SecurityTracker.com
Category:  Application (Web Browser)  >  Internet Explorer (IE)
Vendors:  Microsoft
Microsoft Internet Explorer Discloses The Existence of and Details of Local Files to Remote Users
Date:  Mar 27 2002
Impact:  Disclosure of system information, Disclosure of user information
Exploit Included:  Yes  
Version(s): 5, 5.01, 5.5, 6.0
Description:  GreyMagic Security issued an advisory warning of a vulnerability in Microsoft's Internet Explorer web browser. The 'dynsrc' image tag property may let remote users determine details of local files on the target (victim) user's computer.

A remote user can reportedly create a script that, when executed on another user's computer, can test for the presence of named files on that user's system.

It is reported that the 'dynsrc' property contains a feature to allow the <img> element to present other types of media (e.g., VRML, AVI, MPEG) but ignores the source validity and allows the script to access the specified file even if it is not presentable media.

It is reported that once a file name has been assigned to the dynsrc property, a remotely supplied script can check whether the file exists by checking the fileSize property of the <img> element. If the return value is -1, then the file does not exist, according to the report. If the return value is greater, then the file exists.

It is reported that a remotely supplied script can extract additional information from the <img> element about an existing file, including:

* The file size in bytes, using the fileSize property.
* The date the file was created, using the fileCreatedDate property.
* The date the file was last modified, using the fileModifiedDate property.
* The date the file was last updated, using the fileUpdatedDate property.

Some demonstration exploit code is provided in the Source Message. Also, a working demonstration is available at:

http://security.greymagic.com/adv/gm003-ie/

The vendor has reportedly been notified.

Exploit code: This simple example demonstrates how the bug is used to check whether
"c:/test.txt" exists and retrieves its additional properties if it does.

<img dynsrc="file://c:/test.txt" id="oFile">
<script language="jscript" defer>
setTimeout(
        function () {
                alert(
                        oFile.fileSize>-1 ?
                                "File exists!\n\n"+
                                "Size: "+oFile.fileSize+" bytes.\n"+
                                "Created: "+oFile.fileCreatedDate+".\n"+
                                "Modified: "+oFile.fileModifiedDate+".\n"+
                                "Updated: "+oFile.fileUpdatedDate+"."
                        :
                                "File does not exist."
                );
        },
        250
);
</script>

Impact:  A remote user can create a script that can test for the presence of named files on the target (victim) user's computer and, if the files exist, can retrieve information about the files.
Solution:  No solution was available at the time of this entry.
Vendor URL:  www.microsoft.com/technet/security/ (Links to External Site)
Cause:  Access control error, State error
Underlying OS:  Windows (Any)
Reported By:  "GreyMagic Software" <security@greymagic.com>
Message History:   None.
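
One way to screen HTML (for example at a mail gateway or web proxy) for the pattern this entry describes, as an added example that is not part of the advisory or of SecurityTracker's record. The function names and sample inputs are constructed for illustration, and regex matching is a heuristic that will not see through obfuscated script.

```javascript
// Added example (not from the advisory): flag HTML that pairs a local-path
// dynsrc on <img> with script reads of the file* properties named above.
const FILE_PROPS = ["fileSize", "fileCreatedDate", "fileModifiedDate", "fileUpdatedDate"];

// Decode numeric character references so "&#102;ile://" is not missed.
function decodeEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => String.fromCodePoint(parseInt(d, 10)));
}

// True for file: URLs, drive-letter paths (c:/, c:\) and UNC paths.
function isLocalPath(value) {
  const v = decodeEntities(value).trim().toLowerCase();
  return /^file:/.test(v) || /^[a-z]:[\\/]/.test(v) || /^\\\\/.test(v);
}

function scanHtml(html) {
  const findings = [];
  // Match dynsrc in any <img ...> tag; value may be double-, single- or un-quoted.
  const imgRe = /<img\b[^>]*?\bdynsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  let m;
  while ((m = imgRe.exec(html)) !== null) {
    const value = m[1] ?? m[2] ?? m[3] ?? "";
    if (isLocalPath(value)) findings.push({ kind: "static-dynsrc", value });
  }
  // dynsrc can also be assigned from script: el.dynsrc = "file://..."
  const assignRe = /\.dynsrc\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;
  while ((m = assignRe.exec(html)) !== null) {
    const value = m[1] ?? m[2];
    if (isLocalPath(value)) findings.push({ kind: "script-dynsrc", value });
  }
  const propsRead = FILE_PROPS.filter((p) => new RegExp("\\." + p + "\\b").test(html));
  // High confidence only when a local dynsrc and a file* read appear together.
  const verdict = findings.length && propsRead.length ? "probe"
    : findings.length ? "suspicious" : "clean";
  return { verdict, findings, propsRead };
}

// Constructed samples: the advisory's pattern, and an ordinary video embed.
const SAMPLE_PROBE = '<img dynsrc="file://c:/test.txt" id="oFile">' +
  '<script>alert(oFile.fileSize>-1 ? oFile.fileModifiedDate : "no")</script>';
const SAMPLE_BENIGN = '<img dynsrc="http://media.example/clip.avi" src="poster.gif">';

console.log(scanHtml(SAMPLE_PROBE).verdict, scanHtml(SAMPLE_BENIGN).verdict);
```

A "suspicious" verdict (local dynsrc with no file* read in the same document) is worth logging rather than blocking, since the script half may be loaded from a separate file.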


 Source Message Contents

Date:  Wed, 27 Mar 2002 02:21:56 +0200
From:  "GreyMagic Software" <security@greymagic.com>
Subject:  Retrieving information on local files in IE (GM#003-IE)

 

GreyMagic Security Advisory GM#003-IE
=====================================

By GreyMagic Software, Israel.
27 Mar 2002.

Available in HTML format at http://security.greymagic.com/adv/gm003-ie/.

Topic: Retrieving information on local files in IE.

Discovery date: 18 Feb 2002.

Affected applications:
======================

All tested versions of Microsoft Internet Explorer (IE5+); prior versions
may be vulnerable as well.


Introduction:
=============

The <img> element is commonly used to present images on an HTML document.
However, it also contains a feature that allows it to present other types of
media, such as VRML, AVI, MPEG, etc.

This feature was implemented in the form of a property named dynsrc.


Discussion:
===========

The problem lies within the dynsrc property's implementation, which
completely ignores the source validity and gives script access to the
assigned file even if it is not presentable.

Once a file name has been assigned to the dynsrc property, it is possible to
see whether it exists by checking the fileSize property of the <img>
element. If the return value is -1, then it is certain that the file does not
exist; any greater value indicates that the file exists.

When a file has been known to exist, it is possible to extract additional
information from the <img> element, such as:

* The file size in bytes, using the fileSize property.
* The date the file was created, using the fileCreatedDate property.
* The date the file was last modified, using the fileModifiedDate property.
* The date the file was last updated, using the fileUpdatedDate property.

A malicious attacker may use this bug in conjunction with other bugs to
detect files or determine whether the user has specific programs (and even
specific versions, according to size) installed, etc.


Exploit:
========

This simple example demonstrates how the bug is used to check whether
"c:/test.txt" exists and retrieves its additional properties if it does.

<img dynsrc="file://c:/test.txt" id="oFile">
<script language="jscript" defer>
setTimeout(
        function () {
                alert(
                        oFile.fileSize>-1 ?
                                "File exists!\n\n"+
                                "Size: "+oFile.fileSize+" bytes.\n"+
                                "Created: "+oFile.fileCreatedDate+".\n"+
                                "Modified: "+oFile.fileModifiedDate+".\n"+
                                "Updated: "+oFile.fileUpdatedDate+"."
                        :
                                "File does not exist."
                );
        },
        250
);
</script>


Solution:
=========

Microsoft was first informed on 18 Feb 2002 (38 days ago). They have opened
an investigation regarding this issue and will probably release a patch in
the near future.

Until a patch becomes available, the only workaround is to disable Active
Scripting.


Tested on:
==========

IE5sp2 NT4 sp6a, all possible patches.
IE5.5sp2 Win98, all patches.
IE5.5sp2 NT4 sp6a, all patches.
IE6sp1 Win2000 sp2, all patches.


Demonstration:
==============

A fully dynamic proof-of-concept demonstration of this issue is available at
http://security.greymagic.com/adv/gm003-ie/.


Feedback:
=========

Please mail any questions or comments to security@greymagic.com.

- Copyright © 2002 GreyMagic Software.


 



Copyright 2002, SecurityGlobal.net LLC