|
Affected Software : Microsoft Internet Explorer Vulnerability : Local File Detection Tested On : MS IE 6.0 SP1, Win2K SP4, [up-to-date] according to windowsupdate.com Discovered by : Gregory R. Panakkal Overview ======== This security vulnerability in Internet Explorer allows remote attackers to discover what software is installed on the remote computer, by testing for the existence of certain files. The "sysimage://" protocol is used to display the appropriate icon corresponding to a file path when viewed from MSIE. The default behaviour is such, that if a existing file-path is given as input, it displays the approritate icon [as described above], but if the file-path supplied doesn't exists, it loads the icon of a folder instead [ie, it gives out no error]. But as always, there is a way to bypass it.. and let us differentiate between a valid path and an invalid one, and thus using the onLoad and onError event handlers, the 'local file detection' is a piece of cake. There isn't much of a documentation on the net regarding the "sysimage://", atleast google didn't show up anything useful :( Proof Of Concept ================ Demo ==== A demonstration is available at the following URL. http://crapware.lx.ro/junkcode/security/ie-sp1-sysimage-local-file-exist ence.htm Greetz to ========= Liu Die Yu, Rakesh Balasunder rgds, Gregory R. Panakkal (aka JunkCode / Viper) ________________________________________________________________________ Yahoo! India Matrimony: Find your life partner online Go to: http://yahoo.shaadi.com/india-matrimony