I tried it on 3 PCs and it only worked when pressing refresh, something that can be considered non-trivial user interaction.

I just tried your suggestion under Windows XP / IE6 SP1; it doesn't work:

Cannot find 'ftp://%@/...'
Make sure the path or Internet address is correct

--jelmer

----- Original Message -----
From: "Andreas Sandblad" <sandblad@acc.umu.se>
To: "Mindwarper *" <mindwarper@linuxmail.org>
Cc: <bugtraq@securityfocus.com>
Sent: Monday, October 27, 2003 9:32 PM
Subject: Re: Internet Explorer and Opera local zone restriction bypass

> Hi Mindwarper.
>
> It seems you can actually get it to work without pressing refresh and
> without knowing the username (at least on my fully patched win2000 pro
> machine).
>
> How? Remember the vulnerability
> "Microsoft Internet Explorer %USERPROFILE% Folder Disclosure Vuln."
> http://msgs.securepoint.com/cgi-bin/get/bugtraq0306/52.html
> found by Eiji James Yoshida and published on Bugtraq 5 June 2003. It will
> allow us to link to local files without knowing the username.
>
> Basically this will repeat the test I did:
> - Infect mlsecurity.sol with html code by visiting:
>   http://www.mlsecurity.com/ie/wee.php
>
> - Create an iframe dynamically:
>   document.write('<iframe src=location.php><'+'/iframe>');
>
> - Redirect to local file with the following http header:
>   Location: ftp://%@/../../../../Application Data/Macromedia/Flash Player/mlsecurity.com/mlsecurity.sol
>
> No username needed, no refresh.
>
> Sincerely,
>
> Andreas Sandblad
>
>
> On Fri, 24 Oct 2003, Mindwarper * wrote:
>
> > Internet Explorer and Opera local zone restriction bypass.
> > =--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=
> >
> > ----------------------
> > Vendor Information:
> > ----------------------
> >
> > Homepage        : http://www.microsoft.com
> > Vendor          : informed
> > Mailed advisory : 23/10/03
> > Vendor Response : None yet
> >
> >
> > ----------------------
> > Affected Versions:
> > ----------------------
> >
> > All versions of IE 6
> > Possibly 5.x too
> >
> >
> > ----------------------
> > Description:
> > ----------------------
> >
> > Microsoft Internet Explorer does not allow local file access by a remote host by default.
> > By creating an iframe which points to a specially crafted cgi script (using the location header
> > to confuse IE), it is possible to cause IE to execute any local file through the iframe with local
> > zone restrictions. This then allows remote arbitrary file execution on the victim without having
> > the victim do a thing except load the page.
> > Opera seems to not only be affected by this vulnerability, but it also allows direct
> > local file access through iframes without any cgi scripts. Unlike IE where it is possible
> > to set activex objects to execute arbitrary files, in Opera it is not. There may be a way,
> > but I am currently not aware of any.
> >
> >
> > ----------------------
> > Exploit:
> > ----------------------
> >
> > I have created a proof of concept page, but I did not show or explain how the cgi scripts
> > nor the flash file work exactly to prevent kiddie abuse.
> >
> > For IE: http://www.mlsecurity.com/ie/ie.htm
> >
> > For Opera: <iframe name="abc" src="file:///C:/"></iframe>
> >
> > ----------------------
> > Solution:
> > ----------------------
> >
> > Check Microsoft's website frequently until a new patch comes out.
> >
> > ----------------------
> > Contact:
> > ----------------------
> >
> > - Mindwarper
> > - mindwarper@linuxmail.org
> > - http://mlsecurity.com
> >
> >
> > --
>  _   _
> o' \,=./ `o
>    (o o)
> -ooO--(_)--Ooo-
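The thread hinges on a server redirecting the browser, via an HTTP `Location` header, into a non-http URL (`ftp://%@/../…`, `file:///C:/`) that the browser then resolves against the local machine. A defender watching outbound traffic can look for exactly that header shape. The script below is an added example written for this page, not code from any participant in the thread: it parses `Location` header lines and reports three signs of a local-zone redirect quoted above (a non-http scheme, a userinfo part in front of an empty host as in `ftp://%@/`, and parent-directory segments in the path, checked after percent-decoding). The five sample header lines are constructed for the demonstration, not captured traffic.

```python
import re
from urllib.parse import urlsplit, unquote

# Schemes a web server has no business redirecting a browser into.
SUSPECT_SCHEMES = {"ftp", "file"}

# Constructed sample log lines (not traffic from the thread); each is a raw
# HTTP response header line as a forward proxy might record it.
SAMPLE_HEADERS = [
    "Location: http://www.example.com/index.html",
    "Location: ftp://%@/../../../../Application Data/Macromedia/Flash Player/example/example.sol",
    "Location: file:///C:/",
    "Location: ftp://ftp.example.org/pub/README",
    "Location: http://www.example.com/%2e%2e/%2e%2e/etc/passwd",
]


def location_target(header_line):
    """Extract the URL from a 'Location:' header line, or None if it is some other header."""
    m = re.match(r"^\s*Location\s*:\s*(.+?)\s*$", header_line, re.IGNORECASE)
    return m.group(1) if m else None


def redirect_findings(url):
    """Return the reasons a redirect target looks like a local-zone redirect of the
    kind discussed in the thread; an empty list means nothing matched."""
    parts = urlsplit(url)
    reasons = []
    scheme = parts.scheme.lower()
    if scheme in SUSPECT_SCHEMES:
        reasons.append("non-http scheme '%s'" % scheme)
    # ftp://%@/ : a userinfo section in front of an empty host, the form quoted in the thread.
    if "@" in parts.netloc and not parts.hostname:
        reasons.append("userinfo '%s' with empty host" % parts.netloc.rpartition("@")[0])
    # Parent-directory segments, checked after percent-decoding so %2e%2e is caught too;
    # backslashes are normalised because Windows path handling treats them as separators.
    segments = unquote(parts.path).replace("\\", "/").split("/")
    if ".." in segments:
        reasons.append("parent-directory traversal in path")
    return reasons


def scan_headers(lines):
    """Return (url, reasons) for every Location header in lines that produced findings."""
    hits = []
    for line in lines:
        url = location_target(line)
        if url is None:
            continue
        reasons = redirect_findings(url)
        if reasons:
            hits.append((url, reasons))
    return hits


if __name__ == "__main__":
    for url, reasons in scan_headers(SAMPLE_HEADERS):
        print(url, "->", "; ".join(reasons))
```

Run over the constructed sample, the benign http redirect produces no finding, the `ftp://%@/…` line triggers all three checks, and the plain `ftp://ftp.example.org/…` line is reported only for its scheme, which is the right outcome for an analyst to triage rather than silently drop: the scheme check is deliberately broad, and the combination of findings on one line is what distinguishes the pattern from the thread.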