Re: Internet Explorer and Opera local zone restriction bypass

[jelmer <jkuperus () planet nl>]

I tried it on 3 pc's and it only worked when pressing refresh,
something that can be concidered non trivial user interaction

I just tried your suggestion under windows XP / IE6 SP1
it doesn't work

Cannot find 'ftp://%@/... Make sure the path or Internet address is correct

--jelmer



----- Original Message ----- 
From: "Andreas Sandblad" <sandblad () acc umu se>
To: "Mindwarper *" <mindwarper () linuxmail org>
Cc: <bugtraq () securityfocus com>
Sent: Monday, October 27, 2003 9:32 PM
Subject: Re: Internet Explorer and Opera local zone restriction bypass


> Hi Mindwarper.
>
> It seems you can actually get it to work without pressing refresh and
> without knowing the username (at least on my fully patched win2000 pro
> machine).
>
> How? Remember the vulnerability
> "Microsoft Internet Explorer %USERPROFILE% Folder Disclosure Vuln."
> http://msgs.securepoint.com/cgi-bin/get/bugtraq0306/52.html
> found by Eiji James Yoshida and published on Bugtraq 5 June 2003. It will
> allow us to link to local files without knowing the username.
>
> Basically this will repeat the test I did:
> - Infect mlsecurity.sol with html code by visiting:
> http://www.mlsecurity.com/ie/wee.php
>
> - Create an iframe dynamically:
> document.write('<iframe src=location.php><'+'/iframe>');
>
> - Redirect to local file with the following http header:
> Location: ftp://%@/../../../../Application Data/Macromedia/Flash
> Player/mlsecurity.com/mlsecurity.sol
>
> No username needed, no refresh.
>
> Sincerely,
>
> Andreas Sandblad
>
>
> On Fri, 24 Oct 2003, Mindwarper * wrote:
>
> > Internet Explorer and Opera local zone restriction bypass.
> > =--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=
> >
> > ----------------------
> > Vendor Information:
> > ----------------------
> >
> > Homepage : http://www.microsoft.com
> > Vendor : informed
> > Mailed advisory: 23/10/03
> > Vender Response : None yet
> >
> >
> > ----------------------
> > Affected Versions:
> > ----------------------
> >
> > All version of IE 6
> > Possibly 5.x too
> >
> >
> > ----------------------
> > Description:
> > ----------------------
> >
> > Microsoft Internet Explorer does not allow local file access by a remote
host by default.
> > By creating an iframe which points on a specially crafted cgi script
(using the location header
> > to confuse IE), it is possible to cause IE to execute any local file
through the iframe with local
> > zone restrictions. This then allows remote arbitrary file execution on
the victim without having
> > the victim do a thing except load the page.
> > Opera seems to not only be affected by this vulnerability, but it also
allows direct
> > local file access through iframes without any cgi scripts. Unlike IE
where it is possible
> > to set activex objects to execute arbitrary files, in Opera it is not.
There may be a way,
> > but I am currently not aware of any.
> >
> >
> > ----------------------
> > Exploit:
> > ----------------------
> >
> > I have created a proof of concept page, but I did not show or explain
how the cgi scripts
> > nor the flash file work exactly to prevent kiddie abuse.
> >
> > For IE: http://www.mlsecurity.com/ie/ie.htm
> >
> > For Opera: <iframe name="abc" src="file:///C:/"></iframe>
> >
> > ----------------------
> > Solution:
> > ----------------------
> >
> > Check Microsoft's website frequently until a new patch comes out.
> >
> > ----------------------
> > Contact:
> > ----------------------
> >
> > - Mindwarper
> > - mindwarper () linuxmail org
> > - http://mlsecurity.com
>
> -- 
>     _     _
>   o' \,=./ `o
>      (o o)
> -ooO--(_)--Ooo-