Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Browsers :: expl5236.htm

Internet Explorer security zone bypassed



3rd Apr 2002 [SBWID-5236]
COMMAND

	Internet Explorer security zone bypassed

SYSTEMS AFFECTED

	Internet Explorer 6.0, 5.5, 5.01

PROBLEM

	Andreas Sandblad [sandblad@acc.umu.se] reported :
	

	In order for IE to parse a local file as a html  document  the  filename
	extension must be associated with  html  documents  (normally  .htm  and
	.html). Also the file cannot be binary. This is  good  security  because
	several  types  of  userdata  is  stored  in   local   files   (cookies,
	favorites/bookmarks, application userdata etc). The problem is  that  IE
	can be tricked into thinking that any non binary local file  is  a  html
	document.
	

	 ::: ATTACK :::

	

	The Cookie attack:

	

	A cookie containing html code is set on the user\'s  system.  Using  the
	trick we can make IE loading the cookie file as a  html  document.  Once
	loaded it will operate in the local zone.
	

	The favorite/bookmark attack:

	

	Assume an user accept to add a  favorite/bookmark.  If  we  placed  html
	code in the favorite\'s url, we can then load the favorite file  in  the
	same way as in the cookie attack. The file  will  be  operating  in  the
	local zone.
	

	Winamp attack (if Winamp is installed):

	

	Winamp      stores      current      playlist      in       \"c:/program
	files/winamp/winamp.m3u\". The playlist will  contain  artist  name  and
	song title. If we inject html code in the artist/title  of  a  mp3  file
	that is loaded remotely, the new playlist file will  be  saved  together
	with html code. Using the trick the local playlist file  can  be  loaded
	and operate in the local zone. Since the playlist file will contain  the
	exact path to the \"temporarily internet folder\", we can using the  old
	\".chm helpfile attack\" run arbitrary code.

SOLUTION

	Microsoft released a  patch  28  march,  \"Microsoft  Security  Bulletin
	MS02-015\"
	

	-However-
	

	The patch released by Microsoft  doesn\'t  adress  the  actual  problem,
	because it simply disallow  local  files  in  the  cookie  directory  to
	script in the local zone. It doesn\'t take care of  the  issue  that  IE
	can be tricked to parse any non binary file as html document.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH