ie6-file-detection.txt

2004-12-09T00:00:00
ID PACKETSTORM:35128
Type packetstorm
Reporter Gregory R. Panakkal
Modified 2004-12-09T00:00:00

Description

                                        
                                            `Affected Software : Microsoft Internet Explorer  
Vulnerability : Local File Detection  
  
Tested On : MS IE 6.0 SP1, Win2K SP4, [up-to-date]  
according to windowsupdate.com  
  
Discovered by : Gregory R. Panakkal  
  
  
Overview  
========  
This security vulnerability in Internet Explorer  
allows remote attackers to discover what software is  
installed on the remote computer, by testing for the  
existence of certain files.   
  
The "sysimage://" protocol is used to display the  
appropriate icon corresponding to a file path when  
viewed from MSIE. The default behaviour is such, that  
if a existing file-path is given as input, it displays  
the approritate icon [as described above], but if the  
file-path supplied doesn't exists, it loads the icon  
of a folder instead [ie, it gives out no error].  
  
But as always, there is a way to bypass it.. and let  
us differentiate between a valid path and an invalid  
one, and thus using the onLoad and onError event  
handlers, the 'local file detection' is a piece of  
cake.  
  
There isn't much of a documentation on the net  
regarding the "sysimage://", atleast google didn't  
show up anything useful :(  
  
  
  
Proof Of Concept  
================  
  
<img src="sysimage://C:\WINNT\Notepad.exe,666"  
onLoad="document.write('<b>Cannot Find File!</b>');"  
onError="document.write('<b>File Exists!</b>');">  
  
  
Demo  
====  
  
A demonstration is available at the following URL.  
  
http://crapware.lx.ro/junkcode/security/ie-sp1-sysimage-local-file-existence.htm  
  
  
Greetz to  
=========  
Liu Die Yu, Rakesh Balasunder  
  
  
rgds,  
Gregory R. Panakkal   
(aka JunkCode / Viper)  
`