IE6 Vulnerability - Local File Detection

2004-12-08T00:00:00
ID SECURITYVULNS:DOC:7301
Type securityvulns
Reporter Securityvulns
Modified 2004-12-08T00:00:00

Description

Affected Software : Microsoft Internet Explorer Vulnerability : Local File Detection

Tested On : MS IE 6.0 SP1, Win2K SP4, [up-to-date] according to windowsupdate.com

Discovered by : Gregory R. Panakkal

Overview

This security vulnerability in Internet Explorer allows remote attackers to discover what software is installed on the remote computer, by testing for the existence of certain files.

The "sysimage://" protocol is used to display the appropriate icon corresponding to a file path when viewed from MSIE. The default behaviour is such, that if a existing file-path is given as input, it displays the approritate icon [as described above], but if the file-path supplied doesn't exists, it loads the icon of a folder instead [ie, it gives out no error].

But as always, there is a way to bypass it.. and let us differentiate between a valid path and an invalid one, and thus using the onLoad and onError event handlers, the 'local file detection' is a piece of cake.

There isn't much of a documentation on the net regarding the "sysimage://", atleast google didn't show up anything useful :(

Proof Of Concept

<img src="sysimage://C:\WINNT\Notepad.exe,666" onLoad="document.write('<b>Cannot Find File!</b>');" onError="document.write('<b>File Exists!</b>');">

Demo

A demonstration is available at the following URL.

http://crapware.lx.ro/junkcode/security/ie-sp1-sysimage-local-file-existence.htm

Greetz to

Liu Die Yu, Rakesh Balasunder

rgds, Gregory R. Panakkal (aka JunkCode / Viper)


Yahoo! India Matrimony: Find your life partner online Go to: http://yahoo.shaadi.com/india-matrimony