DescriptionTwo vulnerabilities have been reported in Internet Explorer, which can be exploited by malicious people to disclose sensitive information.
1) An error in URLMON when handling redirections can be exploited to bypass domain restrictions and disclose the content of arbitrary local files.
This is related to vulnerability #1 in:
SA35362
2) An error when handling the "data" parameter of a dynamically created object can be exploited to disclose the content of arbitrary local files.
Successful exploitation of the vulnerabilities requires that the full path to a target file is known prior to the attack.
The vulnerabilities are reported in Internet Explorer 5.01, 6, 7, and 8.
Solution
Enable Network Protocol Lockdown for Windows XP, and Protected Mode on Windows Vista and later. Please see the vendor's advisory for more information.
Further details available in Customer Area
Provided and/or discovered by
Jorge Luis Álvarez Medina and Federico Muttis, Core Security Technologies
Changelog
Further details available in Customer Area
Original Advisory
Microsoft:
http://www.microsoft.com/technet/security/advisory/980088.mspx
Core Security Technologies:
http://www.coresecurity.com/content/internet-explorer-dynamic-object-tag
Other references
Further details available in Customer Area
Deep Links
Links available in Customer Area
| User |
Message |
|
palisade
|
RE: Microsoft Internet Explorer Local File Disclosure Vulnerabilities |
|
31st Mar, 2010 15:07 |
Score: 19
Posts: 9
User Since: 26th Feb 2010
System Score: N/A
Location: US
Last edited on 31st Mar, 2010 15:07 |
I attempted to run the exploit sample for #2:
<script language="Javascript">
var obj = document.createElement("object");
obj.data = "file://127.0.0.1/C$/.../index.dat";
obj.type = "text/html";
obj.id = "obj_results";
obj.width = "500px";
obj.height = "300px";
document.body.appendChild(obj);
</script>
In the latest IE8 post recent patches. The first thing I noticed is that I receive this message preventing the script:
"To help protect your security, Internet Explorer has restricted this webpage from running scripts or ActiveX controls that could access your computer. Click here for options..."
The second thing that I noticed is then when I allowed the script to run, it did not display any data as it was suggested it would. Secunia might need to re-test this vulnerability in their labs and see if it is still relevant or not.
I was unable to exploit myself using this vulnerability.
When I ran the vuln in #1, with the code:
<object data="index.dat" type="text/html" width="100%" height="50"></object>
And, again it blocked it, I accepted, and then I received this warning:
Cannot find 'file:///C:/Documents%20and%20Settings/nrush/Deskt op/index.dat'. Make sure the path or Internet address is correct.
So, I created a index.dat on my desktop and typed it worked inside, reloaded, and it worked.
I'm not sure if I just didn't do the #2 vuln correctly and that's why it didn't work, or not. However, vuln #1 is definitely still exploitable.
|
|
|
| Was this reply relevant? |  | +0 | |  | -0 | |
|
|
|
|
You must be logged in to post a comment.
|