OSEC

From: the Pull (osioniusxyahoo.com)
Date: Fri Jan 04 2002 - 19:19:57 CST

    --- jelmer <jelmerkuperus.xs4all.nl> wrote:
    >
    > More reading of local files in MSIE
    >
    > Description
    >
    > There is a security vulnerability in IE 5.5 and 6 (probably other
    > versions as well) which allows reading and sending of local files.
    > The problem lies in the fact that you are able to access a local
    > file's DOM by calling the execScript function on a newly created
    > window. The sample exploit provided can only read browser-readable
    > files

    It might be noted here that this tends to be "text/html", and
    probably the single most vulnerable filetype of this kind is the
    ".log" format. This means if you can read "c:\file.txt" you can
    also read Apache, IIS, database, mIRC, and whatever other type of
    .log files might be on someone's system, except for ones locked by
    a system process.

    ... however, from looking at the source code, it contains the same
    usage of document.write() which was in the bug I just released.

    Jelmer's:

    extDoc = document.open('file:///C:/jelmer.txt', 'jelmer',
        'height=200,width=400,status=no,toolbar=no,menubar=no,location=no');

    Mine:

    var y = document.open("c:/test.txt", "x",
        "width=400,height=400,status=yes,location=yes,resizable=yes,toolbar=yes");

    It doesn't matter whether it is

    cmd = 'extDoc.execScript("alert(document.body.innerText)", "Jscript");';

    that is able to read the code, or this:

    setTimeout('alert(y.document.body.innerHTML);y.document.close();', 1000);

    -- they are just the same thing.

    (ref: http://www.osioniusx.com, document.write() bug.)

    Basically, the problem is that document.write() uses the
    window.open() method, as described on the MSDN website for the
    method here:

    http://msdn.microsoft.com/workshop/author/dhtml/reference/methods/open_1.asp

    The actual exploit code doesn't really matter. I understand the
    misunderstanding because it is simply such a common method.

    > however it is highly likely that reading binary files is possible
    > as well (by attaching an event to the DOM that calls the
    > httpxmlcomponent, which itself at the point of writing is still
    > vulnerable as well). In order for this exploit to work the file
    > name must be known.
    >
    > Risk
    >
    > High
    >
    > Systems affected:
    >
    > The vulnerability has been successfully exploited on
    > IE 6 / Windows XP with all patches installed
    > IE 5.5 / Windows ME
    >
    > Most likely other operating system / Internet Explorer versions
    > are vulnerable as well; I have not tested it though.
    >
    > Vendor status:
    >
    > I sent Microsoft a cc of my bugtraq post.
    >
    > Example:
    >
    > A working example is available at
    > http://www.xs4all.nl/~jkuperus/bug2.htm
    >
    > Workaround:
    >
    > Disable active scripting
    >
    > -- Insert some random nasty remarks about Microsoft at the dotted
    > line
    >

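The check that both snippets above get past is the browser's same-origin rule: a script running in a window at one origin must not be handed the DOM of a window it opened at another origin, and a file:// document never shares an origin with an http:// page. The following is an added example, not code from jelmer's or the Pull's posts and not IE's implementation: a small model in JavaScript (runs under Node, which has the WHATWG URL class built in) of the origin comparison IE should have applied to the document.open()/execScript/innerText sequence. The function names, the DOCUMENTS table standing in for local files, and the extra URLs beyond the two in the posts are all assumed for illustration. It also handles one edge case the second snippet raises: a bare Windows drive path like "c:/test.txt", which a WHATWG parser would otherwise read as a URL with scheme "c:".

```javascript
// Added example, not code from either post above and not IE code. A model
// of the same-origin check a browser has to apply before one window's
// script may touch another window's document. In these terms the bug is
// IE letting an http:// page call document.open(url, name, features), get
// a file:// window back, and then run execScript / read innerText in it.
// Function names and the document contents below are assumed for
// illustration.

// Constructed stand-in for what the victim's files would hand back as
// document.body.innerText. Nothing is read from the real filesystem.
const DOCUMENTS = {
  "file:///C:/jelmer.txt": "local secret: DO NOT SEND",
  "file:///C:/test.txt": "127.0.0.1 - - [04/Jan/2002] GET /admin 200",
  "http://www.xs4all.nl/~jkuperus/other.htm": "same-origin page",
};

// Resolve the string handed to document.open()/window.open(). A bare
// Windows drive path such as "c:/test.txt" is a local file; the WHATWG
// parser would otherwise read "c:" as the URL scheme, so normalise it
// to file:///C:/... before parsing.
function toUrl(spec, base) {
  const drive = /^([A-Za-z]):[\\/](.*)$/.exec(spec);
  if (drive) {
    const path = drive[1].toUpperCase() + ":/" + drive[2].replace(/\\/g, "/");
    return new URL("file:///" + path);
  }
  return new URL(spec, base);
}

// Origin as (scheme, host, port) for network schemes; url.host already
// carries a non-default port. file: and other schemes get an opaque origin
// (null here) that equals nothing, not even another file: URL.
function originOf(url) {
  const tuple = ["http:", "https:", "ws:", "wss:", "ftp:"];
  return tuple.includes(url.protocol) ? url.protocol + "//" + url.host : null;
}

function sameOrigin(a, b) {
  const oa = originOf(a);
  return oa !== null && oa === originOf(b);
}

// The check IE skipped: an opener script asking for the DOM of the window
// it just created. The document text is returned only when origins match.
function attemptDomRead(openerSpec, targetSpec) {
  const opener = toUrl(openerSpec);
  const target = toUrl(targetSpec, opener);
  const result = { target: target.href, allowed: sameOrigin(opener, target) };
  if (result.allowed) {
    result.text = DOCUMENTS[target.href] || "";
  } else {
    const targetOrigin = originOf(target) || "opaque origin (" + target.protocol + ")";
    result.reason = "opener origin " + originOf(opener) + " may not touch " + targetOrigin;
  }
  return result;
}

// Walk the two URLs from the posts plus a same-origin page and a
// port-mismatch case, printing ALLOW/DENY for each.
function demo() {
  const opener = "http://www.xs4all.nl/~jkuperus/bug2.htm";
  const targets = [
    "file:///C:/jelmer.txt",                       // jelmer's snippet
    "c:/test.txt",                                 // the Pull's snippet
    "/~jkuperus/other.htm",                        // same origin: allowed
    "http://www.xs4all.nl:8080/~jkuperus/bug2.htm" // same host, other port
  ];
  for (const t of targets) {
    const r = attemptDomRead(opener, t);
    const detail = r.allowed ? " -> " + JSON.stringify(r.text) : " (" + r.reason + ")";
    console.log((r.allowed ? "ALLOW " : "DENY  ") + r.target + detail);
  }
}

demo();
```

The opaque-origin rule is what makes the .log observation above moot under a correct implementation: whether the file is text/html, a plain .txt or an Apache log, the http:// opener's origin can never equal a file:// document's, so innerText/innerHTML of that window is simply not reachable from the opener's script.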