Bugtraq mailing list archives

Re: Internet Explorer and Opera local zone restriction bypass

From: Mohsen Hariri <mohsen_hariri () yahoo com>
Date: 26 Oct 2003 04:57:31 -0000

In-Reply-To: <20031024135303.26267.qmail () linuxmail org>

It worked for me- IE6 on XP-SP1.

but it seems to be a Flash Player MX plugin 
bug than IE bug, cause it stores cookies(
flash documents call it SharedObject) on
disk, in a fixed location.

bye

Subject: Internet Explorer and Opera local zone restriction bypass

Internet Explorer and Opera local zone restriction bypass.
=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=

----------------------
Vendor Information:
---------------------- 

Homepage : http://www.microsoft.com
Vendor : informed
Mailed advisory: 23/10/03
Vender Response : None yet


----------------------
Affected Versions:
----------------------

All version of IE 6
Possibly 5.x too


----------------------
Description:
----------------------

Microsoft Internet Explorer does not allow local file access by a remote host by default.
By creating an iframe which points on a specially crafted cgi script (using the location header 
to confuse IE), it is possible to cause IE to execute any local file through the iframe with local 
zone restrictions. This then allows remote arbitrary file execution on the victim without having
the victim do a thing except load the page.
Opera seems to not only be affected by this vulnerability, but it also allows direct
local file access through iframes without any cgi scripts. Unlike IE where it is possible
to set activex objects to execute arbitrary files, in Opera it is not. There may be a way,
but I am currently not aware of any.


----------------------
Exploit:
----------------------

I have created a proof of concept page, but I did not show or explain how the cgi scripts
nor the flash file work exactly to prevent kiddie abuse.

For IE: http://www.mlsecurity.com/ie/ie.htm

For Opera: <iframe name="abc" src="file:///C:/"></iframe>

----------------------
Solution:
---------------------- 

Check Microsoft's website frequently until a new patch comes out.

----------------------
Contact:
----------------------

- Mindwarper
- mindwarper () linuxmail org
- http://mlsecurity.com

-- 
______________________________________________
Check out the latest SMS services @ http://www.linuxmail.org 
This allows you to send and receive SMS through your mailbox.


Powered by Outblaze

Current thread:

Internet Explorer and Opera local zone restriction bypass Mindwarper * (Oct 24)
- Re: Internet Explorer and Opera local zone restriction bypass Jort Slobbe (Oct 24)
  - Re: Internet Explorer and Opera local zone restriction bypass jelmer (Oct 27)
- Re: Internet Explorer and Opera local zone restriction bypass Andreas Sandblad (Oct 27)
- Re: Internet Explorer and Opera local zone restriction bypass Andreas Sandblad (Oct 27)
  - Re: Internet Explorer and Opera local zone restriction bypass jelmer (Oct 28)
- <Possible follow-ups>
- RE: Internet Explorer and Opera local zone restriction bypass Thor Larholm (Oct 27)
- RE: Internet Explorer and Opera local zone restriction bypass Mindwarper * (Oct 27)
  - Re: Internet Explorer and Opera local zone restriction bypass Heikki Toivonen (Oct 27)
- Re: Internet Explorer and Opera local zone restriction bypass Mohsen Hariri (Oct 27)
- Re: Internet Explorer and Opera local zone restriction bypass Paul Szabo (Oct 27)
- RE: Internet Explorer and Opera local zone restriction bypass Thor Larholm (Oct 28)
- Re: Internet Explorer and Opera local zone restriction bypass Bipin Gautam hUNT3R (Oct 28)
- Re: Internet Explorer and Opera local zone restriction bypass william schulze (Oct 30)
- RE: Internet Explorer and Opera local zone restriction bypass Francis Favorini (Oct 30)
- Re: Internet Explorer and Opera local zone restriction bypass Paul Szabo (Oct 30)
- RE: Internet Explorer and Opera local zone restriction bypass Thor Larholm (Oct 30)
- RE: Internet Explorer and Opera local zone restriction bypass Paul Szabo (Oct 31)