GreyMagic Security Advisory GM#004-IE ===================================== By GreyMagic Software, Israel. 02 Apr 2002. Available in HTML format at http://security.greymagic.com/adv/gm004-ie/. Topic: Reading portions of local files, depending on structure. Discovery date: 18 Feb 2002. Affected applications: ====================== All tested versions of Microsoft Internet Explorer (IE5+). Introduction: ============= Cascading Style Sheets (CSS) are a way to control how HTML elements look, it enables developers to separate content (HTML) from style. CSS can be embedded in a number of ways, one of them is to use an external file and link it to a document; this is done by utilizing the <link> element or the seldom used @import CSS rule. Discussion: =========== Using the cssText property of the styleSheet object it is possible to read portions (and sometimes whole) files, from local or remote locations. Almost any file that contains a curly-bracket ("{") character will be parsed by IE's CSS engine, it is then possible to read parts of the content using the cssText property. The problem is that invalid CSS attributes are kept within the cssText property even though they have no functional use, allowing malicious programmers access to that content. The problem is very apparent in C-style code files (Java, Perl, C#, etc.) and in configurations for many services (such as DNS, for example). [1] CSS: http://www.w3.org/TR/REC-CSS2/. [2] <link> element: http://msdn.microsoft.com/workshop/author/dhtml/reference/objects/link.asp. [3] @import rule: http://msdn.microsoft.com/workshop/author/dhtml/reference/properties/import. asp. [4] cssText property: http://msdn.microsoft.com/workshop/author/dhtml/reference/properties/csstext .asp. [5] styleSheet object: http://msdn.microsoft.com/workshop/author/dhtml/reference/objects/obj_styles heet.asp. Exploit: ======== This example attempts to read content from "c:/test.txt". <link id="oFile" rel="stylesheet" href="file://c:/test.txt" disabled> <script language="jscript"> onload=function () { alert(document.styleSheets.oFile.cssText || "Could not extract any text from file."); } </script> Solution: ========= Microsoft was first informed on 18 Feb 2002 (44 days ago), they have opened an investigation regarding this issue and will probably release a patch in the near future. Until a patch becomes available the only workaround is to disable Active Scripting. Tested on: ========== IE5sp2 NT4 sp6a, all patches. IE5.5sp2 Win98, all patches. IE5.5sp2 NT4 sp6a, all patches. IE6sp1 Win2000 sp2, all patches. IE6sp1 WinXP, all patches. Demonstration: ============== A fully dynamic proof-of-concept demonstration of this issue is available at http://security.greymagic.com/adv/gm004-ie/. Feedback: ========= Please mail any questions or comments to security@greymagic.com. - Copyright © 2002 GreyMagic Software.
