It was found that Internet Explorer allows the disclosure of local file
names. This issue exists due to the fact that Internet Explorer behaves
different for file:// URLs pointing to existing and non-existent files.
When used in combination with HTML5 sandbox iframes it is possible to
use this behavior to find out if a local file exists. This technique
only works on Internet Explorer 10 & 11 since these support the HTML5
sandbox. Also it is not possible to do this from a regular website as
file:// URLs are blocked all together. The attack must be performed
locally (works with Internet zone Mark of the Web) or from a share.
This issue was successfully verified on Internet Explorer 10 and
Internet Explorer 11. The HTML5 sandbox iframes is not available in
older versions of Internet Explorer.
Internet Explorer iframe sandbox local file name disclosure
vulnerability
------------------------------------------------------------------------
Yorick Koster, March 2016
------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
It was found that Internet Explorer allows the disclosure of local file
names. This issue exists due to the fact that Internet Explorer behaves
different for file:// URLs pointing to existing and non-existent files.
When used in combination with HTML5 sandbox iframes it is possible to
use this behavior to find out if a local file exists. This technique
only works on Internet Explorer 10 & 11 since these support the HTML5
sandbox. Also it is not possible to do this from a regular website as
file:// URLs are blocked all together. The attack must be performed
locally (works with Internet zone Mark of the Web) or from a share.
------------------------------------------------------------------------
See also
------------------------------------------------------------------------
- CVE-2016-3321
- MS16-095: Cumulative Security Update for Internet Explorer (3177356)
------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully verified on Internet Explorer 10 and
Internet Explorer 11. The HTML5 sandbox iframes is not available in
older versions of Internet Explorer.
------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
Microsoft released MS16-095 that fixes this vulnerability.
------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://www.securify.nl/advisory/SFY20160301/internet_explorer_iframe_sa
ndbox_local_file_name_disclosure_vulnerability.html
[ reply ]