : http://www.microsoft.com
    >Vendor : informed
    >Mailed advisory: 23/10/03
    >Vendor Response : None yet
    >
    >
    >----------------------
    >Affected Versions:
    >----------------------
    >
    >All versions of IE 6
    >Possibly 5.x too
    >
    >
    >----------------------
    >Description:
    >----------------------
    >
    >Microsoft Internet Explorer does not allow local file access by a remote host by default.
    >By creating an iframe which points to a specially crafted cgi script (using the location header
    >to confuse IE), it is possible to cause IE to execute any local file through the iframe with local
    >zone restrictions. This then allows remote arbitrary file execution on the victim without having
    >the victim do a thing except load the page.
    >Opera seems to not only be affected by this vulnerability, but it also allows direct
    >local file access through iframes without any cgi scripts. Unlike IE where it is possible
    >to set activex objects to execute arbitrary files, in Opera it is not. There may be a way,
    >but I am currently not aware of any.
    >
    >
    >----------------------
    >Exploit:
    >----------------------
    >
    >I have created a proof of concept page, but I did not show or explain how the cgi scripts
    >nor the flash file work exactly to prevent kiddie abuse.
    >
    >For IE: http://www.mlsecurity.com/ie/ie.htm
    >
    >For Opera: <iframe name="abc" src="file:///C:/"></iframe>
    >
    >----------------------
    >Solution:
    >----------------------
    >
    >Check Microsoft's website frequently until a new patch comes out.
    >
    >----------------------
    >Contact:
    >----------------------
    >
    >- Mindwarper
    >- mindwarper@linuxmail.org
    >- http://mlsecurity.com
    >

