|
Microsoft Internet Explorer Local Zone Access
|
|
Secunia Advisory:
|
SA10157
|
|
|
Release Date:
|
2003-11-07
|
|
Last Update:
|
2004-08-20
|
|
Popularity:
|
26,788 views
|
|
|
Critical:
|
Moderately critical
|
|
Impact:
|
Security Bypass
Exposure of sensitive information
|
|
Where:
|
From remote
|
|
Solution Status:
|
Vendor Patch
|
|
| Software: | Microsoft Internet Explorer 5.01
Microsoft Internet Explorer 5.5
Microsoft Internet Explorer 6.x
|
|
|
Subscribe:
|
Instant alerts on relevant vulnerabilities 
|
|
Description:
Multiple vulnerabilities have been identified in Internet Explorer allowing malicious HTML documents such as web sites to access resources in the Local Zone.
1) Double slash zone transfer
The use of a double slash ":\\" in a CODEBASE resource location can be used to bypass the security check in Internet Explorer. This can potentially be exploited to cause Internet Explorer to access local resources.
2) Userprofile disclosure
It is possible to access files in the current user profile without knowing the username by substituting it with "file:///::{450D8FBA-AD25-11D0-98A8-0800361B1103}". It is also possible to see the current user profile with the following javascript "alert(window.open("file:///::{450D8FBA-AD25-11D0-98A8-0800361B1103}/res::"))". This can only be exploited if Internet Explorer is operating in Local Zone.
3) Redirection and Refresh in IFRAME parses local file
It is possible to make Internet Explorer parse a local file by creating an IFRAME, which has a SRC poiting to a remote source that redirects to a local resource. Parsing of the local file requires the IFRAME to be refreshed, which can be done automatically using scripting.
A proof of concept exploit has been published. This exploit combines the above vulnerabilities with some older vulnerabilities and a bug in Flash player to install and execute arbitrary code.
The vulnerabilities have been reported to affect Internet Explorer 5, 5.5, and 6 with all current patches.
Solution:
The vulnerabilities have been fixed silently in some cumulative security update.
Provided and/or discovered by:
1 & 2) Liu Die Yu
3) Mindwarper
Changelog:
2004-08-20: Updated "Solution" section.
Original Advisory:
Double slash zone transfer:
http://www.safecenter.net/UMBRELLAWEB...ForCache/DblSlashForCache-Content.htm
Redirection and Refresh in Iframe parses local file:
http://www.safecenter.net/UMBRELLAWEB...irNrefresh/IredirNrefresh-Content.htm
|
|
|
Track this Secunia Advisory
|
Customers of the Secunia Vulnerability Intelligence solutions will automatically receive updates when new information regarding this advisory is released.
Read more about our Vulnerability Intelligence solutions and what they can do for you and your company.
|
|
|
About this Secunia Advisory
|
Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.
Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.
|
