NI3
11-08-2003, 10:43 AM
TITLE:
Microsoft Internet Explorer Local Zone Access

SECUNIA ADVISORY ID:
SA10157

CRITICAL:
Moderately critical

IMPACT:
Security Bypass, Exposure of sensitive information

WHERE:
From remote

SOFTWARE:
Microsoft Internet Explorer 6
Microsoft Internet Explorer 5.5
Microsoft Internet Explorer 5.01

DESCRIPTION:
Multiple vulnerabilities have been identified in Internet Explorer
allowing malicious HTML documents such as web sites to access
resources in the Local Zone.

1) Double slash zone transfer
The use of a double slash ":\\" in a CODEBASE resource location can
be used to bypass the security check in Internet Explorer. This can
potentially be exploited to cause Internet Explorer to access local
resources.

2) Userprofile disclosure
It is possible to access files in the current user profile without
knowing the username by substituting it with
"file:///::{450D8FBA-AD25-11D0-98A8-0800361B1103}". It is also
possible to see the current user profile with the following
javascript
"alert(window.open("file:///::{450D8FBA-AD25-11D0-98A8-0800361B1103}/res::"))".
This can only be exploited if Internet Explorer is operating in the Local
Zone.

3) Redirection and Refresh in IFRAME parses local file
It is possible to make Internet Explorer parse a local file by
creating an IFRAME, which has a SRC pointing to a remote source that
redirects to a local resource. Parsing of the local file requires the
IFRAME to be refreshed, which can be done automatically using
scripting.

A proof of concept exploit has been published. This exploit combines
the above vulnerabilities with some older vulnerabilities and a bug
in Flash player to install and execute arbitrary code.

The vulnerabilities have been reported to affect Internet Explorer 5,
5.5, and 6 with all current patches.

SOLUTION:
Deactivate Active Scripting for all sites except trusted sites.

REPORTED BY / CREDITS:
1 & 2) Liu Die Yu
3) Mindwarper

ORIGINAL ADVISORY:
Double slash zone transfer

Redirection and Refresh in Iframe parses local file

----------------------------------------------------------------------
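As an added example, not part of the advisory or of this post, the following Python content-filter scanner flags HTML that carries the three patterns the advisory describes (a ":\\" double slash in a CODEBASE location, the user-profile CLSID, and a remote IFRAME paired with script that reloads it). The parser, the rules and the sample documents are this example's own constructions; rule 3 is only a heuristic and will miss variants.

```python
import re
from html.parser import HTMLParser
# CLSID quoted in the advisory: shell alias for the current user's profile folder
USERPROFILE_CLSID = "450D8FBA-AD25-11D0-98A8-0800361B1103"
class _Collector(HTMLParser):
    """Gathers OBJECT CODEBASE values, IFRAME SRC values and inline script text."""
    def __init__(self):
        super().__init__()
        self.codebases, self.iframe_srcs, self.scripts = [], [], []
        self._in_script = False
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # HTMLParser lowercases tag/attr names
        if tag == "object" and "codebase" in a:
            self.codebases.append(a["codebase"])
        if tag == "iframe" and "src" in a:
            self.iframe_srcs.append(a["src"])
        if tag == "script":
            self._in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)
def scan(html):
    """Return the advisory item numbers (1, 2, 3) whose pattern appears in html."""
    p = _Collector()
    p.feed(html); p.close()
    hits = set()
    # 1) a ":\\" double slash inside a CODEBASE resource location
    if any(":\\\\" in cb for cb in p.codebases):
        hits.add(1)
    # 2) any reference to the user-profile CLSID, regardless of case
    if USERPROFILE_CLSID.lower() in html.lower():
        hits.add(2)
    # 3) heuristic (assumption): remote IFRAME together with script that reloads it
    remote = any(re.match(r"\s*https?://", s, re.I) for s in p.iframe_srcs)
    reloads = any(re.search(r"\.reload\s*\(|\.src\s*=", s) for s in p.scripts)
    if remote and reloads:
        hits.add(3)
    return sorted(hits)
SAMPLES = {  # constructed inputs for this example, not taken from any real page
    "benign": '<iframe src="https://example.com/"></iframe><p>hello</p>',
    "codebase": '<object codebase="c:\\\\tools\\\\x.cab"></object>',
    "clsid": '<a href="file:///::{450D8FBA-AD25-11D0-98A8-0800361B1103}/">p</a>',
    "iframe": '<iframe name="f" src="http://example.net/r"></iframe>'
              '<script>setTimeout(function(){f.location.reload();},500)</script>',
}
```

A proxy or mail gateway would run `scan()` over fetched pages and log or block on any non-empty result; treat rule 3 hits as review items rather than hard blocks, since benign pages also refresh frames.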