Reading portions of local files in IE, depending on structure (GM#004-IE)

["GreyMagic Software" <security () greymagic com>]

GreyMagic Security Advisory GM#004-IE
=====================================

By GreyMagic Software, Israel.
02 Apr 2002.

Available in HTML format at http://security.greymagic.com/adv/gm004-ie/.

Topic: Reading portions of local files, depending on structure.

Discovery date: 18 Feb 2002.

Affected applications:
======================

All tested versions of Microsoft Internet Explorer (IE5+).


Introduction:
=============

Cascading Style Sheets (CSS) are a way to control how HTML elements look, it
enables developers to separate content (HTML) from style.

CSS can be embedded in a number of ways, one of them is to use an external
file and link it to a document; this is done by utilizing the <link> element
or the seldom used @import CSS rule.


Discussion:
===========

Using the cssText property of the styleSheet object it is possible to read
portions (and sometimes whole) files, from local or remote locations.

Almost any file that contains a curly-bracket ("{") character will be parsed
by IE's CSS engine, it is then possible to read parts of the content using
the cssText property.

The problem is that invalid CSS attributes are kept within the cssText
property even though they have no functional use, allowing malicious
programmers access to that content.

The problem is very apparent in C-style code files (Java, Perl, C#, etc.)
and in configurations for many services (such as DNS, for example).

[1] CSS: http://www.w3.org/TR/REC-CSS2/.
[2] <link> element:
http://msdn.microsoft.com/workshop/author/dhtml/reference/objects/link.asp.
[3] @import rule:
http://msdn.microsoft.com/workshop/author/dhtml/reference/properties/import.
asp.
[4] cssText property:
http://msdn.microsoft.com/workshop/author/dhtml/reference/properties/csstext
.asp.
[5] styleSheet object:
http://msdn.microsoft.com/workshop/author/dhtml/reference/objects/obj_styles
heet.asp.


Exploit:
========

This example attempts to read content from "c:/test.txt".

<link id="oFile" rel="stylesheet" href="file://c:/test.txt" disabled>
<script language="jscript">
onload=function () {
    alert(document.styleSheets.oFile.cssText || "Could not extract any text
from file.");
}
</script>


Solution:
=========

Microsoft was first informed on 18 Feb 2002 (44 days ago), they have opened
an investigation regarding this issue and will probably release a patch in
the near future.

Until a patch becomes available the only workaround is to disable Active
Scripting.


Tested on:
==========

IE5sp2 NT4 sp6a, all patches.
IE5.5sp2 Win98, all patches.
IE5.5sp2 NT4 sp6a, all patches.
IE6sp1 Win2000 sp2, all patches.
IE6sp1 WinXP, all patches.

Demonstration:
==============

A fully dynamic proof-of-concept demonstration of this issue is available at
http://security.greymagic.com/adv/gm004-ie/.


Feedback:
=========

Please mail any questions or comments to security () greymagic com.

- Copyright © 2002 GreyMagic Software.