In the latest exploits section from another site, http://www.neworder.box.sk
This article is by "hx" and can be viewed here:
http://www.neworder.box.sk/showme.php3?id=5849

IE allows reading of local files by remote webpages
Nov, 26 2001 - 17:55
contributed by: hx
There is a vulnerability in MS Internet Explorer that allows any webpage or HTML email to read arbitrary local files. This bug may also lead to remote command execution. All versions of IE seem to be vulnerable. Read more for code.


Summary
-------
There is a vulnerability in MS Internet Explorer that allows
any webpage or HTML email to read arbitrary local files.
This bug may also lead to remote command execution.



Vulnerable versions
-------------------
All versions of IE seem to be affected. The following
configurations have been tested and are vulnerable:

Windows 2000 pro, IE 5.50
Windows 2000 pro SP2, IE 6.0, fully patched
Windows XP pro, IE 6.0

Workaround
----------
Disable ActiveX in Internet Explorer

Exploit details
---------------
The exploit is based on a very vague advisory posted to
vuln-dev@securityfocus.com by NOMEN NESCIO SECURITY ALERT
on 21/11/2001:
http://www.securityfocus.com/archive/82/241482

Marc Fossi suggests that this may be
another way to exploit an old vulnerability discovered by
Georgi Guninski: http://www.securityfocus.com/bid/1718

First we create either a "htmlfile_FullWindowEmbed" or a
"htmlfile" object (both work):

Ok, alert(myObject.outerHTML); gives us the following:

Decoding the Base64 string we get (hex dump):


20693325F903CF11 8FD000AA00686F13 .i3%.........ho.
3C703E266E627370 3B3C2F703E       <p>&nbsp;</p>

The first part is a GUID and the second one looks like HTML.
We inject the string
"document.location.href="file://c:\test.txt";"
into the object using

(There are probably easier ways to do this but I'm not very familiar
with IE coding).

Now to the interesting part. After c:\test.txt is loaded we can
still access the data parameter of the object using myObject.outerHTML.
This time it contains the Base64 encoded version of c:\test.txt among
other things.


So doing a alert(myObject.outerHTML); after the local file is loaded
we get:

with the Base64 string decoding to:

20693325F903CF11 8FD000AA00686F13 .i3%.........ho.
3C21444F43545950 452048544D4C2050 <!DOCTYPE HTML P
3C48544D4C3E3C48 4541443E0D0A3C4D <HTML><HEAD>..<M
...
776F726C643C2F58 4D503E3C2F424F44 world</XMP></BOD


where "hello world" is the contents of c:\test.txt.


It all boils down to an ordinary DOM circumvention with all the
usual implications.



Proof of concept exploit
------------------------


I have attached a zipped HTML file that reads c:\test.txt and
displays it.


regards,
Markus Kern


Download proof of concept code http://archives.neohapsis.com/archiv...WE-exploit.zip