
Bugtraq mailing list archives
IE6 Vulnerability - Local File Detection
From: ViPeR <viper31337 () yahoo co in>
Date: Tue, 7 Dec 2004 12:19:35 +0000 (GMT)
Affected Software : Microsoft Internet Explorer
Vulnerability     : Local File Detection
Tested On         : MS IE 6.0 SP1, Win2K SP4, [up-to-date] according to windowsupdate.com
Discovered by     : Gregory R. Panakkal

Overview
========
This security vulnerability in Internet Explorer allows remote attackers to discover what software is installed on the remote computer, by testing for the existence of certain files.

The "sysimage://" protocol is used to display the appropriate icon corresponding to a file path when viewed from MSIE. The default behaviour is such that if an existing file-path is given as input, it displays the appropriate icon [as described above], but if the file-path supplied doesn't exist, it loads the icon of a folder instead [i.e., it gives out no error].

But as always, there is a way to bypass it.. and let us differentiate between a valid path and an invalid one, and thus using the onLoad and onError event handlers, the 'local file detection' is a piece of cake.

There isn't much documentation on the net regarding "sysimage://"; at least Google didn't show up anything useful :(

Proof Of Concept
================
<img src="sysimage://C:\WINNT\Notepad.exe,666"
onLoad="document.write('<b>Cannot Find File!</b>');"
onError="document.write('<b>File Exists!</b>');">

Demo
====
A demonstration is available at the following URL.
http://crapware.lx.ro/junkcode/security/ie-sp1-sysimage-local-file-existence.htm

Greetz to
=========
Liu Die Yu, Rakesh Balasunder

rgds,
Gregory R. Panakkal (aka JunkCode / Viper)

Current thread:
- IE6 Vulnerability - Local File Detection ViPeR (Dec 07)
- Re: IE6 Vulnerability - Local File Detection RSnake (Dec 08)
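
A defensive check for the pattern this advisory describes, as an added example that is not part of the original post: a Python scanner that a mail or web content filter could run over HTML to flag tags which load a `sysimage:` URL and attach `onload`/`onerror` handlers to observe the outcome. The `file` scheme entry, the function and class names, and the sample markup are assumptions made for the illustration.

```python
from html.parser import HTMLParser

# Schemes that resolve against the viewer's own machine. "sysimage" is the one
# from the advisory; "file" is an assumption added for this example.
LOCAL_SCHEMES = ("sysimage", "file")
URL_ATTRS = ("src", "href", "background", "lowsrc", "dynsrc")
PROBE_EVENTS = ("onload", "onerror")

# Constructed sample input (line 3 mirrors the markup shape in the advisory).
SAMPLE = r'''<html><body>
<img src="http://example.com/logo.png" onload="ready()">
<img src="sysimage://C:\WINNT\Notepad.exe,666" onLoad="a()" onError="b()">
<IMG SRC=" SysImage://C:\WINNT\system32" >
</body></html>'''


def local_scheme(value):
    """Return the local scheme a URL attribute uses, or None."""
    # Browsers ignore whitespace/control characters and scheme case.
    cleaned = "".join(ch for ch in value if ch > " ").lower()
    for scheme in LOCAL_SCHEMES:
        if cleaned.startswith(scheme + ":"):
            return scheme
    return None


class ProbeFinder(HTMLParser):
    """Collects tags that reference a local scheme, noting load/error handlers."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases names and decodes character references.
        attrs = {k: (v or "") for k, v in attrs}
        handlers = sorted(e for e in PROBE_EVENTS if e in attrs)
        for name in URL_ATTRS:
            scheme = local_scheme(attrs.get(name, ""))
            if scheme:
                # A handler on the same tag turns the reference into an oracle.
                severity = "probe" if handlers else "local-ref"
                self.findings.append(
                    (self.getpos()[0], tag, scheme, severity, handlers))


def scan(html):
    """Return (line, tag, scheme, severity, handlers) for each finding."""
    finder = ProbeFinder()
    finder.feed(html)
    finder.close()
    return finder.findings
```

A `probe` finding is worth blocking or rewriting outright; a `local-ref` finding has no handler on the tag itself but still deserves review, since script elsewhere on the page can attach one.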
