
Re: Internet Explorer and Opera local zone restriction bypass



In-Reply-To: <20031025100233.6289.qmail@xxxxxxxxxxxxx>

try this ...

it's damn strange to see WINXP LOGOFF WITHOUT ASKING MY PERMISSION

file://c:\windows\system32\logoff.exe

--------------------

>Message-ID: <20031025100233.6289.qmail@xxxxxxxxxxxxx>
>From: "Mindwarper *" <mindwarper@xxxxxxxxxxxxx>
>To: "Thor Larholm" <thor@xxxxxxxx>
>Cc: bugtraq@xxxxxxxxxxxxxxxxx
>Date: Sat, 25 Oct 2003 18:02:33 +0800
>Subject: RE: Internet Explorer and Opera local zone restriction bypass
>
>I decided to use the flash cookie just as an example. I could have used for 
>example the Macromedia Director cookie. Another way would be using IE 
>temporary cookies because they allow html tags and most other ascii symbols 
>except for ";" in the cookie name. So all I have to do is create a 
>document.write script which writes the activex. 
>Another way would be using AIM's urlcache cookies which also appear in 
>/Application Data/.
>If Mozilla or Opera are installed it is also possible to use their data 
>which is stored in the /Application Data/.
>The only problem is that I will still have to know the username of the victim.
>
>- Mindwarper
>
>----- Original Message -----
>From: "Thor Larholm" <thor@xxxxxxxx>
>Date: Fri, 24 Oct 2003 21:54:32 -0700
>To: "Mindwarper *" <mindwarper@xxxxxxxxxxxxx>,<bugtraq@xxxxxxxxxxxxxxxxx>
>Subject: RE: Internet Explorer and Opera local zone restriction bypass
>
>> There was not a lot of details in your post, so I will try to verify and 
>> clarify your findings. First things first, this is not a problem with 
>> Microsoft's Internet Explorer, but with Macromedia and their Flash player.
>> 
>> I could reproduce this issue successfully with a fresh install of the latest 
>> Flash player, version 6.0.65.0, on fully patched versions of both IE6SP1 and 
>> Windows XP Pro.
>> 
>> There are two completely new issues at hand here.
>> 
>> The first issue is that Macromedia Flash allows you to store arbitrary 
>> content in a known location, that is %APPDATA%\Macromedia\Flash 
>> Player\YOURDOMAINNAME.TLD\YOURDOMAINNAME.sol. All flash cookies (which is 
>> what you set in your example, not browser cookies) from YOURDOMAINNAME.TLD 
>> are stored in this file.
>> 
>> The issue is caused by Macromedia's decision to store the contents of your 
>> Flash cookie in plaintext in this .SOL file. When IE later reads the file 
>> the "magic filetype" feature of Explorer reads the first 256 bytes, finds 
>> HTML content and determines to render the file as HTML since the target 
>> application is the browser, including your scripting.
>> 
>> Being able to store arbitrary content in a known location is vital to any of 
>> the current range of IE exploits.
>> 
>> Flash itself is a binary format, so this complete issue can easily be fixed 
>> by Macromedia by applying the same level of binary formatting to its Flash 
>> cookie contents, to provide slight obfuscation of the contents of Flash 
>> cookies when storing them on disk so Explorer does not misread its datatype.
>> 
>> End-users can protect themselves against this exploit by changing how much 
>> data Flash applications are allowed to store on disk by going to 
>> http://www.macromedia.com/support/flashplayer/help/settings/global_storage.html
>>  and moving the slider all the way down, equivalent to checking the "Never 
>> Ask Again" checkbox on the page. When an updated version of the Flash player 
>> that fixes this is available, it is equally easy to change the setting back.
>> 
>> System administrators can edit the file %APPDATA%\Macromedia\Flash 
>> Player\macromedia.com\support\sys\settings.sol and change the bytes at 
>> positions c7 and c8 to contain BF and F0, respectively (ASCII ¿ and ð), to 
>> restrict data storage for Flash applications as an end-user would above. If 
>> you want to restore the file to default settings (for storing 100KB data) 
>> change the bytes back to 40 and 59, respectively (ASCII @ and Y).
>> 
>> This is also why several people have said they could not reproduce the 
>> issue. They were either not logged in with the Administrator account, which 
>> your POC required, or they did not have the Macromedia Flash player 
>> installed.
>> 
>> A similar issue was found way back with ID3 tags in Winamp and RealPlayer 
>> media files, and has been found on several occasions where a third-party 
>> non-Microsoft application allows you to store arbitrary content in a known 
>> location.
>> 
>> 
>> The second issue is that IE lets you redirect to local files. This was 
>> restricted in IE6 SP1. While going over the source code in your POC, we 
>> discovered that it inadvertently redirects to a local file, despite the 
>> apparent restriction.
>> 
>> When IE encounters a redirect such as the following
>> 
>> Content-Location: file://c:/somefile.html
>> 
>> it will disallow the action and not follow the redirect. However, your POC 
>> has one important alteration, which is the following
>> 
>> Content-Location: file:///c:/somefile.html
>> 
>> Did you notice that slight difference? Adding another slash to the URL 
>> circumvents the initial restriction, and when IE finally decides to load the 
>> URL in another part of its code it removes any excess slashes and properly 
>> loads file://c:/somefile.html
>> 
>> The restriction imposed by IE6 SP1 is imposed on all local protocols, such 
>> as file:// and res://, and this new way to circumvent it equally applies to 
>> all local protocols. This means that you don't have to know the location of 
>> a specific file, but instead can open a resource file available on all 
>> systems, such as
>> 
>> Content-Location: res:///browselc.dll/mb404.htm
>> 
>> Of course, since you could not inject any code in the resource file you 
>> will now have to use another cross-domain scripting vulnerability in place 
>> of the Macromedia Flash vulnerability you identified in the first issue. On 
>> the positive side, it also means that you no longer have to guess the user's 
>> Windows Logon name.
>> 
>> 
>> In summary, when Macromedia changes their Flash player to no longer store 
>> Flash cookies in plaintext in a known location, this will no longer be an 
>> issue. All of the currently unpatched cross-domain scripting vulnerabilities 
>> are having patches produced, and since they have no easy POC exploits I 
>> doubt we will see any malicious use of the local file redirection variation 
>> you found.
>> 
>> 
>> 
>> Regards
>> Thor Larholm
>> PivX Solutions, LLC - Senior Security Researcher
>> http://pivx.com/larholm/ - Get our research, join our mailinglist
>> 
>> 
>> 
>> -----Original Message-----
>> From: Mindwarper * [mailto:mindwarper@xxxxxxxxxxxxx] 
>> Sent: Friday, October 24, 2003 6:53 AM
>> To: bugtraq@xxxxxxxxxxxxxxxxx
>> Subject: Internet Explorer and Opera local zone restriction bypass
>> 
>> <snip http://www.securityfocus.com/archive/1/342317/2003-10-22/2003-10-28/0>
>
>
>
>-----------------------------|
>- Mindwarper                 |
>- mindwarper@xxxxxxxxxxxxx   |
>- http://mlsecurity.com      |
>-----------------------------|
>
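The redirect bypass Thor describes (file://c:/... refused, file:///c:/... accepted, then collapsed to file://c:/... at load time) is a validate-then-canonicalize ordering bug. The following is an added illustration, not code from the thread or from IE: a model of the literal-prefix check beside a check that canonicalizes first, plus a scanner over constructed response headers. The naive regex is a simplification of the described behaviour, not IE's actual logic.

```python
import re

# Local-zone schemes named in the thread as subject to the IE6 SP1 restriction.
LOCAL_SCHEMES = {"file", "res"}

# Model of the flawed check: only "scheme://" followed by a non-slash is caught,
# so "file:///c:/x" passes while "file://c:/x" is blocked (assumed simplification).
NAIVE_LOCAL_RE = re.compile(r"^(file|res)://[^/]", re.IGNORECASE)

_SCHEME_RE = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.\-]*):(/*)(.*)$", re.DOTALL)


def canonicalize(url: str) -> str:
    """Collapse any run of slashes after 'scheme:' to exactly two, as the thread
    says IE's loader does, and lower-case the scheme."""
    m = _SCHEME_RE.match(url.strip())
    if not m:
        return url.strip()
    scheme, slashes, rest = m.groups()
    sep = "//" if slashes else ""
    return f"{scheme.lower()}:{sep}{rest}"


def naive_blocks(url: str) -> bool:
    """Pre-fix behaviour: literal prefix match on the raw string."""
    return bool(NAIVE_LOCAL_RE.match(url.strip()))


def hardened_blocks(url: str) -> bool:
    """Canonicalize first, then decide on the scheme that will really be loaded."""
    scheme = canonicalize(url).partition(":")[0]
    return scheme in LOCAL_SCHEMES


def scan_headers(raw: str):
    """Return (header, original, canonical) for each redirect-style header whose
    target resolves to a local-zone scheme after canonicalization."""
    hits = []
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in ("content-location", "location"):
            url = value.strip()
            if hardened_blocks(url):
                hits.append((name.strip(), url, canonicalize(url)))
    return hits


# Constructed sample response headers (not from the thread).
SAMPLE_HEADERS = """HTTP/1.1 200 OK
Content-Type: text/html
Content-Location: file:///c:/somefile.html
Location: http://example.com/ok
"""
```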
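Thor's administrator mitigation is a two-byte patch to settings.sol under %APPDATA%\Macromedia\Flash Player\macromedia.com\support\sys\ (BF F0 to restrict storage, 40 59 for the 100KB default). The helper below is an added example, not from the thread or from Macromedia; it assumes "positions c7 and c8" are zero-based hex byte offsets and refuses to touch a file whose bytes match neither known value.

```python
import shutil

RESTRICTED = b"\xbf\xf0"   # "BF and F0": storage slider all the way down
DEFAULT = b"\x40\x59"      # "40 and 59": default 100KB allowance
OFFSET = 0xC7              # Assumption: positions c7/c8 are zero-based hex offsets


def flash_storage_state(data: bytes) -> str:
    """Classify a settings.sol image by the two bytes at OFFSET."""
    if len(data) < OFFSET + 2:
        return "too-short"
    pair = data[OFFSET:OFFSET + 2]
    if pair == RESTRICTED:
        return "restricted"
    if pair == DEFAULT:
        return "default"
    return "unknown"


def set_flash_storage(data: bytes, restrict: bool) -> bytes:
    """Return a copy with the two bytes swapped; only patch a recognised layout."""
    if flash_storage_state(data) not in ("restricted", "default"):
        raise ValueError("unrecognised settings.sol layout; refusing to patch")
    new = RESTRICTED if restrict else DEFAULT
    return data[:OFFSET] + new + data[OFFSET + 2:]


def patch_file(path: str, restrict: bool = True) -> str:
    """Back up the file, apply the setting, return the resulting state."""
    with open(path, "rb") as fh:
        data = fh.read()
    shutil.copyfile(path, path + ".bak")
    with open(path, "wb") as fh:
        fh.write(set_flash_storage(data, restrict))
    with open(path, "rb") as fh:
        return flash_storage_state(fh.read())


# Constructed stand-in for a default settings.sol (not a real file image).
SAMPLE_DEFAULT = bytes(OFFSET) + DEFAULT + b"\x00" * 8
```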