29th Mar 2002 [SBWID-5215]
COMMAND
IE local file information retrieval.
SYSTEMS AFFECTED
IE5sp2 NT4 sp6a, all possible patches.
IE5.5sp2 Win98, all patches.
IE5.5sp2 NT4 sp6a, all patches.
IE6sp1 Win2000 sp2, all patches.
PROBLEM
In GreyMagic Security Advisory GM#003-IE
[http://security.greymagic.com]:
Introduction:
=============
The <img> element is commonly used to present images in an HTML
document. However, it also contains a feature that allows it to present
other types of media, such as VRML, AVI, MPEG, etc.
This feature was implemented in the form of a property named dynsrc.
Discussion:
===========
The problem lies within the dynsrc property's implementation, which
completely ignores the validity of the source and gives script access to
the assigned file even if it cannot be presented.
Once a file name has been assigned to the dynsrc property, it is
possible to tell whether the file exists by reading the fileSize
property of the <img> element: a return value of -1 means the file
does not exist; any greater value means the file exists.
Once a file is known to exist, additional information can be extracted
from the <img> element, such as:
* The file size in bytes, using the fileSize property.
* The date the file was created, using the fileCreatedDate property.
* The date the file was last modified, using the fileModifiedDate property.
* The date the file was last updated, using the fileUpdatedDate property.
A malicious attacker may use this bug, in conjunction with other bugs,
to detect files or to determine whether the user has specific programs
installed (and even which versions, judging by file size).
Exploit:
========
This simple example demonstrates how the bug is used to check whether
"c:/test.txt" exists and retrieves its additional properties if it
does.
<img dynsrc="file://c:/test.txt" id="oFile">
<script language="jscript" defer>
setTimeout(
    function () {
        alert(
            oFile.fileSize > -1 ?
                "File exists!\n\n" +
                "Size: " + oFile.fileSize + " bytes.\n" +
                "Created: " + oFile.fileCreatedDate + ".\n" +
                "Modified: " + oFile.fileModifiedDate + ".\n" +
                "Updated: " + oFile.fileUpdatedDate + "."
            :
                "File does not exist."
        );
    },
    250
);
</script>
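Detection side, as an added example that is not part of the GreyMagic advisory: a small Python scanner (standard library only) that looks through HTML content, flags <img> elements whose dynsrc attribute points at a local file, and records which of the metadata properties named above the page's inline script also reads. The file: check is what the advisory describes; treating a bare drive-letter path such as c:/... as a local target is an assumed defensive generalization, and the two HTML samples are constructed for the demonstration.

```python
"""Scanner for the IE dynsrc local-file probe described in GM#003-IE.

Added example, not GreyMagic's code. Flags <img> elements whose dynsrc
attribute targets the local filesystem and notes whether inline script
reads the metadata properties the advisory lists. The HTML samples at
the bottom are constructed input for the demo.
"""
import re
from html.parser import HTMLParser

# Property names the advisory lists as readable once dynsrc is assigned.
METADATA_PROPS = ("fileSize", "fileCreatedDate",
                  "fileModifiedDate", "fileUpdatedDate")

# A dynsrc value that reaches the local filesystem: the file: scheme
# (any case, leading whitespace tolerated) or a bare drive-letter path.
# The drive-letter form is an assumed variant, not shown in the advisory.
LOCAL_TARGET = re.compile(r"^\s*(file:|[a-zA-Z]:[\\/])", re.IGNORECASE)


class DynsrcProbeScanner(HTMLParser):
    """Collects local-file dynsrc targets and the text of <script> blocks."""

    def __init__(self):
        super().__init__()
        self.local_targets = []   # list of (element id or None, dynsrc value)
        self.script_text = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)           # HTMLParser lowercases tag/attribute names
        if tag == "img" and a.get("dynsrc") is not None:
            value = a["dynsrc"]
            if LOCAL_TARGET.match(value):
                self.local_targets.append((a.get("id"), value.strip()))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.script_text.append(data)


def scan_html(html):
    """Return one finding per local-file dynsrc, with the props the script reads."""
    scanner = DynsrcProbeScanner()
    scanner.feed(html)
    scanner.close()
    script = "".join(scanner.script_text)
    props_read = [p for p in METADATA_PROPS if p in script]
    return [
        {"id": elem_id, "dynsrc": target, "props_read": props_read}
        for elem_id, target in scanner.local_targets
    ]


# Constructed sample: the probe pattern from the advisory, pared down.
PROBE_PAGE = """<img dynsrc="file://c:/test.txt" id="oFile">
<script language="jscript" defer>
setTimeout(function () {
  alert(oFile.fileSize > -1 ? "exists " + oFile.fileCreatedDate : "no");
}, 250);
</script>"""

# Constructed sample: ordinary media use of dynsrc, nothing local.
BENIGN_PAGE = """<img src="logo.png" alt="logo">
<img dynsrc="http://example.invalid/clip.avi" id="clip">
<script>document.title = "hello";</script>"""


if __name__ == "__main__":
    for name, page in (("probe", PROBE_PAGE), ("benign", BENIGN_PAGE)):
        print(name, scan_html(page))
```

The scanner is intentionally conservative: it only reports dynsrc values that can reach the local filesystem, so legitimate dynsrc use for remote media is not flagged, while the props_read field shows how far a flagged page goes beyond mere existence probing.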
SOLUTION
Until a patch becomes available the only workaround is to disable
Active Scripting.