Intrusion Detection Systems mailing list archives

RE: IE 5


From: snooker2 () market1 com (Robert W. Miller)
Date: Mon, 4 Oct 1999 14:00:07 -0600


Going on to my question, I was recently using Micro$oft Internet
Explorer 5.0 to do FTP to a site which requires me to login, so I do
login and get my files. The next time I typed the words "ftp://" in
the location box in the browser, to my shock it displayed the history
of ftp with my login name and password in clear text, like
"ftp://loginname:password () domain com". So anybody who used that
browser to ftp will have access to my account.

This was posted last week to the securiteam list:

The following security advisory is sent to the securiteam mailing
list, and can be found at the SecuriTeam web site:
http://www.securiteam.com

Internet Explorer 5 allows attackers to read local files
----------------------------------------------------------------------

SUMMARY

Internet Explorer 5 is beginning to look like a real security problem,
when a newly discovered security hole allows web sites to read local
files of IE 5 users.
This hole (like previous ones) involves a flaw in IE's active code
implementation.

DETAILS

Background
IE includes a new feature called "DHTML behaviors"
(<http://foldoc.doc.ic.ac.uk/foldoc/foldoc.cgi?query=DHTML>), which
allows web builders to define properties and events for certain HTML
(<http://foldoc.doc.ic.ac.uk/foldoc/foldoc.cgi?query=HTML>) and XML
(<http://foldoc.doc.ic.ac.uk/foldoc/foldoc.cgi?query=XML>) elements.
Internet Explorer has a predefined set of DHTML behaviors. One of them
is the 'downloading' behavior - this behavior is defined as
'downloading a file and executing a certain JavaScript function on
this file'. The downloading should only be allowed for the same IE
security zone the web site is in (for example, an Intranet site is
allowed to download files from the local Intranet, but an Internet
site is only allowed to download files from the Internet).

However, a flaw in Internet Explorer's implementation of this function
allows web sites to read local files by 'downloading' them and
executing JavaScript functions to read them (or to send them to the
attacker). This flaw is exploited by an HTTP redirect method.

How the exploit works

1. The user reaches the malicious web site and views an HTML page
(http://www.example.com/index.htm)
2. The HTML page contains an active script with the
"#default#download" behavior, requesting to download the file
http://www.example.com/download.exe
3. This method causes IE to execute the startDownload method. This
method receives two parameters: The URL to download, and the function
to execute when the download finishes. IE starts downloading the file
download.exe from www.example.com. This is allowed, since the security
zone is still the Internet.
4. When IE starts to download the file, the HTTP server redirects IE's
downloading request from http://www.example.com/download.exe to:
C:\WINNT\system32\repair\SAM.
5. When the download is over, the JavaScript function specified in
startDownload is run. This can be used to post the content of the file
(in this case, the password database for this Windows NT workstation)
to this web site.

Solution
As always, the recommended solution is to disable Internet Explorer's
active scripting abilities:
* In IE, select Tools | Internet Options, then click on the Security
tab.
* Select the Internet Zone, and click on the "Custom Level" button.
* Under "Scripting", find the entry labeled "Active Scripting" and set
it to "Disable".
* Click OK twice to return to IE.

ADDITIONAL INFORMATION

This vulnerability was discovered by Georgi Guninski
(<mailto:joro () NAT BG>).
Previous security problems in Internet Explorer 5:

<http://www.securiteam.com/windowsntfocus/Import-Export-Favorites_vulnerability_in_Internet_Explorer.html>
Import-Export-Favorites vulnerability in Internet Explorer

<http://www.securiteam.com/windowsntfocus/A_flaw_in_IE_5_0_ActiveX_control_allows_executing_programs.html>
A flaw in IE 5.0 ActiveX control allows executing programs

<http://www.securiteam.com/windowsntfocus/IE5_FTP_Passwords_stored_in_clear_text_in_Windows_NT.html>
IE5 FTP Passwords stored in clear text in Windows NT

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and
body to: list-unsubscribe () securiteam com
In order to subscribe to the mailing list, simply forward this email
to: list-subscribe () securiteam com

========================================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty
of any kind.
In no event shall we be liable for any damages whatsoever including
direct, indirect, incidental, consequential, loss of business profits
or special damages.

Det. Robert W. Miller
Member Colorado Internet Crimes Against Children Task Force
Member Pueblo High Tech. Crimes Unit
Pueblo County Sheriff Office
909 Court St.
Pueblo, CO. 81003
Tel (719)583-4736
FAX (719)583-4732
mailto:snooker2 () market1 com
http://www.co.pueblo.co.us/sheriff/
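As an added example, not part of the original message or of the SecuriTeam advisory: a small Python scanner that runs over proxy-log lines and flags both exposures discussed above, the FTP URLs that carry a login name and password in the authority part (which IE 5 then kept in its typed-URL history) and HTTP 3xx responses whose Location target is a local path or file: URL (the redirect trick in the #default#download advisory). The log lines and the tab-separated log format (timestamp, client, method, URL, status, Location target) are constructed for this example and are assumptions, not the format of any real proxy; the scanner reports the user name and host of an embedded credential but never the password, and `strip_credentials` shows what a history or log store should keep instead.

```python
"""Defender-side log scan for the two IE 5 exposures in the forwarded mail:
(1) FTP URLs that carry user:password in the authority part (IE 5 kept
    them in its typed-URL history), and
(2) HTTP 3xx responses whose Location target is a local file path or a
    file: URL, the redirect trick the #default#download advisory describes.
Log lines and log format are constructed for this example (assumption)."""
import re
from urllib.parse import urlsplit, urlunsplit

# Assumed proxy log format: tab-separated
# timestamp, client, method, url, status, location ("-" when absent).
SAMPLE_LOG = """\
1999-10-04T13:55:01\t10.0.0.7\tGET\tftp://loginname:s3cret@ftp.example.net/pub/report.txt\t226\t-
1999-10-04T13:56:12\t10.0.0.7\tGET\thttp://www.example.com/index.htm\t200\t-
1999-10-04T13:56:13\t10.0.0.7\tGET\thttp://www.example.com/download.exe\t302\tC:\\WINNT\\system32\\repair\\SAM
1999-10-04T13:57:40\t10.0.0.9\tGET\thttp://www.example.com/download.exe\t302\thttp://mirror.example.com/download.exe
1999-10-04T13:58:02\t10.0.0.9\tGET\thttp://intranet.example.org/doc.htm\t302\tfile:///C:/boot.ini
"""

# A redirect target that is a drive-letter path, a UNC path or a file: URL
# points at the client's own disk, which no Internet-zone site should do.
LOCAL_TARGET = re.compile(r"^(?:file:|[A-Za-z]:[\\/]|\\\\)", re.IGNORECASE)


def credentials_in_url(url):
    """Return (username, host) when the URL embeds userinfo, else None.
    The password is deliberately not returned so it never reaches a report."""
    parts = urlsplit(url)
    if parts.username is None:
        return None
    return parts.username, parts.hostname


def strip_credentials(url):
    """Rebuild the URL without userinfo; what a history or log store should keep."""
    parts = urlsplit(url)
    if parts.username is None:
        return url
    netloc = parts.hostname or ""
    if parts.port:
        netloc += f":{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def redirect_to_local_file(status, location):
    """True for a 3xx response whose Location is a local path or file: URL."""
    return 300 <= status < 400 and bool(LOCAL_TARGET.match(location.strip()))


def parse_line(line):
    """Split one assumed-format log line into a record dict."""
    ts, client, method, url, status, location = line.split("\t")
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": int(status),
            "location": None if location == "-" else location}


def scan_log(text):
    """Return a list of (timestamp, client, rule, detail) findings."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        cred = credentials_in_url(rec["url"])
        if cred:
            findings.append((rec["ts"], rec["client"], "credentials-in-url",
                             f"user={cred[0]} host={cred[1]}"))
        if rec["location"] and redirect_to_local_file(rec["status"], rec["location"]):
            findings.append((rec["ts"], rec["client"], "redirect-to-local-file",
                             rec["location"]))
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(*finding)
```

Run as a script it prints three findings from the constructed log: the FTP login carried in the URL, the redirect to the SAM path, and the redirect to a file: URL; the ordinary redirect to another HTTP host is left alone. A proxy that sees a 3xx with such a Location target could also refuse to pass it to the client, which stops the download-behavior trick regardless of the browser's zone checks.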
