Type packetstorm
Reporter Gregory R. Panakkal
Modified 2004-12-09T00:00:00


                                            `Affected Software : Microsoft Internet Explorer  
Vulnerability : Local File Detection  
Tested On : MS IE 6.0 SP1, Win2K SP4, [up-to-date]  
according to  
Discovered by : Gregory R. Panakkal  
This security vulnerability in Internet Explorer  
allows remote attackers to discover what software is  
installed on the remote computer, by testing for the  
existence of certain files.   
The "sysimage://" protocol is used to display the  
appropriate icon corresponding to a file path when  
viewed from MSIE. The default behaviour is such, that  
if a existing file-path is given as input, it displays  
the approritate icon [as described above], but if the  
file-path supplied doesn't exists, it loads the icon  
of a folder instead [ie, it gives out no error].  
But as always, there is a way to bypass it.. and let  
us differentiate between a valid path and an invalid  
one, and thus using the onLoad and onError event  
handlers, the 'local file detection' is a piece of  
There isn't much of a documentation on the net  
regarding the "sysimage://", atleast google didn't  
show up anything useful :(  
Proof Of Concept  
<img src="sysimage://C:\WINNT\Notepad.exe,666"  
onLoad="document.write('<b>Cannot Find File!</b>');"  
onError="document.write('<b>File Exists!</b>');">  
A demonstration is available at the following URL.  
Greetz to  
Liu Die Yu, Rakesh Balasunder  
Gregory R. Panakkal   
(aka JunkCode / Viper)