Microsoft Internet Explorer local file reading and detection vulnerability - Vulnerability Warning - Black Bar Safety Net

2010-08-05T00:00:00
ID MYHACK58:62201027798
Type myhack58
Reporter Anonymous (佚名)
Modified 2010-08-05T00:00:00

Description

Microsoft IE has problems in its handling of local file access. Combined with a Windows feature (the default administrative share, reachable over a UNC path), these allow a remote page to read certain local files, and may have other uses as well.

A browser inevitably has to deal with cross-domain resource access, so a number of tags are inherently allowed to load cross-domain resources: iframe, script, style (and link), and so on. Each of these tags in turn parses the loaded resource as a particular format: script expects a file with JavaScript syntax, style expects a file with CSS syntax. If a file with such syntax exists locally and contains sensitive data, and the tag is allowed to read it cross-domain, that data ends up in the remote page.

IE refuses direct access to a local file from a remote page and throws an error. That error on its own can be used to tell whether a local file exists (see the detection section below), but a Windows feature bypasses the restriction entirely: the administrative share c$ is enabled by default, so a local file can be addressed as a UNC path through the loopback address and no longer looks like a local file to IE. Tested and working on Windows 7 with IE8:

<script src="\\127.0.0.1\c$\something.js"></script>

Proof of concept: early versions of Surf stored the security_id in a file at a fixed location. Referencing that file from a script tag, while also injecting some JavaScript of your own into the page context, lets you read the security_id and then remotely carry out various operations with it.

Detecting the vulnerability:

IE has problems in its handling of local file requests that can be used to detect whether a local file exists. Detailed description: this is not the res:// protocol trick; it uses the file:// protocol.

Proof of concept:

<script>
window.onerror = function () { alert('file exists'); return true; };
</script>
<script src="file://c:/windows/system32/cmd.exe"></script>

The check relies on window.onerror firing when an existing local file is fetched and fails to parse as script, while a request for a file that does not exist raises no error, so the alert only appears for files that are present. One candidate path is probed per page.