[23711] in bugtraq
Re: More reading of local files in MSIE
daemon@ATHENA.MIT.EDU (the Pull)
Sat Jan 5 20:43:30 2002
Message-ID: <20020105011957.64879.qmail@web12508.mail.yahoo.com>
Date: Fri, 4 Jan 2002 17:19:57 -0800 (PST)
From: the Pull <osioniusx@yahoo.com>
To: jelmer <jelmer@kuperus.xs4all.nl>, bugtraq@securityfocus.com
Cc: Secure@microsoft.com
In-Reply-To: <000001c1955d$def5c370$5801a8c0@pluto>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
--- jelmer <jelmer@kuperus.xs4all.nl> wrote:
>
> More reading of local files in MSIE
>
> Description
>
>
> There is a security vulnerability in IE 5.5 and 6
> (probably other
> versions as well) which allows reading and sending
> of local files.
> The problem lies in the fact that you are able to
> access a local file's
> dom by calling the execScript function on a newly
> created window
> The sample exploit provided can only read browser
> readable files
It might be noted here that this tends to be
"text/html", and probably the single most vulnerable
filetype of this kind is the ".log" format.
This means if you can read "c:\file.txt" you can also
read Apache, IIS, database, mIRC, and whatever other
type of .log files might be on someone's system, except
for ones locked by a system process.
... however, from looking at the source code it
contains the same usage of document.write() which was
in the bug I just released.
Jelmer's:
" extDoc = document.open('file:///C:/jelmer.txt','jelmer','height=200,width=400,status=no,toolbar=no,menubar=no,location=no');"
mine:
var y = document.open( "c:/test.txt", "x", "width=400,height=400,status = yes, location = yes,resizable = yes, toolbar=yes" );
It doesn't matter if it is "cmd = 'extDoc.execScript("alert(document.body.innerText)", "Jscript");';" that is able to read the code or this:
setTimeout('alert(y.document.body.innerHTML);y.document.close();',1000);
-- they are just the same thing.
(ref: http://www.osioniusx.com, document.write() bug).
Basically, the problem is that when the
document.write() uses the window.open() method as
described on the MSDN website for the method here:
http://msdn.microsoft.com/workshop/author/dhtml/reference/methods/open_1.asp
The actual exploit code doesn't really matter. I
understand the misunderstanding because it is just
simply such a common method.
>however
> it is highly likely that reading binary files is
> possible as well
> (By attaching an event to the dom that calls the
> httpxmlcomponent, which
> itself at the point of writing is still vulnerable
> as well)
> In order for this exploit to work the file name must
> be known.
>
> Risk
>
> High
>
> Systems affected:
>
> The vulnerability has been successfully exploited on
> IE 6 / Windows XP with all patches installed
> IE 5.5 / Windows ME
>
>
> Most likely other operating system / internet
> explorer versions are
> vulnerable as well; I have not tested it though.
>
> Vendor status:
>
> I sent Microsoft a cc of my bugtraq post
>
> Example:
>
> A working example is available at
> http://www.xs4all.nl/~jkuperus/bug2.htm
> Workaround:
>
> Disable active scripting
>
>
> -- Insert some random nasty remarks about Microsoft
> at the dotted line
>
>
>
>
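As an added example, not part of jelmer's or the Pull's posts, the following PowerShell snippet reports the current "Active scripting" setting for the Internet zone and can apply the "Disable active scripting" workaround stated above. It assumes the per-user IE zone settings path shown below and the documented zone codes (value name 1400 = Active scripting; 0 = Enable, 1 = Prompt, 3 = Disable).

```powershell
# Added example (not from the original post): audit and optionally set the
# "Active scripting" policy (value name 1400) for the Internet zone (zone 3),
# which is the workaround suggested in the advisory above.
# Assumptions: per-user zone settings live under the HKCU path below and use
# the documented codes 0 = Enable, 1 = Prompt, 3 = Disable.
param([switch]$Disable)

$zonePath  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$valueName = '1400'   # Active scripting
$labels    = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

# Read the current value; a missing value means the browser default applies.
$current = (Get-ItemProperty -Path $zonePath -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($null -eq $current) {
    Write-Output "Internet zone: Active scripting value not set (browser default applies)"
} else {
    $label = $labels[[int]$current]
    if (-not $label) { $label = 'Unknown code' }
    Write-Output ("Internet zone: Active scripting = {0} ({1})" -f $current, $label)
}

# Apply the workaround only when explicitly requested with -Disable.
if ($Disable) {
    Set-ItemProperty -Path $zonePath -Name $valueName -Value 3 -Type DWord
    Write-Output "Internet zone: Active scripting set to Disabled (3)"
}
```

Run without arguments to audit; run with -Disable to apply the workaround for the current user.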