Josh,

You asked: "What about the problem with IE still? They haven't attempted to correct the issue or make ANY public announcements. I know they have enough holes but still."

Remember in my post yesterday when I said I contacted MS about the situation? Well, here is the complete correspondence. As background, I shot this off to MS after I reported the shell vulnerability to Mozilla: http://bugzilla.mozilla.org/show_bug.cgi?id=250180

In addition to saying that local files could still be accessed through the Internet zone despite what SP1 for IE6 says (http://support.microsoft.com/default.aspx?scid=kb;en-us;326489), I also show that the Outlook: protocol is also accessible from the Internet zone. This means any email, contact, mailbox, appointment, etc. can be opened through Outlook:inbox/~someemailsubject in an href or iframe. I haven't played around with the exploitability of "Outlook:" yet, but certainly plan on doing so.

Anyway, back to the story. I sent approximately the same info to Mozilla and MS. Mozilla used the information to improve their browser (even though they hosed Josh and me on any credit for the discovery). But MS had this to say about it.

<Begin Quote>

Hello Keith,

Thank you for your note. While a remote server can get local data to display in the client browser window by using these protocol handlers, it is not able to read the data itself.

Thanks,
XXXXXXXXXX (removed for privacy)

-----Original Message-----
From: Keith [mailto:[EMAIL PROTECTED]
Sent: Wednesday 07 July 2004 7:04
To: Microsoft Security Response Center
Subject: Access to local files with IE 6 SP1

While IE 6 SP1 claims to stop all access to local files from web pages in the Internet zone, this can still be accomplished. By adding a link to a page with "href=shell:windows\\somefileonuserssystem", the web page can access the local page. This seems to work with all of the shell shortcuts (i.e. cache, cookies, etc.). More disturbing is the fact that local .htm files can be accessed this way and used as the source of an iframe. This could easily be evolved into an exploit that uses the local file's zone to launch ActiveX components.

Also disturbing is that the Outlook: prefix also seems to be vulnerable. This means that a link to Outlook:inbox could open the inbox on the user's machine if they had Outlook on the machine. Contacts, calendar, and all other Outlook folders are susceptible to this. If the name of a particular email subject or contact is known, it can be accessed using Outlook:inbox/~emailsubject. These files and folders should not be accessible from the Internet zone according to all I have read from MS.

Please let me know if this is considered a bug and if it will be fixed.

Thanks,
Keith McCanless

<End Quote>

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Perrymon, Josh L.
Sent: Friday, July 09, 2004 10:51 AM
To: 'Gary Flynn'; [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] Mozilla Security Advisory 2004-07-08

That's what I have been trying the entire time. But for some reason you can't pass parameters to the file correctly. Ex: the behavior of Code Red passing commands to cmd.exe. But it doesn't seem to like that. However, the exploit released on FD mentioned visiting a shared folder. What I was thinking was that this exploit would have to be multi-layered and have the ability to pass params to the exe. So far I don't see that happening.

My question: What about the problem with IE still? They haven't attempted to correct the issue or make ANY public announcements. I know they have enough holes but still.

I think this problem showcases the great response by the Mozilla team to correct issues and hopefully will help with the move AWAY from IE and M$.

JP

-----Original Message-----
From: Gary Flynn [mailto:[EMAIL PROTECTED]
Sent: Friday, July 09, 2004 8:28 AM
To: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Mozilla Security Advisory 2004-07-08

Berend-Jan Wever wrote:

> The advisory mentions that combining this with a BoF can result in remote code execution, but they totally forget to mention that format string exploits, integer overflows, XSS, SQL injection, etc... might cause the same problems too. I bet they just read FD and didn't think for themselves.
>
> As far as I can see, this bug allows an attacker to remotely abuse any vulnerability a local program might be subject to, thus making any local exploit a possible remote exploit.

It would seem that one would have to be able to pass parameters to the file being called for these types of attacks to be possible.

--
Gary Flynn
Security Engineer
James Madison University

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
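The thread above describes web content in the Internet zone reaching local resources through the shell: and Outlook: protocol handlers via href and iframe src attributes. As an added example (not code from the thread or from any of its authors), the following JavaScript triage helper scans an HTML fragment for href/src values whose URI scheme is one of those two handlers. The scheme list is taken from the thread; the sample page, the file name and the mail subject in it are constructed placeholders, and the regex-based attribute extraction is an assumption of a simple triage tool, not a full HTML parser. Scheme matching strips leading whitespace and ignores case, since a filter that only checks for a lowercase "shell:" prefix misses " SHELL:" or "Shell:".

```javascript
// Added example, not from the original thread. Flags href= / src=
// values whose URI scheme is a local protocol handler discussed above.
const LOCAL_HANDLER_SCHEMES = new Set(["shell", "outlook"]);

// Return the lower-cased scheme of a URI reference, or null when the
// reference has no scheme (a relative URL). Scheme grammar per RFC 3986:
// ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":".
// Leading whitespace is stripped first because browsers do the same
// before dispatching to a handler.
function uriScheme(ref) {
  const m = /^\s*([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(ref);
  return m ? m[1].toLowerCase() : null;
}

// Extract every href= and src= attribute value (double-quoted,
// single-quoted or bare) from an HTML fragment and return the ones
// whose scheme is in LOCAL_HANDLER_SCHEMES. Regex extraction is
// adequate for triage of page source, not a substitute for a parser.
function findLocalHandlerLinks(html) {
  const attr = /\b(href|src)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const hits = [];
  let m;
  while ((m = attr.exec(html)) !== null) {
    const value = m[2] ?? m[3] ?? m[4];
    const scheme = uriScheme(value);
    if (scheme !== null && LOCAL_HANDLER_SCHEMES.has(scheme)) {
      hits.push({ attribute: m[1].toLowerCase(), value, scheme });
    }
  }
  return hits;
}

// Constructed sample page modelled on the two link shapes named in the
// thread (shell:windows\... and Outlook:inbox/~subject). The file name
// and subject are placeholders, not real paths from the discussion.
const SAMPLE_HTML = `
<a href="http://example.invalid/">ordinary link</a>
<a href="shell:windows\\somefile.htm">shell link</a>
<iframe src=' SHELL:cache'></iframe>
<a href="Outlook:inbox/~somesubject">mail link</a>
<img src="/images/logo.png">
`;

// Stand-alone usage: node thisfile.js prints the three flagged links.
if (typeof require !== "undefined" && require.main === module) {
  console.log(findLocalHandlerLinks(SAMPLE_HTML));
}
```

Run against SAMPLE_HTML the helper reports three hits: the shell: anchor, the iframe whose src carries leading whitespace and an upper-case scheme, and the Outlook: anchor; the http: and relative references pass. A real filter would be applied to content before it reaches a zone that resolves these handlers, and would be extended with whatever other local handlers the platform registers.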