home *** CD-ROM | disk | FTP | other *** search
- Affected Software : Microsoft Internet Explorer
- Vulnerability : Local File Detection
-
- Tested On : MS IE 6.0 SP1, Win2K SP4, [up-to-date]
- according to windowsupdate.com
-
- Discovered by : Gregory R. Panakkal
-
-
- Overview
- ========
- This security vulnerability in Internet Explorer
- allows remote attackers to discover what software is
- installed on the remote computer, by testing for the
- existence of certain files.
-
- The "sysimage://" protocol is used to display the
- appropriate icon corresponding to a file path when
- viewed from MSIE. The default behaviour is such, that
- if a existing file-path is given as input, it displays
- the approritate icon [as described above], but if the
- file-path supplied doesn't exists, it loads the icon
- of a folder instead [ie, it gives out no error].
-
- But as always, there is a way to bypass it.. and let
- us differentiate between a valid path and an invalid
- one, and thus using the onLoad and onError event
- handlers, the 'local file detection' is a piece of
- cake.
-
- There isn't much of a documentation on the net
- regarding the "sysimage://", atleast google didn't
- show up anything useful :(
-
-
-
- Proof Of Concept
- ================
-
- <img src="sysimage://C:\WINNT\Notepad.exe,666"
- onLoad="document.write('<b>Cannot Find File!</b>');"
- onError="document.write('<b>File Exists!</b>');">
-
-
- Demo
- ====
-
- A demonstration is available at the following URL.
-
- http://crapware.lx.ro/junkcode/security/ie-sp1-sysimage-local-file-existence.htm
-
-
- Greetz to
- =========
- Liu Die Yu, Rakesh Balasunder
-
-
- rgds,
- Gregory R. Panakkal
- (aka JunkCode / Viper)
-
