-----BEGIN PGP SIGNED MESSAGE-----
Core Security Technologies - CoreLabs Advisory
Internet Explorer Security Zone restrictions bypass
1. *Advisory Information*
Title: Internet Explorer Security Zone restrictions bypass
Advisory ID: CORE-2008-0826
Advisory URL: http://www.coresecurity.com/content/ie-security-zone-bypass
Date published: 2009-06-09
Date of last update: 2009-06-09
Vendors contacted: Microsoft
Release mode: Coordinated release
2. *Vulnerability Information*
Class: Client side
Remotely Exploitable: Yes
Locally Exploitable: Yes
Bugtraq ID: 33178
CVE Name: CVE-2009-1140
3. *Vulnerability Description*
Internet Explorer (IE) is the most widely used Web browser, with an
estimated count of 1,100 million users according to a worldwide survey
conducted and published in 2008 . This advisory describes a
vulnerability that provides access to the contents of any file stored in
the local filesystem of user's machines running vulnerable versions of IE.
Exploitation of the vulnerability relies solely on the ability for a
would-be attacker to provide malicious HTML content from a website and
to predict the full pathname for the file that will be used to cache it
locally on the victim's system. If the entire path name can be
predicted, the attacker can cause a redirection to the locally stored
file using an URI specified in UNC form and force the local content to
be rendered as an HTML document, which will permit to run scripting
commands and instantiate certain ActiveX controls.
As a result of a successful attack, security or privacy-sensitive
information can be obtained by an attacker including but not limited to
user authentication credentials for any web application domain, HTTP
cookies, session management data, cached content of web applications in
different domains and any files stored on local filesystems.
The bug is related to a lack of enforcement of security policies
assigned to URL Security Zones  when content from the corresponding
zone is loaded and rendered from a local file. These issues have been
found in the way that security policies are applied when a URI is
specified in the UNC form (i.e., '\\MACHINE_NAME_OR_IP\PATH_TO_RESOURCE'):
1. When a remote site attempts to access a local resource, IE will
fail to enforce the Zone Elevation restrictions.
2. When browsing a remote site, IE will not properly enforce the
Security Zone permissions, allowing a site belonging to a less secure
zone to be treated as belonging to a more privileged one.
4. *Vulnerable packages*
. Internet Explorer 5.01 Service Pack 4
. Internet Explorer 6.0
. Internet Explorer 6.0 Service Pack 1
. Internet Explorer 7 (not exploitable with Protected mode on,
available on Vista)
4.1. *Vulnerable platforms*
. Microsoft Windows 2000 up to and including Service Pack 4
. Microsoft Windows Server 2003 up to and including Service Pack 2
. Microsoft Windows XP up to and including Service Pack 3
. Windows Vista up to and including Service Pack 1 (not exploitable
with IE running with Protected mode on)
. Windows Server 2008
5. *Non-vulnerable packages*
. Internet Explorer 8 under Windows 2000/2003/XP/Vista
6. *Vendor Information, Solutions and Workarounds*
The following workarounds can prevent exploitation of the vulnerability:
. Use Internet Explorer's Protocol Lockdown feature control to
restrict the "file" protocol to prevent HTML from UNC path to run script
or ActiveX controls.
. Set the Security Level setting for the Internet and Intranet Zones
to High to prevent IE from running scripts or ActiveX controls.
. Manually disable Active Scripting for the Internet and Intranet
Zone with a custom security setting.
. Only run IE in Protected Mode if it is available on the operating
. Use a different web browser to navigate untrusted web sites.
Additionally, although disabling file sharing if it is not necessary and
filtering outbound SMB connections at the endpoint or network perimeter
may not prevent exploitation it is generally a good security measure to
prevent disclosure of sensitive information such as valid usernames of
Microsoft has issued a patch to fix the vulnerability and a detailed
description of how to implement the workarounds on IE. It is available
as Security Bulletin http://go.microsoft.com/fwlink/?LinkID=150860.
Microsoft's Research and Defense blog has further discussion about the
vulnerability, workarounds and mitigations .
This vulnerability was discovered and researched by Jorge Luis Alvarez
Medina from Core Security Consulting Services (SCS). Additional research
was made by Federico Muttis from Core Security Exploit Writers Team (EWT).
8. *Technical Description / Proof of Concept Code*
Internet Explorer uses a feature known as URL Security Zones , which
defines a set of privileges for Web sites and applications depending on
their apparent level of trustworthiness. The zones available in the
. *Internet Zone: * For Web sites on the Internet that do not belong
to another zone.
. *Local Intranet Zone: * For content located on an organization's
. *Trusted Sites Zone: * For content located on Web sites that are
considered more reputable or trustworthy than other sites on the Internet.
. *Restricted Sites Zone: * For Web sites that contain content that
can cause (or have previously caused) problems when downloaded.
. *Local Machine Zone: * This is an implicit zone for content that
exists on the local computer and it is not directly configurable through
Internet Explorer security options by the user.
Internet Explorer users or Administrators can assign specific websites
or domains to any of the available zone except the Local Machine Zone.
The ability for a given website to perform security-sensitive operations
on the web browser is determined by the *Security Level* of the zone to
which the site was assigned. Each zone can be set to one of three preset
security levels (High, Medium-High, Medium) or to a custom level with
security policy settings specified by the user or administrator.
By default, all websites that are determined not to be in the Local
Intranet zone and are not explicitly listed in the Restricted Sites or
Trusted Sites zones are assigned the *Internet Zone* which has a default
security setting of Medium-High. Thus, for most IE users the
security-sensitive actions that a browser is allowed to perform while
connected to an untrusted Internet site are those specified by the
security policies of the Internet Zone at the Medium-High security level.
There are some issues in the way IE enforces zone security policies when
an URI is specified in the UNC form (i.e.,
'\\MACHINE_NAME_OR_IP\PATH_TO_RESOURCE'). In this case, Internet
Explorer classifies as *Internet Zone* any UNC address pointing to an IP
address including '127.0.0.1'. As a result, any website (belonging to
any security zone) can address and redirect the navigation flow to files
stored in '\\127.0.0.1'.
If an attacker controlling a website finds a way to store HTML with any
valid scripting code the local file system of the visitor and then
redirects the browser's navigation flow that local file
('\\127.0.0.1\full_file_name'), then this code will be loaded and
rendered as if it belonged to the *Internet Zone* but since the file
containing it is stored in '\\127.0.0.1' it would also be able to access
any other file on the visitor's file system.
The problem is derived from the sequence of actions performed by
Internet Explorer to determine the content-type of the content to be
loaded and the appropriate way to render it. The algorithm followed for
this purpose is described in Microsoft's Knowledgebase article titled
MIME Type Detection in Internet Explorer  and implemented in the
function 'FindMimeFromData' in 'URLMON.DLL'.
In the following section, proof of concept code is provided to
demonstrate the problem using the local storage used by Internet
Explorer to store the user's browsing history to deliver HTML with
scripting code and force IE to render it. This analysis is valid for any
Windows NT based operating system but should be slightly modified to run
under Windows Vista. It takes advantage of the following features:
1. The IE user's browsing history is compounded of different files
and folders. One of these files is named 'index.dat', and is usually
located at: 'C:\Documents and settings\USERNAME\Local
settings\History\History.IE5\index.dat'. Although the format of this
file is not entirely text, IE will store every visited URL including any
parameters in the query string in plain text.
2. Although the aforementioned folder cannot be directly browsed
using Windows Explorer or Internet Explorer, it can be browsed and
viewed by referring to the same folder using the UNC notation:
'\\[COMPUTERNAME|127.0.0.1]\C$\Documents and settings\USERNAME\Local
3. There are some HTML tags which allow to embed contents from
external files and treat them with a specific format disregarding the
file extension. For example, the HTML '' tag:
It allows to set the MIME type (in the type attribute) of an externally
referenced file in the data attribute which will be loaded as an object.
4. Internet Explorer behaves in a slightly different way when
displaying a page directly rather than displaying that page inside an
HTML '' tag. For example, a page containing an HTML '