Re: Internet Explorer and Opera local zone restriction bypass

From: jelmer (jkuperus_at_planet.nl)
Date: 10/28/03

    Date: Tue, 28 Oct 2003 02:07:32 +0100
    To: Andreas Sandblad <sandblad@acc.umu.se>, Mindwarper * <mindwarper@linuxmail.org>

    I tried it on 3 PCs and it only worked when pressing refresh,
    something that can be considered non-trivial user interaction.

    I just tried your suggestion under Windows XP / IE6 SP1;
    it doesn't work:

    Cannot find 'ftp://%@/... Make sure the path or Internet address is correct

    --jelmer

    ----- Original Message -----
    From: "Andreas Sandblad" <sandblad@acc.umu.se>
    To: "Mindwarper *" <mindwarper@linuxmail.org>
    Cc: <bugtraq@securityfocus.com>
    Sent: Monday, October 27, 2003 9:32 PM
    Subject: Re: Internet Explorer and Opera local zone restriction bypass

    > Hi Mindwarper.
    >
    > It seems you can actually get it to work without pressing refresh and
    > without knowing the username (at least on my fully patched win2000 pro
    > machine).
    >
    > How? Remember the vulnerability
    > "Microsoft Internet Explorer %USERPROFILE% Folder Disclosure Vuln."
    > http://msgs.securepoint.com/cgi-bin/get/bugtraq0306/52.html
    > found by Eiji James Yoshida and published on Bugtraq 5 June 2003. It will
    > allow us to link to local files without knowing the username.
    >
    > Basically this will repeat the test I did:
    > - Infect mlsecurity.sol with html code by visiting:
    > http://www.mlsecurity.com/ie/wee.php
    >
    > - Create an iframe dynamically:
    > document.write('<iframe src=location.php><'+'/iframe>');
    >
    > - Redirect to local file with the following http header:
    > Location: ftp://%@/../../../../Application Data/Macromedia/Flash
    > Player/mlsecurity.com/mlsecurity.sol
    >
    > No username needed, no refresh.
    >
    > Sincerely,
    >
    > Andreas Sandblad
    >
    >
    > On Fri, 24 Oct 2003, Mindwarper * wrote:
    >
    > > Internet Explorer and Opera local zone restriction bypass.
    > > =--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=
    > >
    > > ----------------------
    > > Vendor Information:
    > > ----------------------
    > >
    > > Homepage : http://www.microsoft.com
    > > Vendor : informed
    > > Mailed advisory: 23/10/03
    > > Vendor Response : None yet
    > >
    > >
    > > ----------------------
    > > Affected Versions:
    > > ----------------------
    > >
    > > All versions of IE 6
    > > Possibly 5.x too
    > >
    > >
    > > ----------------------
    > > Description:
    > > ----------------------
    > >
    > > Microsoft Internet Explorer does not allow local file access by a remote host by default.
    > > By creating an iframe which points on a specially crafted cgi script (using the location header
    > > to confuse IE), it is possible to cause IE to execute any local file through the iframe with local
    > > zone restrictions. This then allows remote arbitrary file execution on the victim without having
    > > the victim do a thing except load the page.
    > > Opera seems to not only be affected by this vulnerability, but it also allows direct
    > > local file access through iframes without any cgi scripts. Unlike IE where it is possible
    > > to set activex objects to execute arbitrary files, in Opera it is not. There may be a way,
    > > but I am currently not aware of any.
    > >
    > >
    > > ----------------------
    > > Exploit:
    > > ----------------------
    > >
    > > I have created a proof of concept page, but I did not show or explain how the cgi scripts
    > > nor the flash file work exactly to prevent kiddie abuse.
    > >
    > > For IE: http://www.mlsecurity.com/ie/ie.htm
    > >
    > > For Opera: <iframe name="abc" src="file:///C:/"></iframe>
    > >
    > > ----------------------
    > > Solution:
    > > ----------------------
    > >
    > > Check Microsoft's website frequently until a new patch comes out.
    > >
    > > ----------------------
    > > Contact:
    > > ----------------------
    > >
    > > - Mindwarper
    > > - mindwarper@linuxmail.org
    > > - http://mlsecurity.com
    > >
    > >
    >
    > --
    > _ _
    > o' \,=./ `o
    > (o o)
    > -ooO--(_)--Ooo-
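The thread above describes a redirect whose Location header is an ftp URL with no real host (`ftp://%@/`) and a path that walks upward with `..` segments. As an added example that is not part of the original thread, this Python checker flags Location header values with those two properties, so a proxy or server log review can spot the pattern; the sample header values are constructed, and only the `ftp://%@/...` form is taken from the messages above.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample Location header values; only the ftp://%@/ form with the
# Flash Player path is taken from the thread, the rest are made up for contrast.
SAMPLE_LOCATIONS = [
    "http://www.example.com/next.html",
    "ftp://%@/../../../../Application Data/Macromedia/Flash Player/mlsecurity.com/mlsecurity.sol",
    "ftp://ftp.example.org/pub/file.txt",
    "http://www.example.com/..%2f..%2fwin.ini",
]


def location_findings(value):
    """Classify one Location header value and return a list of tags:
    'empty-host'     - a network scheme (ftp/http/https) with no usable host,
                       which is what ftp://%@/ parses to;
    'path-traversal' - the percent-decoded path contains a '..' segment;
    'unparseable'    - urlsplit rejected the value outright."""
    tags = []
    try:
        parts = urlsplit(value.strip())
    except ValueError:
        return ["unparseable"]
    # ftp://%@/... has userinfo "%" and an empty host, so hostname is None.
    if parts.scheme in ("ftp", "http", "https") and not parts.hostname:
        tags.append("empty-host")
    # Decode %2f etc. and normalise backslashes before looking for '..' segments.
    segments = unquote(parts.path).replace("\\", "/").split("/")
    if ".." in segments:
        tags.append("path-traversal")
    return tags


def scan_locations(values):
    """Return {header value: tags} for every value that produced at least one tag."""
    return {v: t for v in values if (t := location_findings(v))}


if __name__ == "__main__":
    for value, tags in scan_locations(SAMPLE_LOCATIONS).items():
        print(tags, value)
```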

