Core Security Technologies Advisory 2009.0625

`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
Core Security Technologies - CoreLabs Advisory  
http://www.coresecurity.com/corelabs/  
  
  
Internet Explorer Dynamic OBJECT tag and URLMON sniffing vulnerabilities  
  
  
1. *Advisory Information*  
  
Title: Internet Explorer Dynamic OBJECT tag and URLMON sniffing  
vulnerabilities  
  
Advisory Id: CORE-2009-0625  
Advisory URL:  
http://www.coresecurity.com/content/internet-explorer-dynamic-object-tag  
Date published: 2010-02-03  
Date of last update: 2010-02-03  
Vendors contacted: Microsoft  
Release mode: User release  
  
2. *Vulnerability Information*  
  
Class: [CWE-497], [CWE-501], [CWE-612]  
Impact: Security bypass  
Remotely Exploitable: Yes  
Locally Exploitable: No  
Bugtraq ID: 38055, 38056  
CVE Name: N/A, CVE-2010-0255  
  
3. *Vulnerability Description*  
  
This advisory describes two vulnerabilities that provide access to any  
file stored in on a user's desktop system if it is running a vulnerable  
version of Internet Explorer. These vulnerabilities can be used in  
attacks combined with a number of insecure features of Internet Explorer  
to provide remote access to locally stored files without the need for  
any further action from the victim after visting a website controlled by  
the attacker. The vulnerabilities are simple variations of bugs  
disclosed previously in CoreLabs Security Advisories CORE-2008-0103 [1]  
and CORE-2008-0826 [2]. Exploitation of these vulnerabilities requires  
enticing users to click on URLs otherwise visit a malicious website  
controlled by the attacker but no further user interaction is needed. As  
a result an attacker would gain the ability to read any file stored on  
the user's desktop system but will not be able to fully compromise it to  
execute arbitrary code without restrictions.  
  
4. *Vulnerable packages*  
  
. Internet Explorer 5.01 SP4 on Windows 2000 sp4  
. Internet Explorer 6sp1 on Windows 2000 sp4  
. Internet Explorer 6sp2 on Windows XP sp2  
. Internet Explorer 6sp2 on Windows XP sp3  
. Internet Explorer 7 on Windows XP sp2  
. Internet Explorer 7 on Windows XP sp3  
. Internet Explorer 7 on Windows Vista sp1  
. Internet Explorer 7 on Windows Vista sp2  
. Internet Explorer 7 on Windows Server 2003 sp2 if  
Protected Mode is OFF and not using Enhanced Security Configuration  
. Internet Explorer 7 on Windows Server 2008 i  
if Protected Mode is OFF and  
not using Enhanced Security Configuration  
. Internet Explorer 8 on Windows XP sp2  
. Internet Explorer 8 on Windows XP sp3  
. Internet Explorer 8 on Windows Vista sp1  
if Protected Mode if OFF  
. Internet Explorer 8 on Windows Vista sp2  
if Protected Mode is OFF  
. Internet Explorer 8 on Windows 7 if Protected Mode if OFF  
. Internet Explorer 8 on Windows Server 2003 sp2  
if Protected Mode if OFF and  
not using Enhanced Security Configuration  
. Internet Explorer 8 on Windows Server 2008 R2  
if Protected Mode is OFF and  
not using Enhanced Security Configuration  
  
5. *Non-vulnerable packages*  
  
. Internet Explorer 7 on Windows Vista/Windows Server 2003/Windows 7  
if Protected Mode is ON  
. Internet Explorer 8 on Windows Vista/Windows Server 2003  
if Protected Mode is ON  
. Internet Explorer 8 on Windows Server 2003  
if Protected Mode is ON  
. Internet Explorer 8 on Windows 7/Windows Server 2008 R2  
if Protected Mode is ON  
  
6. *Vendor Information, Solutions and Workarounds*  
  
The vendor has guidance on how to address these vulnerabilities in  
Microsoft Security Advisory (980088):  
http://www.microsoft.com/technet/security/advisory/980088.mspx  
  
To prevent exploitation of these vulnerabilities the following  
mitigations are possible:  
  
. Run Internet Explorer with Protected Mode [3] turned ON if it is  
supported by the operating system. This is default setting for the  
Internet security zone on Windows Vista, Windows 7 and Windows Server  
2008. Note that there may be specific scenarios where protected mode may  
need to be turned off [4]  
. Use Internet Explorer's Network Protocol Lockdown feature control  
to restrict the 'file:' protocol to prevent HTML content from UNC paths  
from running scripting or ActiveX controls. Note that Network Protocol  
Lockdown may affect the functionality of Web applications that rely on  
relaxed security configurations of IE.  
. Set the Security Level setting to High for the Internet and Local  
Intranet security zones to prevent IE from running scripts or ActiveX  
controls.  
. Disable Active Scripting for the Internet and Local Intranet zones  
manually with a custom security setting.  
. Use a different web browser to navigate untrusted web sites.  
  
Additionally, disabling file sharing if it is not necessary and  
filtering outbound SMB connections at the endpoint or network perimeter  
are good security measures to prevent disclosure of sensitive  
information such as valid user, system and domain names that could be  
used to perform attacks that abuse the vulnerabilities described in this  
advisory.  
  
7. *Credits*  
  
These vulnerabilities were discovered and researched by Jorge Luis  
Alvarez Medina and Federico Muttis from Core Security Technologies.  
  
8. *Technical Description / Proof of Concept Code*  
  
The bugs in this advisory as well as a number of specific methods to  
combine them with insecure Internet Explorer features are discussed in  
the paper "Abusing Insecure Features of Internet Explorer"[5].  
Exploitation of these vulnerabilities as well as others disclosed  
previously was explained in a presentation at the BlackHat DC 2010  
technical security conference [6]  
  
8.1. *URLMON sniffing vulnerability*  
  
In CoreLabs Security Advisory CORE-2008-0826 [2] a vulnerability that  
allowed attackers to gain access to any file on the local filesystem of  
a computer running vulnerable versions of Internet Explorer was  
disclosed. During the vulnerability reporting process Core provided  
Proof-of-Concept code to the vendor that successfully exploited the bug  
on Internet Explorer 8 which at the time was deemed not vulnerable by  
Microsoft because the bug had been patched prior to RTM. Upon further  
investigation, the vendor determined that the proof-of-concept provided  
by Core was actually exploiting a different bug than the one originally  
reported and therefore it should be considered a separate security  
issue. The URLMON sniffing vulnerability refers to the variant  
discovered in the CORE-2008-0826 time line. When loading a local file  
Internet Explorer's HTML rendering engine [7] will only check its MIME  
type to see if it is a positive match on the files it can handle. For  
unknown types that are treated as HTML because they've been referred to  
by a redirection, content type determination will default to 'text/html'  
in absence of a type explicitly set by the content source. In the case  
of non-html files for which there isn't an explicit content-type set,  
URLMON will default to the 'text/html' type as suggested from the  
redirection. As a result Internet Explorer will end up loading non-html  
local files and rendering them as HTML and running any scripting code  
included in the file in the context of the Security Zone assigned to the  
content's source.  
  
8.2. *Dynamic OBJECT tag vulnerability*  
  
Microsoft's June 2009 Cumulative Security Update for Internet Explorer  
[8] included a patch to fix the bug reported in CORE-2008-0826. The fix  
was implemented as a modification to the MIME-type detection method when  
loading content specified in an 'OBJECT' tag. Thus, the contents of the  
index.dat file will not be rendered and shown to an Internet Explorer  
user if it is directly referenced from a webpage with the following HTML  
code:  
  
/-----  
<object data="file://127.0.0.1/C$/.../index.dat"  
type="text/html"  
width="100%" height="50"  
</object>  
  
- -----/  
However the contents of the same file will be loaded and rendered if  
the following HTML code is used:  
  
/-----  
<script language="Javascript">  
var obj = document.createElement("object");  
obj.data = "file://127.0.0.1/C$/.../index.dat";  
obj.type = "text/html";  
obj.id = "obj_results";  
obj.width = "500px";  
obj.height = "300px";  
document.body.appendChild(obj);  
</script>  
  
- -----/  
  
9. *Report Timeline*  
  
. 2009-04-17:  
Core Security Technologies sends proof-of-concept code for the URLMON  
sniffing vulnerability in IE8 to Microsoft. The code is deemed as an  
exploit variant for Internet Explorer bug that has already been patched  
in IE 8 but its part of an ongoing report for other IE versions.  
  
. 2009-06-01:  
Microsoft says that the PoC corresponds to a separate bug than the one  
reported in CORE-2008-0826. On a conference call Core Security  
Technologies indicates that it considers the bug just a variant of the  
previously reported one. Microsoft replies that although both cases  
appear to expose the same functionality the actions are actually  
controlled by different code and that the differences are significant  
enough to consider this a separate issue. Microsoft will further  
investigate and address it in a separate case.  
  
. 2009-06-10:  
Cumulative Security Update for Internet Explorer (MS09-019) is published  
  
. 2009-08-12:  
Core Security Technologies notified Microsoft of the dynamic OBJECT tag  
vulnerability. Draft advisory sent with publication date scheduled for  
September 8, 2009.  
  
. 2009-08-12:  
Microsoft's MSRC acknowledged the bug report and opened a new case.  
  
. 2009-08-31:  
Core asks for an update and reminds MSRC that September 8 2009 is the  
planned public disclosure date.  
  
. 2009-08-31:  
Microsoft replies agreeing that the reported bug is a variant of one  
previously reported by Core that was fixed in June 2009. Microsof  
indicates that all the solutions attempted so far did not prove  
effective and that it currently does not have an update to track towards  
a fix time. Asks if Core is still on track to disclose it in September  
2009.  
  
. 2009-09-03:  
Core tells Microsoft that it moved the publication date to October 13  
2009 and asks for the complete list of vulnerable platforms. Given that  
no security fixes for Internet Explorer are planned for September and  
that the reported bugs are simple variants of others that have been  
fixed before Core feels confident that the new release date should be  
appropriate to solve these issues.  
  
. 2009-09-04:  
Microsoft thanks Core for postponing publication and says that it is  
still discussing the fix plan and release date with the IE team and that  
it will get back to Core in a week with the list of vulnerable platforms  
and estimated patch release date.  
  
. 2009-10-09:  
Received a summary from Microsoft with an update on all open cases with  
Core. Internet Explorer cases appear listed as "working with product  
team to determine fix and release date. Earliest potential ship date for  
a fix is February 2010".  
  
. 2009-10-23:  
Core sends email to MSRC indicating that publication of the advisory has  
been re-scheduled to November 10 2009 and it is open to delaying it  
further up to the second Tuesday of December 2009 if MSRC is willing to  
provide: a)detailed technical explanations of the bugs, b)the full list  
of vulnerable platforms and c)a firm commitment to a release date for  
the fixes. Core also says that if Microsoft can not target the next IE  
patch release cycle, Core would rather publish the advisory to let other  
parties address the risk with alternative fixes or mitigations. The  
advisory will include the dynamic object tag bug as well as the URLMON  
sniffing vulnerability from the previous vulnerability report that is  
pending a fix.  
  
. 2009-11-02:  
Update from MSRC saying that it is collecting information and will send  
a response by Friday Nov. 6.  
  
. 2009-11-06:  
Core requests a status update  
  
. 2009-11-06:  
MSRC indicates that it will provide an update on Monday Nov. 9  
  
. 2009-11-09:  
MSRC sends a status update with detailed descriptions about both bugs,  
the list of vulnerable platforms and says that it is still working on a  
tentative fix plan for one of the vulnerabilities. In the case of the  
other bug, Microsoft is targeting February 2009 to release the fix given  
that releasing updates in November and December may impact customers due  
to the typical high e-commerce in those months.  
  
. 2009-12-12:  
Core sends email to MSRC saying that advisory publication was now  
re-scheduled to February 9th, 2010 and asks if Microsoft is on track to  
release the fixes according to what was stated in previous  
communications. Core notes that Jorge Luis Alvarez Medina has just  
received confirmation from the BlackHat Technical Security conference  
that his submission for a talk discussing these bugs was accepted. His  
presentation is scheduled for the first week of February and the  
advisory publication was re-scheduled to a week after on February 9th  
assuming that Microsoft will issue patches on the same date.  
  
. 2010-01-06:  
Received a summary from Microsoft with an update on all open cases with  
Core.  
  
. 2010-01-06:  
Core reminds MSRC that the advisory disclosing two IE bugs pending  
resolution will be published on Feb. 9 2010 as noted in an email on  
December 12 2009.  
  
. 2010-01-22:  
Microsoft releases a Cumulative Security Update for Internet Explorer  
ahead of the regular patch release cycle. The update fixes several bugs  
but does not include fixes for the two IE cases tracked in this  
advisory. Core asks MSRC if Microsoft is planning to release another  
security update for IE during February and indicates that if no further  
updates are planned Core will publish this advisory simultaneously with  
the discoverer's presentation at the BlackHat security conference.  
  
. 2010-01-22:  
Email from MSRC requesting a conference call to talk about the  
presentation at the BlackHat DC conference in February  
  
. 2010-01-25:  
On a conference call with Core's Security Advisories team, MSRC  
indicates that fixes for the bugs will be released at some date in the  
future. Core reminds MSRC that the corresponding security advisory will  
be published on Feb. 3 on the same date that Jorge Luis Alvarez Medina  
will disclose details about the bugs and attack vectors at the BlackHat  
conference. MSRC requests a preview of the presentation slides. Core  
requests a preview of Microsoft's communications guidelines regarding  
Core's upcoming advisory and presentation.  
  
. 2010-02-02:  
BlackHat presentation slides sent to MSRC  
  
. 2010-02-02:  
Final draft of the advisory sent to Microsoft. Vulnerability identifiers  
requested from Mitre and SecurityFocus.com  
  
. 2010-02-03:  
CoreLabs Security Advisory CORE-2009-0625 published  
  
  
  
10. *References*  
  
[1] CoreLabs Security Advisory CORE-2008-0103 Internet Explorer Zone  
Elevation restrictions bypass and Security Zone restrictions bypass.  
http://www.coresecurity.com/content/internet-explorer-zone-elevation  
  
[2] CoreLabs Security Advisory CORE-2008-0826 Internet Explorer Security  
Zone restrictions bypass.  
http://www.coresecurity.com/content/ie-security-zone-bypass  
  
[3] Understanding and Workiing in Protected Mode Internet Explorer.  
http://msdn.microsoft.com/en-us/library/bb250462(VS.85).aspx  
  
[4] Protected Mode for IE7 in Windows Vista - Is it On or Off?  
http://blogs.msdn.com/ie/archive/2007/04/04/protected-mode-for-ie7-in-windows-vista-is-it-on-or-off.aspx  
  
[5] Jorge Luis Alvarez Medina, Abusing Insecure Feature of Internet  
Explorer, Feb. 2010  
http://corelabs.coresecurity.com/index.php?module=wiki%38action=attachment%38type=publication%38page=Abusing_insecure_features_of_Internet_Explorer-article.pdf  
  
[6] Jorge Luis Alvarez Medina, Internet Explorer turns your personal  
computer into a public File Server, BlackHat Technical Security  
conference, Feb. 2010, Washington D.C., USA.  
http://corelabs.coresecurity.com/index.php?module=wiki%38action=attachment%38type=publication%38page=Abusing_insecure_features_of_Internet_Explorer-BHDC2010-Slides.pdf  
  
[7] Wikipedia, Trident (layout engine).  
http://en.wikipedia.org/wiki/Trident_(layout_engine)  
  
[8] Microsoft Security Bulletin MS09-019, Cumulative Security Update for  
Internet Explorer, June 10 2009.  
http://www.microsoft.com/technet/security/Bulletin/MS09-019.mspx  
  
  
11. *About CoreLabs*  
  
CoreLabs, the research center of Core Security Technologies, is charged  
with anticipating the future needs and requirements for information  
security technologies. We conduct our research in several important  
areas of computer security including system vulnerabilities, cyber  
attack planning and simulation, source code auditing, and cryptography.  
Our results include problem formalization, identification of  
vulnerabilities, novel solutions and prototypes for new technologies.  
CoreLabs regularly publishes security advisories, technical papers,  
project information and shared software tools for public use at:  
http://www.coresecurity.com/corelabs.  
  
  
12. *About Core Security Technologies*  
  
Core Security Technologies develops strategic solutions that help  
security-conscious organizations worldwide develop and maintain a  
proactive process for securing their networks. The company's flagship  
product, CORE IMPACT, is the most comprehensive product for performing  
enterprise security assurance testing. CORE IMPACT evaluates network,  
endpoint and end-user vulnerabilities and identifies what resources are  
exposed. It enables organizations to determine if current security  
investments are detecting and preventing attacks. Core Security  
Technologies augments its leading technology solution with world-class  
security consulting services, including penetration testing and software  
security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core  
Security Technologies can be reached at 617-399-6980 or on the Web at  
http://www.coresecurity.com.  
  
13. *Disclaimer*  
  
The contents of this advisory are copyright (c) 2009 Core Security  
Technologies and (c) 2009 CoreLabs, and may be distributed freely  
provided that no fee is charged for this distribution and proper credit  
is given.  
  
14. *PGP/GPG Keys*  
  
This advisory has been signed with the GPG key of Core Security  
Technologies advisories team, which is available for download at  
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.4.9 (MingW32)  
  
iEYEARECAAYFAktp5bUACgkQyNibggitWa3degCeJSaUBVntxPm2NbmNXyye1Ypw  
yAQAoJj6ZRUpwIDQCKmPaS8wQ9l1clua  
=SKgB  
-----END PGP SIGNATURE-----  
`