Bugtraq mailing list archives
Re: Internet Explorer and Opera local zone restriction bypass
From: jelmer <jkuperus () planet nl>
Date: Tue, 28 Oct 2003 02:07:32 +0100
I tried it on 3 pc's and it only worked when pressing refresh, something that can be concidered non trivial user interaction I just tried your suggestion under windows XP / IE6 SP1 it doesn't work Cannot find 'ftp://%@/... Make sure the path or Internet address is correct --jelmer ----- Original Message ----- From: "Andreas Sandblad" <sandblad () acc umu se> To: "Mindwarper *" <mindwarper () linuxmail org> Cc: <bugtraq () securityfocus com> Sent: Monday, October 27, 2003 9:32 PM Subject: Re: Internet Explorer and Opera local zone restriction bypass
Hi Mindwarper. It seems you can actually get it to work without pressing refresh and without knowing the username (at least on my fully patched win2000 pro machine). How? Remember the vulnerability "Microsoft Internet Explorer %USERPROFILE% Folder Disclosure Vuln." http://msgs.securepoint.com/cgi-bin/get/bugtraq0306/52.html found by Eiji James Yoshida and published on Bugtraq 5 June 2003. It will allow us to link to local files without knowing the username. Basically this will repeat the test I did: - Infect mlsecurity.sol with html code by visiting: http://www.mlsecurity.com/ie/wee.php - Create an iframe dynamically: document.write('<iframe src=location.php><'+'/iframe>'); - Redirect to local file with the following http header: Location: ftp://%@/../../../../Application Data/Macromedia/Flash Player/mlsecurity.com/mlsecurity.sol No username needed, no refresh. Sincerely, Andreas Sandblad On Fri, 24 Oct 2003, Mindwarper * wrote:Internet Explorer and Opera local zone restriction bypass. =--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--= ---------------------- Vendor Information: ---------------------- Homepage : http://www.microsoft.com Vendor : informed Mailed advisory: 23/10/03 Vender Response : None yet ---------------------- Affected Versions: ---------------------- All version of IE 6 Possibly 5.x too ---------------------- Description: ---------------------- Microsoft Internet Explorer does not allow local file access by a remote
host by default.
By creating an iframe which points on a specially crafted cgi script
(using the location header
to confuse IE), it is possible to cause IE to execute any local file
through the iframe with local
zone restrictions. This then allows remote arbitrary file execution on
the victim without having
the victim do a thing except load the page. Opera seems to not only be affected by this vulnerability, but it also
allows direct
local file access through iframes without any cgi scripts. Unlike IE
where it is possible
to set activex objects to execute arbitrary files, in Opera it is not.
There may be a way,
but I am currently not aware of any. ---------------------- Exploit: ---------------------- I have created a proof of concept page, but I did not show or explain
how the cgi scripts
nor the flash file work exactly to prevent kiddie abuse. For IE: http://www.mlsecurity.com/ie/ie.htm For Opera: <iframe name="abc" src="file:///C:/"></iframe> ---------------------- Solution: ---------------------- Check Microsoft's website frequently until a new patch comes out. ---------------------- Contact: ---------------------- - Mindwarper - mindwarper () linuxmail org - http://mlsecurity.com-- _ _ o' \,=./ `o (o o) -ooO--(_)--Ooo-
Current thread:
- Internet Explorer and Opera local zone restriction bypass Mindwarper * (Oct 24)
- Re: Internet Explorer and Opera local zone restriction bypass Jort Slobbe (Oct 24)
- Re: Internet Explorer and Opera local zone restriction bypass jelmer (Oct 27)
- Re: Internet Explorer and Opera local zone restriction bypass Andreas Sandblad (Oct 27)
- Re: Internet Explorer and Opera local zone restriction bypass Andreas Sandblad (Oct 27)
- Re: Internet Explorer and Opera local zone restriction bypass jelmer (Oct 28)
- <Possible follow-ups>
- RE: Internet Explorer and Opera local zone restriction bypass Thor Larholm (Oct 27)
- RE: Internet Explorer and Opera local zone restriction bypass Mindwarper * (Oct 27)
- Re: Internet Explorer and Opera local zone restriction bypass Heikki Toivonen (Oct 27)
- Re: Internet Explorer and Opera local zone restriction bypass Mohsen Hariri (Oct 27)
- Re: Internet Explorer and Opera local zone restriction bypass Paul Szabo (Oct 27)
- RE: Internet Explorer and Opera local zone restriction bypass Thor Larholm (Oct 28)
- Re: Internet Explorer and Opera local zone restriction bypass Bipin Gautam hUNT3R (Oct 28)
- Re: Internet Explorer and Opera local zone restriction bypass william schulze (Oct 30)
- RE: Internet Explorer and Opera local zone restriction bypass Francis Favorini (Oct 30)
- Re: Internet Explorer and Opera local zone restriction bypass Paul Szabo (Oct 30)
(Thread continues...)
- Re: Internet Explorer and Opera local zone restriction bypass Jort Slobbe (Oct 24)