Microsoft Internet Explorer Local File Access Vulnerability

###########################################################################
XDisclose Advisory       : XD100099
Vulnerability Discovered : February 10th 07
Advisory Released        : February 20th 07
Credit                   : Rajesh Sethumadhavan
Class                    : Local File Access
Severity                 : Critical
Solution Status          : Unpatched/Reported to Vendor
Vendor                   : Microsoft Corporation
Affected applications    : Microsoft Internet Explorer
Affected version         : Microsoft Internet Explorer 6 confirmed
                           (Other versions may also be affected)
Affected Platform        : Windows XP Professional SP0, SP1, SP2
                           Windows Home Edition SP0, SP1, SP2
                           Windows 2003
CVE ID                   : CVE-2007-3406
Bugtraq ID               : 22621
###########################################################################

Overview:
Microsoft Internet Explorer is the default browser bundled with all versions
of the Microsoft Windows operating system.

Description:
A vulnerability has been identified in Microsoft Internet Explorer (default
installation) on Windows XP Service Pack 2 which could be exploited by
malicious users to obtain a victim's local files. This flaw is due to an
error in the way Microsoft Internet Explorer handles different HTML tags,
which could be exploited by a malicious remote user to obtain sensitive
local files from the victim's computer.

Vulnerability Insight:
Microsoft Internet Explorer does not correctly handle various HTML tags such
as "img", "script", "embed", "object", "param", "style", "bgsound", "body"
and "input" (other tags may also be vulnerable). By using the file protocol
along with the above tags it is possible to access the victim's local files.
A) Embed Tag Local File Access:
---------------------------------------------------------------------
---------------------------------------------------------------------

B) Object & Param Tag Local File Access:
---------------------------------------------------------------------
---------------------------------------------------------------------

C) Body Tag Local File Access:
---------------------------------------------------------------------
---------------------------------------------------------------------

E) Style Tag Local File Access:
---------------------------------------------------------------------
---------------------------------------------------------------------

F) Bgsound Tag Local File Access:
---------------------------------------------------------------------
---------------------------------------------------------------------

I) Script Tag Local File Access:
---------------------------------------------------------------------
---------------------------------------------------------------------
Exploitation method:
- Create a web page or an HTML mail containing the vulnerable code.
- When the victim opens the mail or visits the malicious site, it is
possible to access his local files.
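The tags and the file protocol named above give a mail gateway or proxy a concrete thing to look for: any of those elements referencing a file: URL from remote content. The scanner below is an added example, not part of the original advisory; it walks HTML with Python's standard html.parser and reports each tag/attribute (or CSS url()) that points at the file: scheme. The attribute table and the sample page are my own assumptions.

```python
from html.parser import HTMLParser
import re

# Tags the advisory names, with the attributes through which each loads a URL
# (assumed mapping; "link" is included since it is a similar loader).
URL_ATTRS = {
    "img": ("src", "dynsrc", "lowsrc"), "script": ("src",), "embed": ("src",),
    "object": ("data", "codebase"), "param": ("value",), "bgsound": ("src",),
    "body": ("background",), "input": ("src",), "link": ("href",),
}
FILE_RE = re.compile(r"^\s*file:", re.IGNORECASE)
CSS_URL_RE = re.compile(r"url\(\s*['\"]?\s*file:[^)]*\)", re.IGNORECASE)


class LocalFileRefScanner(HTMLParser):
    """Collects (tag, attribute, value) for every file: scheme reference."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style = True  # <style> body arrives via handle_data
        for name, value in attrs:
            if value is None:
                continue
            if name in URL_ATTRS.get(tag, ()) and FILE_RE.match(value):
                self.findings.append((tag, name, value.strip()))
            if name == "style" and CSS_URL_RE.search(value):  # inline CSS
                self.findings.append((tag, "style", value.strip()))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            for m in CSS_URL_RE.finditer(data):
                self.findings.append(("style", "url()", m.group(0)))


def find_local_file_refs(html):
    scanner = LocalFileRefScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: one remote image, five local file: references.
SAMPLE_HTML = """<html><body background="file:///C:/placeholder/backdrop.bmp">
<img src="https://example.com/logo.png"><img src="file:///C:/placeholder/sample.jpg">
<object data="file:///C:/placeholder/app.dll"><param name="src" value="file:///C:/placeholder/x.wav"></object>
<style>div { background: url(file:///C:/placeholder/bg.gif); }</style>
<bgsound src="FILE:///C:/placeholder/tune.wav"></body></html>"""
```

Running `find_local_file_refs(SAMPLE_HTML)` returns six findings (body, img, object, param, style, bgsound) and ignores the https image; the http(s) references a page legitimately needs are untouched.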
Demonstration:
Note: The demonstration will try to scan your system for installed
software and try to access a few default images and wave files.
- Visit the POC.
- If a vulnerable Internet Explorer is used, it will scan your hard disk
for installed software and try to load a few of your local sample
images and wave files.
Solution:
No solution
Proof Of Concept:
http://www.xdisclose.com/poc/xdiscloselocalie.html
Screenshot:
http://www.xdisclose.com/images/xdiscloselocalie.jpg
Impact:
A remote user can gain access to the victim's local system files, OS
fingerprinting is possible, the attacker can scan for vulnerable software
installed on the local system, and can cause a denial of service by
loading a huge local file into the browser.
The scope of impact is limited to the system level.
Original Advisory:
http://www.xdisclose.com/advisory/XD100099.html
Credits:
Rajesh Sethumadhavan has been credited with the discovery of this
vulnerability
Disclaimer:
This entire document is strictly for educational, testing and
demonstration purposes only. Modification, use and/or publishing of this
information is entirely at your own risk. The exploit code is to be
used in your testing environment only. I am not liable for any direct
or indirect damages caused as a result of using the information or
demonstrations provided in any part of this advisory.