Chip 2007 January, February, March & April

home *** CD-ROM | disk | FTP | other *** search

/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / application / webbrowser / IE / ie6-file-detection.txt < prev next >

Wrap

Text File | 2005-02-12 | 2KB | 61 lines

Affected Software : Microsoft Internet Explorer Vulnerability : Local File Detection Tested On : MS IE 6.0 SP1, Win2K SP4, [up-to-date] according to windowsupdate.com Discovered by : Gregory R. Panakkal Overview ======== This security vulnerability in Internet Explorer allows remote attackers to discover what software is installed on the remote computer, by testing for the existence of certain files. The "sysimage://" protocol is used to display the appropriate icon corresponding to a file path when viewed from MSIE. The default behaviour is such, that if a existing file-path is given as input, it displays the approritate icon [as described above], but if the file-path supplied doesn't exists, it loads the icon of a folder instead [ie, it gives out no error]. But as always, there is a way to bypass it.. and let us differentiate between a valid path and an invalid one, and thus using the onLoad and onError event handlers, the 'local file detection' is a piece of cake. There isn't much of a documentation on the net regarding the "sysimage://", atleast google didn't show up anything useful :( Proof Of Concept ================ <img src="sysimage://C:\WINNT\Notepad.exe,666" onLoad="document.write('<b>Cannot Find File!</b>');" onError="document.write('<b>File Exists!</b>');"> Demo ==== A demonstration is available at the following URL. http://crapware.lx.ro/junkcode/security/ie-sp1-sysimage-local-file-existence.htm Greetz to ========= Liu Die Yu, Rakesh Balasunder rgds, Gregory R. Panakkal (aka JunkCode / Viper)