Sure -- if you're using the file disclosure vulnerability you came up 
with, and he uses for the img element in his PoC, but doesn't actually 
discuss in the writeup directly, I agree.

In the actual writeup, he didn't discuss testing for existence through 
the onload and onerror events.  Unless I'm really misunderstanding 
something, the writeup just states you can include links to local files 
in a web page.  There's some hand-waving about how it "could be 
exploited by a malicious remote user to obtain sensitive local files", 
except he doesn't actually obtain the files!  If it did, then it would 
be a violation of the same-domain policy and a critical vulnerability 
indeed.  As you already pointed out, the only halfway interesting thing 
about this is the local file disclosure which isn't new, and isn't even 
described in the writeup!

-- 
Jordan Wiens, CISSP
UF Network Security Engineer
(352)392-2061


Howard Yeend wrote:
> well, the way I'd seen it working when I stumbled across it was that you 
> could profile a system for known vulnerable programs, and then connect 
> back and exploit them. eg:
> 
> client connects to server
> server serves blah.html
> blah.html launches javascript to detect vulnerable programs
> client connects to server telling which vulnerable programs are 
> installed (connection initiated by JS*)
> server connects back to try known exploits against only those programs 
> that are installed.
> 
> yep: the practical application is limited, it does rely on other vulns, 
> it's not critical. I'm quite amazed MSIE's still vulnerable though (well...)
> 
> * hey, do you think if I write a paper called "intelligent exploitation 
> in the web2.0 age" that anyone will publish it? :D
> 
> cheers,
> -h.
> 
> On 2/20/07, *Jordan Wiens* <[EMAIL PROTECTED]> wrote:
> 
>     Umm, so?  You can put links to local files in a page.  Nothing new
>     there.  If you can somehow access those objects later to disclose local
>     file contents, violating the same origin policy, well then by gosh
>     you've got a real vulnerability.
> 
>     If you can tell whether they exist (ala Howard's follow-up email via
>     onload errors -- and similar to the intranet scanning mechanisms RSnake
>     and Jeremiah Grossman have been working on), great, you've got a minor
>     file disclosure mechanism that might be useful when combined with other
>     vulns, but it's still a minor vuln at best, hardly "critical".
> 
>     And on the off chance that was just a clever troll, "d'oh.  Got me."
> 
>     --
>     Jordan Wiens, CISSP
>     UF Network Security Engineer
>     (352)392-2061
> 
> 
>     Rajesh Sethumadhavan wrote:
>      > *Microsoft Internet Explorer Local File Access Vulnerability*
>      >
>      > #####################################################################
>      >
>      > XDisclose Advisory       : XD100099
>      > Vulnerability Discovered : February 10th 07
>      > Advisory Released        : February 20th 07
>      > Credit                   : Rajesh Sethumadhavan
>      >
>      > Class                    : Local File Access
>      > Severity                 : Critical
>      > Solution Status          : Unpatched
>      > Vendor                   : Microsoft Corporation
>      > Affected applications    : Microsoft Internet Explorer
>      > Affected version         : Microsoft Internet Explorer 6 confirmed
>      >                            (Other versions may also be affected)
>      > Affected Platform        : Windows XP Professional SP0,SP1,SP2
>      >                            Windows Home Edition SP0,SP1,SP2
>      >                            Windows 2003
>      >
>      > #####################################################################
>      >
>      >
>      > *Overview:*
>      > Microsoft Internet Explorer is the default browser bundled with all
>      > versions of the Microsoft Windows operating system.
>      >
>      > *Description:*
>      > A vulnerability has been identified in Microsoft Internet Explorer
>      > (default installation) on Windows XP Service Pack 2 which could be
>      > exploited by malicious users to obtain the victim's local files. This
>      > flaw is due to an error in the way Microsoft Internet Explorer handles
>      > different HTML tags, which could be exploited by a malicious remote
>      > user to obtain sensitive local files from the victim's computer.
>      >
>      > *Vulnerability Insight:*
>      > Microsoft Windows Explorer is not handling various HTML tags like "img",
>      > "script", "embed", "object", "param", "style", "bgsound", "body", "input"
>      > (other tags may also be vulnerable). By using the file protocol along
>      > with the above tags it is possible to access the victim's local files.
>      >
>      > */a)/* Embed Tag Local File Access:
>      > ---------------------------------------------------------------------
>      > <EMBED SRC="file:///C:/test.pdf" HEIGHT=600 WIDTH=1440></EMBED>
>      > ---------------------------------------------------------------------
>      >
>      > */b)/* Object & Param Tag Local File Access:
>      > ---------------------------------------------------------------------
>      > <object type="audio/x-mid" data=" file:///C:/test.mid" width="200"
>      > height="20">
>      >   <param name="src" value="file:///C:/test.mid">
>      >   <param name="autoStart" value="true">
>      >   <param name="autoStart" value="0">
>      > </object>
>      > ---------------------------------------------------------------------
>      >
>      > */c)/* Body Tag Local File Access:
>      > ---------------------------------------------------------------------
>      > <body background="file:///C:/test.gif"
>      >       onload="alert('loading body bgrd success')"
>      >       onerror="alert('loading body bgrd error')">
>      > ---------------------------------------------------------------------
>      >
>      > */d)/* Style Tag Local File Access:
>      > ---------------------------------------------------------------------
>      > <STYLE type="text/css">BODY{background:url(" file:///C:/test.gif")}
>      > </STYLE>
>      > ---------------------------------------------------------------------
>      >
>      > */e)/* Bgsound Tag Local File Access:
>      > ---------------------------------------------------------------------
>      > <bgsound src="file:///C:/test.mid" id="soundeffect" loop=1
>      >          autostart="true"/>
>      > ---------------------------------------------------------------------
>      >
>      > */f)/* Input Tag Local File Access:
>      > ---------------------------------------------------------------------
>      > <form>
>      >   <input type="image" src=" file:///C:/test.gif"
>      >          onload="alert('loading input success')"
>      >          onerror="alert('loading input error')">
>      > </form>
>      > ---------------------------------------------------------------------
>      >
>      > */g)/* Image Tag Local File Access:
>      > ---------------------------------------------------------------------
>      > <img src="file:///C:/test.jpg"
>      >      onload="alert('loading image success')"
>      >      onerror="alert('loading image error')">
>      > ---------------------------------------------------------------------
>      >
>      > */h)/* Script Tag Local File Access:
>      > ---------------------------------------------------------------------
>      > <script src="file:///C:/test.js"></script>
>      > ---------------------------------------------------------------------
>      >
>      >
>      > *Exploitation method:*
>      > - Create a web page or an HTML mail with the vulnerable code
>      > - When the victim opens the mail or visits the vulnerable site it is
>      >   possible to access his local files.
>      >
>      > *Demonstration:*
>      > Note: the demonstration will try to access a few default images and
>      > wave files
>      >
>      > - Visit the POC
>      > - If a vulnerable Internet Explorer is used it will show your local
>      >   sample images and give a proper alert.
>      >
>      > *Solution:*
>      > No solution
>      >
>      > *Screenshot:*
>      > http://www.xdisclose.com/images/xdiscloselocalie.jpg
>      >
>      > *Proof Of Concept:*
>      > http://www.xdisclose.com/poc/xdiscloselocalie.html
>      >
>      > *Impact:*
>      > A remote user can get access to the victim's local system files.
>      >
>      > Scope of impact is limited to system level.
>      >
>      > *Original Advisory:*
>      > http://www.xdisclose.com/XD100099.txt
>      >
>      > *Credits:*
>      > Rajesh Sethumadhavan has been credited with the discovery of this
>      > vulnerability
>      >
>      > *Disclaimer:*
>      > This entire document is strictly for educational, testing and
>      > demonstration purposes only. Modification, use and/or publishing of
>      > this information is entirely at your own risk. The exploit code is to
>      > be used in your testing environment only. I am not liable for any
>      > direct or indirect damages caused as a result of using the information
>      > or demonstrations provided in any part of this advisory.
>      >
>      >
>      >
>      > Thanks
>      > Regards
>      > Rajesh Sethumadhavan
>      >
>      >
>      >
>     ------------------------------------------------------------------------
>      >
>      > _______________________________________________
>      > darklab mailing list
>      > [email protected]
>      > http://lists.darklab.org/cgi-bin/mailman/listinfo/darklab
> 
> 
> 
> 
> -- 
> This message has been ROT-13 encrypted twice for higher security...
> 
> 

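The thread's argument turns on which HTML tags IE 6 will let a remote page point at file:/// resources, and on the onload/onerror existence probe Howard describes. From the defender's side, the useful thing is to be able to find such references in HTML mail or hosted pages before they reach a user's browser. The scanner below is an added example written for this editorial pass; it is not code from the advisory or from anyone on the thread. It walks the tag/attribute pairs the advisory lists (the `iframe`/`src` and `link`/`href` entries are my own additions), also checks `url()` inside `<style>` blocks and `style=` attributes, and trims whitespace and upper-case scheme names the way a browser would so that a padded or capitalised `file:` reference is not missed. The sample HTML is constructed here to mirror the advisory's fragments.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag -> attributes that make the browser fetch a resource. The first eight
# entries are the tags the advisory lists; iframe/src and link/href are
# assumptions added here for completeness.
RESOURCE_ATTRS = {
    "img": ("src",),
    "embed": ("src",),
    "object": ("data",),
    "param": ("value",),
    "body": ("background",),
    "bgsound": ("src",),
    "input": ("src",),
    "script": ("src",),
    "iframe": ("src",),
    "link": ("href",),
}

# Matches url(...) in CSS, quoted or not, tolerating whitespace inside the
# quotes as in the advisory's url(" file:///C:/test.gif").
CSS_URL_RE = re.compile(r"url\(\s*(['\"]?)\s*([^'\")]+?)\s*\1\s*\)", re.IGNORECASE)


def is_local_file_ref(value):
    """True if the value resolves to a file: URL once trimmed. Browsers trim
    leading/trailing whitespace before resolving and treat schemes
    case-insensitively, so ' FILE:///C:/x' counts as well."""
    if value is None:
        return False
    return urlsplit(value.strip()).scheme.lower() == "file"


class LocalFileRefScanner(HTMLParser):
    """Collects (tag, attribute, url) triples for every file: reference."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_style = False
        self._style_buf = []

    def handle_starttag(self, tag, attrs):
        attr_map = {name.lower(): val for name, val in attrs}
        for attr in RESOURCE_ATTRS.get(tag, ()):
            if is_local_file_ref(attr_map.get(attr)):
                self.findings.append((tag, attr, attr_map[attr].strip()))
        # An inline style="..." can carry url() just like a <style> block.
        if attr_map.get("style"):
            self._scan_css(tag, attr_map["style"])
        if tag == "style":
            self._in_style = True

    def handle_endtag(self, tag):
        if tag == "style" and self._in_style:
            self._in_style = False
            self._scan_css("style", "".join(self._style_buf))
            self._style_buf = []

    def handle_data(self, data):
        # HTMLParser hands <style> content over as raw data, so buffer it.
        if self._in_style:
            self._style_buf.append(data)

    def _scan_css(self, tag, css):
        for match in CSS_URL_RE.finditer(css):
            if is_local_file_ref(match.group(2)):
                self.findings.append((tag, "css-url", match.group(2).strip()))


def scan_html(html):
    """Return the list of file: references found in an HTML document."""
    scanner = LocalFileRefScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample mirroring the advisory's fragments, with one benign
# https reference mixed in to show that it is not flagged.
SAMPLE_HTML = """<html><head>
<STYLE type="text/css">BODY{background:url(" file:///C:/test.gif")}</STYLE>
</head>
<body background="file:///C:/test.gif">
<img src="https://example.com/logo.png">
<img src="file:///C:/test.jpg" onerror="alert('loading image error')">
<object type="audio/x-mid" data=" file:///C:/test.mid" width="200">
  <param name="src" value="file:///C:/test.mid">
</object>
<bgsound src="FILE:///C:/test.mid" loop=1>
<script src="file:///C:/test.js"></script>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url in scan_html(SAMPLE_HTML):
        print(f"local file reference: <{tag} {attr}> -> {url}")
```

Run over mail bodies at the gateway or over fetched pages at a proxy, any finding is worth an alert: a page served over http(s) has no legitimate reason to reference file: URLs. Current browsers refuse to load file: resources from an http(s) origin, so a hit indicates content aimed at an old or misconfigured client rather than a confirmed disclosure, which is the same-origin point Jordan makes above.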