Microsoft Internet Explorer 5.5 Index.dat Vulnerability
BID:1978
Info
| Field | Value |
| --- | --- |
| Bugtraq ID: | 1978 |
| Class: | Origin Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Nov 23 2000 12:00AM |
| Updated: | Nov 23 2000 12:00AM |
| Credit: | Posted to Bugtraq on November 23, 2000 by Georgi Guninski <[email protected]>. |
| Vulnerable: | Microsoft Internet Explorer 5.5 |
| Not Vulnerable: | |
Discussion
IE 5.5 (and possibly other versions) stores recently visited URLs and cache folder names in a local file called index.dat. This file is kept in the following known locations:
Windows 9x:
C:/WINDOWS/Temporary Internet Files/Content.IE5/
Windows 2000:
C:/Documents and Settings/USERNAME/Local Settings/Temporary Internet Files/Content.IE5/
IE's security mechanism treats this file as local content, yet arbitrary script can be written into it simply by including scripting commands in a URL. So although the script may not execute when the URL itself is visited, the same text is trusted once it sits in the local index.dat file. To execute the script in that file, the file must be parsed by IE. Microsoft has released a security bulletin about parsing non-HTML files (see Microsoft Security Bulletin MS00-055 in the credit section); however, it is still possible to force IE to render non-HTML files via an object tag that defines the TYPE as text/html and names the file in the DATA field.
Therefore, remote code can be injected into a trusted file and successfully executed. This vulnerability can be used for many purposes, including determining the names of the cache folders. With that information, an attacker could cause the target to execute files previously downloaded by the victim.
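The core of the issue above is that text taken straight from a URL ends up in a file the browser treats as local and trusted. A defender's check, added here as an example (it is not code from the advisory or from Georgi Guninski), is to scan such a history or cache index for recorded URLs that carry HTML or script markup. The real index.dat binary layout is not described on this page, so the scanner assumes only that the file contains URL strings embedded as raw bytes (an assumption) and extracts them with a regular expression; the sample input is constructed.

```python
"""Scan a browser history/cache index file for HTML markup smuggled in via URLs.

Added example for this advisory page, not code from the original posting or
from Georgi Guninski. The real index.dat layout is not described on the page;
this scanner only assumes the file contains URL strings embedded as bytes (an
assumption) and pulls them out with a regular expression, so it works on any
history or log file that records visited URLs verbatim.
"""
import re
from typing import List, Tuple
from urllib.parse import unquote

# Anything that looks like an http/https/file URL embedded in the file.
# Stop at NUL bytes, whitespace or a double quote; '<' and '>' stay in the
# match because that is exactly the content we want to inspect.
URL_RE = re.compile(rb'(?:https?|file)://[^\x00\s"]{1,2048}')

# Markup that has no business inside a recorded URL but would be interpreted
# if the file were ever rendered as text/html.
SUSPICIOUS_RE = re.compile(
    r'<\s*(script|object|embed|iframe|img|svg|meta)\b'   # active tags
    r'|\bon[a-z]+\s*='                                   # inline event handlers
    r'|javascript\s*:'                                   # script-scheme URLs
    r'|vbscript\s*:',
    re.IGNORECASE,
)


def extract_urls(blob: bytes) -> List[str]:
    """Return URL strings found in a raw index/history file, percent-decoded
    so that encoded '<' and '>' (%3C, %3E) are inspected as well."""
    found = []
    for m in URL_RE.finditer(blob):
        raw = m.group(0).decode("latin-1")  # latin-1 keeps every byte value
        found.append(unquote(raw))
    return found


def find_markup_in_urls(blob: bytes) -> List[Tuple[str, str]]:
    """Return (url, matched_fragment) pairs for every recorded URL that carries
    HTML/script markup. Any hit means the 'local' file no longer holds purely
    local data; review the entry or purge the file."""
    hits = []
    for url in extract_urls(blob):
        m = SUSPICIOUS_RE.search(url)
        if m:
            hits.append((url, m.group(0)))
    return hits


# Constructed sample: benign URLs plus two entries whose query strings carry
# markup, padded with NUL bytes to mimic a binary index file.
SAMPLE_INDEX = (
    b"\x00\x00http://www.example.com/index.html\x00\x00"
    b"http://www.example.com/search?q=%3Cscript%3Ealert(1)%3C/script%3E\x00"
    b"http://www.example.com/page?x=<object%20type=text/html>\x00\x00"
    b"file:///C:/WINDOWS/Desktop/readme.txt\x00"
)

if __name__ == "__main__":
    for url, frag in find_markup_in_urls(SAMPLE_INDEX):
        print(f"markup in recorded URL: {frag!r} in {url}")
```

The scanner decodes percent-encoding before matching because the browser stores the URL as received, and an encoded `%3Cscript%3E` is just as much a problem once the file is rendered as an unencoded one. Run against a copy of the file rather than the live one, since the browser keeps it open.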
Exploit / POC
Georgi Guninski provided the following demonstration page with his advisory:
http://www.guninski.com/parsedat.html
In its current form, it will only work for Win9x clients. The source code is available in the Bugtraq message.